Trust & Security

CostLens is built with privacy at its core. We measure outcomes, not content.

No Code Storage

We never store your source code. Our AI detection analyzes patterns in diffs (whitespace, structure, timing), not the code itself. Diffs are processed in memory and discarded once the analysis completes.

Metadata Only

The local proxy sends only metadata upstream: model name, token counts, cost, branch, timestamp. Prompt content and AI responses never leave your machine.

Encrypted at Rest

All data is encrypted at rest (AES-256) and in transit (TLS 1.3). GitHub tokens are encrypted with a separate key before storage.

SOC 2 Pending

We are pursuing SOC 2 Type 1 certification. Our infrastructure runs on Vercel (SOC 2 certified) and Supabase (SOC 2 certified).

GDPR Compliant

Full data export and deletion on request. 30-day soft delete with recovery option. No data sold to third parties. EU data processing compliant.

GitHub OAuth Scopes

We request the repo and read:org scopes. We read PRs, commits, and reviews. Note that GitHub's repo scope also grants write permission; we use it read-only and never push code, create branches, or modify your repositories.

What we collect

✓ We collect

  • PR metadata (title, branch, timestamps, file count)
  • Commit metadata (hash, message, timestamps)
  • Token counts and model names (via proxy)
  • Calculated costs
  • Git branch and repo names

✗ We never collect

  • Source code content
  • Prompt or response text
  • API keys (yours stay on your machine)
  • File contents or diffs (processed in memory only)
  • Personal browsing or activity data

Questions about security? Contact hello@costlens.dev