This Privacy Policy describes how the Sherlog Trust Layer GitHub App ("Sherlog", "we", "us") collects, uses, and handles data when installed on a GitHub repository.
When installed, Sherlog requests the following GitHub permissions:
Sherlog operates as a stateless webhook processor. We do not store:
We retain structured server logs containing: timestamp, installation ID, repository
full name (e.g. owner/repo), PR number, event action, analysis duration,
and outcome. Logs are retained for up to 30 days on the deployment host.
Log data is used solely for:
We do not sell, rent, or share your data with third parties. We do not use your repository code for model training, analytics products, or any purpose other than the analysis described above.
All communication between GitHub and the Sherlog server uses HTTPS with HMAC-SHA256 webhook signature verification. Installation access tokens are used only for the duration of a single PR analysis and are never persisted. All secrets (App private key, webhook secret, license allow-list) are stored as environment secrets on the deployment host and are never written to logs.
You may uninstall the Sherlog GitHub App at any time via GitHub → Settings → Installations. Uninstalling removes Sherlog's access to your repositories. Log entries containing your repository name will expire naturally within 30 days. To request early deletion, contact us at privacy@alley21.dev.
We will update this page when our data practices change. The "last updated" date at the top of the page will reflect any changes.
For privacy questions or data requests: privacy@alley21.dev or visit sherlog.alley21.dev/support.