Privacy policy

What we store and why

Last updated: April 24, 2026

Account data

When you sign up we store your name, email, and a scrypt hash of your password. We never store passwords in plain text. Each user has a unique salt.

Sessions

We issue an HMAC-SHA256-signed JWT stored in an httpOnly cookie with sameSite=lax. The cookie expires after 7 days.

AI-processed content

Product briefs and diffs you send to our endpoints are processed with Claude (Anthropic) under the standard commercial agreement: Anthropic does not train models on API data. We do not keep the raw content after processing, except the generated agent execution plan stored in your workspace for you to review.

Public sandbox

The sandbox at /demo does not require an account. We rate-limit by IP (3 runs/hour). We do not associate those runs with any account or retain them after we respond.

Optional integrations

If you connect GitHub, Discord, Slack, or Linear, we store the tokens you provide encrypted at rest and use them only for actions you authorize (read PRs, send notifications, create issues).

Your rights

You can request full deletion of your account and associated data by writing to info@sprintpilot.xyz. We respond within 7 days.

Contact

Privacy questions: info@sprintpilot.xyz.