We ask for access to something sensitive — your codebase. Here's exactly what we do with it, in plain language. No legal jargon.
Read-only access · Source code never stored · Never used to train models · Disconnect anytime
What we read
When you connect your GitHub repo, SnapSignal reads a targeted set of files — not your entire codebase. We focus only on what's needed to understand your product's funnel structure:
Routes & page handlers
Files like routes.js, pages/, app/ — to map user-facing steps in your product.
Auth & onboarding flows
Signup, login, and onboarding handlers — to identify where users enter and drop off.
Payment & conversion handlers
Checkout and subscription logic — to map the critical bottom-of-funnel steps.
What we skip
Environment files, secrets, .env, database credentials, test files, and any directory you explicitly exclude. We never read what we don't need.
What happens to your code
Here's the exact sequence when you connect:
1 — We read your code directly
Using your GitHub read access, we fetch the relevant files via the GitHub API. We do not clone your repository or download it to a separate environment.
2 — Our model analyzes it
The fetched code is passed to our model to infer your funnel structure, identify event trigger conditions, and generate instrumentation. This happens in a single session.
3 — Your code is never stored
We do not store, cache, or retain your source code at any point. Once analysis is complete, the code is gone.
4 — We store only what we generated
The only thing that persists is the output SnapSignal produced — event names, trigger conditions, funnel structure. Not your code.
GitHub permissions we request
We request the minimum scopes needed. Here's what each one is for:
contents:read
Read your file tree and source files. This is the only scope needed for analysis. We do not request write access to your code.
pull_requests:write
Open a PR with the generated instrumentation. When you approve, SnapSignal creates a branch with the event tracking code for you to review and merge. You stay in control of what gets merged.
metadata:read
Read repo name and basic metadata. Required by GitHub for all GitHub Apps. We use this only to identify which repo you connected.
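As an added example (not SnapSignal's own code), here is a check a repository owner can run against the installation records GitHub returns (GET /orgs/{org}/installations) to confirm an installed app holds no more than the three permissions listed above; the installation records and app slugs below are constructed sample data.

```python
"""Audit a GitHub App installation's granted permissions against the
minimum it says it needs. Example code added here, not SnapSignal's own.
The expected set is the one listed on the page; the installation records
are constructed samples in the shape of GitHub's REST API response."""
from typing import Dict, List

# Permissions the page says the app requests: GitHub permission name -> level.
EXPECTED_PERMISSIONS: Dict[str, str] = {
    "contents": "read",
    "pull_requests": "write",
    "metadata": "read",
}

# GitHub access levels in increasing order of privilege.
_LEVELS = {"read": 1, "write": 2, "admin": 3}


def audit_installation(installation: dict, expected: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means the grant matches.

    Flags permissions granted beyond the expected set, expected permissions
    granted at a higher level than needed, expected permissions that are
    missing (the app could not work as described), and installs that were
    granted access to every repository instead of selected ones."""
    findings: List[str] = []
    granted = installation.get("permissions", {})
    for name, level in granted.items():
        if name not in expected:
            findings.append(f"unexpected permission: {name}:{level}")
        elif _LEVELS.get(level, 0) > _LEVELS.get(expected[name], 0):
            findings.append(f"over-privileged: {name}:{level} (expected {expected[name]})")
    for name in expected:
        if name not in granted:
            findings.append(f"missing permission: {name}:{expected[name]}")
    if installation.get("repository_selection") == "all":
        findings.append("installed on all repositories; prefer selecting only the repos to be analysed")
    return findings


# Constructed sample: two installation records as the API would return them.
SAMPLE_INSTALLATIONS = [
    {"id": 1, "app_slug": "snapsignal", "repository_selection": "selected",
     "permissions": {"contents": "read", "metadata": "read", "pull_requests": "write"}},
    {"id": 2, "app_slug": "some-other-app", "repository_selection": "all",
     "permissions": {"contents": "write", "metadata": "read", "issues": "write"}},
]

if __name__ == "__main__":
    for inst in SAMPLE_INSTALLATIONS:
        print(inst["app_slug"], audit_installation(inst, EXPECTED_PERMISSIONS) or ["ok"])
```

To run it against a live organisation, replace SAMPLE_INSTALLATIONS with the "installations" array from the API response, fetched with an org-admin token.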
Your code & AI models
Your source code is never used to train our models or any third-party models. We use AI to analyze your funnel structure during a session — that session data is not retained for training purposes.
We know this matters. The industry has a bad track record here and we're being explicit about it.
Compliance roadmap
Security page & responsible disclosure
This page. A public commitment to how we handle code. Contact email for vulnerability reporting.
SOC 2 Type I — in progress
We're working toward SOC 2 Type I certification. Expected Q3 2026.
SOC 2 Type II
Planned after Type I. Required for enterprise and mid-market procurement.
Report a vulnerability
Responsible disclosure
Found a security issue? Email us at victor@snapsignal.io. We respond within 48 hours and will work with you to resolve it promptly.
Last updated April 2026 · Written by the SnapSignal team