FinishKitFinishKit/Legal
Back to FinishKit

Privacy Policy

Last updated: March 1, 2026

1. Introduction

This Privacy Policy explains how FinishKit ("we," "us," or "our") collects, uses, shares, and protects your personal information when you use our website, platform, and services (collectively, the "Service").

FinishKit is the finish layer for AI-built web apps. We connect to your code repository, analyze your codebase using AI, and generate a prioritized Finish Plan to help you ship a production-ready product.

By using the Service, you consent to the data practices described in this Privacy Policy. If you do not agree, please do not use the Service.

Beta Notice: FinishKit is currently in beta. Our data handling practices may evolve as the product matures. We will update this Privacy Policy to reflect any material changes and notify you accordingly.

2. Information We Collect

Information You Provide Directly

  • Account information: When you sign up, we collect your name, email address, and profile details from your authentication provider (GitHub or Google).
  • Repository access: When you connect a repository, we receive access to repository metadata, file contents, branch information, and commit history as permitted by your GitHub App installation settings.
  • Communications: If you contact us for support or feedback, we collect the contents of your messages and any contact information you provide.

Information Collected Automatically

  • Usage data: We collect information about how you interact with the Service, including pages viewed, features used, analysis runs initiated, and actions taken within the dashboard.
  • Device and browser data: We collect your IP address, browser type and version, operating system, device type, and screen resolution.
  • Performance data: We collect page load times, error logs, and other technical metrics to monitor and improve the Service.

Information from Third Parties

  • Authentication providers: When you sign in with GitHub or Google, we receive your public profile information and email address from those providers.
  • GitHub App events: We receive webhook events from GitHub related to your installed repositories, including push events and installation changes.

3. How We Use Your Information

We use the information we collect for the following purposes:

  • To provide, operate, and maintain the Service.
  • To analyze your code repositories and generate Finish Plans, findings, and patches.
  • To authenticate your identity and manage your account.
  • To communicate with you about the Service, including sending transactional emails and responding to support requests.
  • To monitor usage patterns, diagnose technical issues, and improve the Service.
  • To track token consumption and compute costs for analysis runs.
  • To enforce our Terms of Service and protect against fraud or abuse.
  • To comply with legal obligations and respond to lawful requests.

4. AI and Code Processing

FinishKit uses third-party AI providers to analyze your code. When you initiate an analysis run, portions of your repository data (including code snippets, file structures, and configuration details) are sent to our AI providers for processing. Currently, we use:

  • OpenAI (GPT models) for code analysis and finding generation.
  • Google (Gemini models) as an alternative analysis provider.

These providers process your code solely to generate analysis results for the Service. They operate under data processing agreements that restrict how your data may be used.

We do not use your code to train AI models. Your repository data is processed for analysis only and is not retained by our AI providers for model training or improvement purposes.

What we store: We retain metadata, analysis findings, generated patches, diffs, run logs, token usage counts, and cost metrics. We do not store full copies of your source code in our database.

Temporary processing: During an analysis run, your repository is temporarily cloned to our runner infrastructure for processing. This temporary copy is deleted when the run completes or is cancelled.

5. How We Share Information

We do not sell your personal information. We share information only in the following circumstances:

  • AI providers: As described in Section 4, portions of your repository data are sent to OpenAI and Google for code analysis.
  • Infrastructure providers: We use Supabase (database and authentication), Vercel (web hosting), and Fly.io (worker infrastructure) to operate the Service. These providers may process data on our behalf in accordance with their privacy policies.
  • Analytics providers: We use analytics tools (described in Section 7) that collect aggregated usage data to help us understand how the Service is used.
  • Legal compliance: We may disclose information if required by law, regulation, legal process, or governmental request, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
  • Business transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change.

6. GitHub Integration

FinishKit integrates with GitHub through a GitHub App. When you install the FinishKit GitHub App:

  • We receive access to the repositories you explicitly select during installation. We do not access repositories outside your selected scope.
  • We receive repository metadata including names, branches, commit history, and file contents for the purpose of analysis.
  • We receive webhook events (such as push events and installation changes) to keep your project data in sync.
  • We may create pull requests on your behalf when you choose to apply suggested patches. We do not modify your repository without your explicit action.

You can revoke access at any time by uninstalling the FinishKit GitHub App from your GitHub account settings.

7. Cookies and Tracking

We use cookies and similar technologies to operate the Service and understand usage patterns:

  • Authentication cookies: Supabase Auth sets cookies to maintain your session and keep you signed in. These are essential for the Service to function.
  • Vercel Analytics: We use Vercel Analytics to collect anonymized performance and usage metrics for our web application.
  • PostHog: We use PostHog for product analytics, including feature usage tracking, session recording, and event analytics to improve the user experience.
  • Google Ads: We use Google Ads conversion tracking and remarketing tags to measure the effectiveness of our advertising campaigns.

8. Data Retention

We retain different types of data for different periods:

  • Account data: We retain your account information for as long as your account is active. If you delete your account, we will remove your personal information within a reasonable timeframe, except where retention is required by law.
  • Analysis artifacts: Findings, patches, run logs, and related artifacts are retained for as long as your account is active and the associated project exists.
  • Temporary runner data: Cloned repository data used during analysis runs is deleted upon run completion or cancellation.
  • Analytics data: Aggregated usage and performance data may be retained indefinitely, as it does not identify individual users.

9. Data Security

We implement reasonable technical and organizational measures to protect your information:

  • All data in transit is encrypted using HTTPS/TLS.
  • Database access is protected by Row Level Security (RLS) policies, ensuring users can only access their own data.
  • Authentication is managed through Supabase Auth with support for OAuth providers and magic link sign-in.
  • API endpoints are protected by rate limiting to prevent abuse.
  • Sensitive data in logs is redacted before storage.

Beta caveat: While we take security seriously, the Service is in beta and our security practices are still maturing. We cannot guarantee absolute security. Please do not submit highly sensitive credentials, secrets, or confidential material through the Service.

10. Your Rights and Choices

Depending on your jurisdiction, you may have the following rights regarding your personal information:

  • Access: Request a copy of the personal information we hold about you.
  • Correction: Request correction of inaccurate or incomplete personal information.
  • Deletion: Request deletion of your personal information, subject to legal retention requirements.
  • Portability: Request a copy of your data in a structured, commonly used, and machine-readable format.
  • Objection: Object to the processing of your personal information for certain purposes, such as direct marketing.

To exercise any of these rights, please contact us at support@finishkit.app. We will respond to your request within a reasonable timeframe and in accordance with applicable law.

11. International Data Transfers

FinishKit operates infrastructure across multiple regions. Your data may be processed in Australia, the United States, and other countries where our infrastructure providers operate.

When we transfer personal information across borders, we rely on appropriate safeguards, including data processing agreements with our service providers, to ensure your data is protected in accordance with applicable privacy laws.

12. Children's Privacy

The Service is not directed at individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal information from a child under 16, we will take steps to delete that information promptly. If you believe we have inadvertently collected information from a child under 16, please contact us at support@finishkit.app.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. If we make material changes, we will notify you by email or through a prominent notice on the Service before the changes take effect.

Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Privacy Policy. We encourage you to review this page periodically for the latest information.

14. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us at:

support@finishkit.app

This Privacy Policy is governed by the laws of New South Wales, Australia.

For information about our terms and conditions, please see our Terms of Service.