Security & Privacy

How tugtug handles your code data.

Last updated: June 2026

What We Collect

tugtug reads repository files to compute code health metrics, then discards the source. Only derived numbers and file paths are persisted.

We store

  • File paths (e.g. src/auth.ts)
  • Complexity metrics (numbers)
  • Churn counts (commits/file)
  • Hotspot scores (0.0–1.0)
  • Coupling pairs (file names)
  • Health score history
  • Team & member records

We do NOT store

  • Source code
  • Commit messages
  • Author names or emails
  • Branch names
  • Secrets or credentials
  • Git history content
  • Pull request data

How Your Data Is Protected

In Transit

  • All communication uses HTTPS/TLS 1.3
  • GitHub API calls encrypted end-to-end
  • File contents are never logged in transit

At Rest

  • AES-256 encryption for all stored data (Supabase managed, AWS KMS)
  • GitHub tokens encrypted in database
  • Database backups encrypted with same key

Access Control

  • Row-level security (RLS) — team data is isolated at the database level
  • RLS policies are designed to prevent cross-team data access
  • Audit logs track all data access with timestamps
  • Ask us to delete your stored GitHub token — tugtug can no longer call the GitHub API on your behalf

Your Rights

Right to Access

View your analysis data via the dashboard. Contact us if you need an export.

Right to Delete

Purge all team analysis data at any time from Team Settings. Irreversible.

Right to Audit

Full audit logs showing who accessed what data and when. Retained for 90 days.

Right to Revoke

Ask us to delete your stored GitHub token so tugtug can no longer access the GitHub API on your behalf. To fully revoke OAuth access, also visit github.com/settings/applications.

Compliance

GDPR

We comply with GDPR Article 17 (right to erasure). EU customers can request data deletion at any time via the purge endpoint. Contact privacy@tugtug.com for GDPR requests.

SOC 2 Type II

tugtug is not currently SOC 2 certified. Contact us for security details or to discuss compliance requirements.

Data Residency

Data is currently stored in the US via Supabase. EU data residency is not currently available.

Data Retention

Data Type                        Retention         Deletable
Analysis metrics & hotspot data  Until purged      Yes — via purge
Health score history             Until purged      Yes — via purge
Audit logs                       90 days           Yes — via purge
Email digest logs                Until purged      Yes — via purge
Team record (name, slug)         7 years           Kept for billing
Billing history                  7 years (legal)   Legal requirement

Questions?

Security questions: security@tugtug.com

GDPR / privacy requests: privacy@tugtug.com

Enterprise security reviews: Contact us and we'll provide a completed security questionnaire, architecture diagram, and compliance documentation.

Looking for how we handle personal data, cookies, and third-party processors? See our Privacy Policy.