Skip to main content
doc0
HomeSign In

Privacy Policy

Last updated: May 7, 2026

1. Information We Collect

When you sign in with GitHub, we receive your GitHub profile information (username, email, avatar). We use this solely for authentication and to display your profile in the app.

We collect product-usage data (page views, feature interactions, error reports) to operate and improve the service. Analytics fire only after you accept cookies — see our cookie consent banner. We do not sell your data to third parties.

2. Source Code & Repository Data

When you generate documentation, your repository is cloned temporarily and analyzed in memory. Source code is never stored in our database. Only generated documentation, file paths, and content hashes are persisted. Raw source code is deleted immediately after processing. Documentation content is sent to AI processors (see §5) for generation, embedding, and chat.

3. How We Use Your Data

  • Authenticate you and manage your account
  • Generate and serve documentation for your repositories
  • Provide AI chat features using your documentation context
  • Process billing and manage your subscription
  • Improve our product through anonymized usage analytics
  • Send transactional emails related to your account
  • Detect and investigate abuse or security incidents

4. Data Storage & Security

Your data is stored in Supabase (PostgreSQL) with encryption at rest and in transit. Secrets such as GitHub installation tokens and MCP keys are stored in Supabase Vault with an additional layer of envelope encryption. All traffic to doc0 is served over HTTPS.

5. Sub-processors

We rely on the following processors to operate doc0. Each processes only the data necessary for its role.

  • Supabase (US/EU) — authentication, PostgreSQL database, Vault secrets storage
  • Vercel (US) — hosting, edge network, deployment and traffic analytics
  • Trigger.dev (US) — background job processing (wiki generation, incremental updates, scheduled retention jobs)
  • OpenAI (US) — AI chat (gpt-5.4-mini), structured output for query expansion and reranking, fallback for documentation generation
  • Google AI (US/EU) — primary documentation generation (gemini-3.5-flash) and text embeddings (gemini-embedding-001)
  • PostHog (EU region) — product analytics, feature flags, session replay (loaded only after cookie consent; sensitive selectors are masked)
  • Sentry (US) — error tracking and performance monitoring
  • Resend (US) — transactional email delivery (account, billing, invitations)
  • Polar (US) — subscription billing and payment processing
  • Upstash (Global) — Redis-backed rate limiting and ephemeral caches (no PII stored)
  • GitHub (US) — OAuth authentication and the GitHub App used to clone repositories you connect

6. Cookies & Tracking

We use strictly necessary cookies for authentication (Supabase session) and to remember your documentation-mode preference. These are required for the service to function and do not require consent.

We use optional analytics cookies (PostHog, Vercel Analytics) only after you accept them via the cookie banner. You can change or withdraw your consent at any time — .

7. Data Retention

  • Account data: retained while your account is active
  • Page-view analytics and analytics sessions: 365 days
  • Wiki page feedback: 90 days
  • Wiki regeneration events: 180 days
  • Audit log entries: 90 days for routine actions, 730 days (2 years) for security-sensitive actions (auth, account or project deletion, key rotation, subscription, membership changes)
  • Archived wiki versions: capped at 20 most-recent per wiki
  • Source-file metadata (path, hash) for archived/failed generations older than 90 days: deleted

You can delete your account at any time from your account settings; this triggers a cascade that removes your profile and all associated projects and wikis.

8. Your Rights (GDPR)

If you are in the EU/UK, you have the right to access, correct, export, restrict processing of, or delete your personal data, and to object to certain processing. You can:

  • Export a copy of your data via the "Export my data" button in account settings (Article 20 — data portability)
  • Delete your account and all associated data at any time
  • Withdraw analytics consent via the cookie banner or the footer link
  • Lodge a complaint with your supervisory authority if you believe we've mishandled your data

For other privacy requests, contact us at privacy@doc0.dev.

9. International Transfers

Several of our processors are based in the United States. Where personal data is transferred outside the EU/UK, we rely on the applicable processor's Standard Contractual Clauses or equivalent safeguards.

10. Changes

We may update this policy from time to time. We will notify you of significant changes via email or an in-app notification.