Privacy Policy
Last updated: March 28, 2026
What data we collect
When you use DiffBeats, we collect and store the following:
- Pull request titles and descriptions (used for song lyrics and diagram generation)
- Repository names (to associate songs with repos)
- Your GitHub username, profile image, and numeric user ID (for authentication)
- Your email address (from authentication provider)
- Issue comments (to detect /songify and /picify commands)
- Stripe customer ID and subscription information (for paid users)
- Monthly usage counts per installation
We do not access your repository files or commit diffs.
How we use your data
- PR titles and descriptions are sent to OpenRouter (LLM) to generate song lyrics
- PR content is sent to fal.ai to generate visual diagrams via /picify
- Generated lyrics are sent to fal.ai to produce audio
- Generation metadata (title, lyrics, audio, images) is stored in Convex
- Your profile information is used for authentication and display
- Analytics and session recordings are used to understand how the product is used, diagnose issues, and improve the experience
Generation visibility and private repositories
When the GitHub App is installed on a private repository, generations created from that repository are automatically set to unlisted visibility. Unlisted generations are accessible via direct URL but are not indexed, listed publicly, or discoverable through search.
You can change generation visibility at any time from the dashboard:
- Public — discoverable and listed
- Unlisted — accessible by direct link only
- Private — visible only to the owner and members of the same GitHub App installation
Data sent to AI services
PR titles and up to 1,500 characters of PR descriptions are sent to OpenRouter (Google Gemini) for lyrics generation. The system prompt explicitly instructs the model to never reproduce secrets, API keys, tokens, passwords, private URLs, IP addresses, email addresses, or PII.
Generated lyrics are sent to fal.ai (MiniMax Music) for audio synthesis. PR content is also sent to fal.ai (Nano Banana) for diagram generation via /picify.
Third-party services
- Convex — database and backend hosting
- OpenRouter — LLM API for lyrics generation
- fal.ai — music and image generation
- GitHub — OAuth authentication and webhook events
- Clerk — authentication and session management
- Stripe — payment processing
- PostHog — product analytics
- Google Analytics (via Google Tag Manager) — aggregate traffic analytics
- Fly.io — application hosting
Analytics and session recording
We use PostHog for product analytics. PostHog collects:
- Page views, clicks, and form interactions (autocapture)
- Session recordings — replays of how you interact with the site, with text inputs masked by default
- JavaScript errors and performance data
- Device type, browser, OS, and approximate location (from IP, which is not stored)
PostHog analytics data is sent to our self-hosted proxy and forwarded to PostHog (US region). Google Analytics data is loaded via Google Tag Manager and sent to Google.
Cookie consent
If you visit DiffBeats from the European Economic Area, the United Kingdom, or Switzerland, analytics cookies are disabled by default and a consent banner is shown. Neither PostHog nor Google Analytics loads until you click Accept. Visitors from other regions have analytics enabled by default; you can opt out by clearing the diffbeats.consent key from local storage and refusing the banner, or by contacting us.
Cookies and local storage
We use cookies and local storage for:
- Authentication — session cookies managed by Clerk
- Analytics (PostHog) — device identifier and session data in local storage and a cross-subdomain cookie to distinguish unique visitors
- Analytics (Google Analytics) — _ga and related cookies set by Google Tag Manager to measure traffic
- Consent preference — a local storage key (diffbeats.consent) storing your accept/decline choice
We do not use advertising cookies.
Data retention
Generations and associated metadata are retained until you delete them. Deleted generations are kept in a recoverable state for 30 days, after which they are permanently and irreversibly removed from our systems, including any stored audio and image files.
Data deletion
You can delete individual generations from the dashboard. Deleted generations can be restored within 30 days. After 30 days they are permanently removed.
You can also delete your entire account and all associated data from your dashboard settings. Account deletion is immediate and permanent (bypasses the 30-day trash window), including cancellation of any active subscription.
Changes to this policy
We may update this policy from time to time. Changes will be posted on this page with an updated date.
Contact
Questions about this policy? Email hello@diffbeats.com.