GitLab AI AgentGitLab AI AgentSuper Human
Privacy PolicyTerms of Service
Legal Document

Privacy Policy

How the GitLab AI Agent collects, uses, and protects your information.

Effective Date: May 15, 2026·~8 min read

On This Page

  1. 1. Overview
  2. 2. Information We Collect
  3. 3. GitLab OAuth & Scopes
  4. 4. How We Use Your Data
  5. 5. Data Storage & Retention
  6. 6. Third-Party Services
  7. 7. AI Processing & LLMs
  8. 8. Your Rights
  9. 9. Security
  10. 10. Changes to This Policy
  11. 11. Contact Us

1. Overview

Welcome to the GitLab AI Agent (hereinafter referred to as "the Agent," "we," "us," or "our"), a Coda Pack integration developed and maintained by Sanmark Solutions (Pvt) Ltd. The Agent acts as an intelligent bridge between your Coda documents and your GitLab account, enabling you to query, summarise, and interact with your GitLab repositories, merge requests, issues, and commits, directly from within the Coda interface.

This Privacy Policy describes how we collect, use, store, and protect information obtained when you authorise and use the GitLab AI Agent. By connecting your GitLab account to the Agent, you acknowledge that you have read and agree to the practices described in this policy.

Plain English Summary: We connect to your GitLab account on your behalf to fetch data you request. We do not store your source code permanently, and we never use your data to train AI models.

2. Information We Collect

We collect the following categories of information when you use the GitLab AI Agent:

2.1 Account & Identity Information

When you authorise the Agent via GitLab's OAuth 2.0 flow, we receive basic profile information associated with your GitLab account, including your GitLab username, display name, email address (if made public or granted via scope), and your GitLab User ID. This information is used solely for authentication and to identify your session.

2.2 GitLab Resource Data (On-Demand)

The Agent fetches the following GitLab resources exclusively on demand - only when you explicitly trigger an action within Coda:

  • Merge Requests - titles, descriptions, status, reviewers, and diff statistics.
  • Commits - commit messages, author metadata, timestamps, and associated diffs.
  • Issues - issue titles, descriptions, labels, milestones, and comment threads.
  • Repositories - repository names, descriptions, branch lists, and file trees.
  • Pipelines & CI/CD status - pipeline status, job names, and execution results (read-only).

2.3 Usage Metadata

We may collect anonymised, aggregated usage metadata such as the frequency of API calls, feature usage patterns, and error rates. This data contains no personal identifiers and is used solely to improve the reliability and performance of the Agent.

3. GitLab OAuth 2.0 & Requested Scopes

The GitLab AI Agent connects to your GitLab account using the industry-standard OAuth 2.0 authorisation framework. You will be directed to GitLab's official authorisation page, where you explicitly grant the Agent permission to act on your behalf. We never receive or store your GitLab password.

The Agent requests the following OAuth scopes:

api

Grants full access to the GitLab API on your behalf. Required to read and write resources such as merge request comments, issue labels, and branch operations initiated through the Agent.

read_user

Allows the Agent to read your basic profile information - username, name, and email - to identify your account and personalise responses.

read_repository

Enables the Agent to read repository contents, file trees, and commit histories to provide accurate, context-aware summaries and AI analysis.

write_repository

Permits the Agent to perform write operations on repositories when you explicitly request them - such as creating branches, committing files, or updating repository content.

Important: You can revoke the Agent's access to your GitLab account at any time by navigating to GitLab → Settings → Applications → Authorized Applications and revoking the GitLab AI Agent token.

4. How We Use Your Data

We use the data collected strictly for the following purposes:

  • To provide the core service: Fetching and presenting GitLab data within your Coda documents as explicitly requested by you.
  • To generate AI summaries: Passing relevant, user-requested GitLab data (e.g., a merge request diff) to a Large Language Model (LLM) to produce a human-readable summary or analysis.
  • To authenticate your identity: Verifying that you are the authorised GitLab account holder and matching your session to the correct credentials.
  • To improve service reliability: Analysing anonymised error logs and aggregated usage patterns to detect bugs, optimise performance, and plan future features.
  • To communicate with you: Sending service-related notifications (e.g., important security updates or breaking API changes), only if you have provided a contact method.

We will never sell, rent, or trade your personal data or GitLab resource data to any third party for marketing or commercial purposes.

5. Data Storage & Retention

5.1 In-Memory Processing

All GitLab resource data fetched by the Agent, including repository file contents, commit diffs, merge request descriptions, and issue bodies, is processed entirely in-memory on our servers during the lifecycle of a single API request. This data is not written to any database, cache, or persistent storage medium on our infrastructure.

5.2 OAuth Tokens

OAuth access tokens and refresh tokens issued by GitLab are stored securely using industry-standard encryption (AES-256) and are associated exclusively with your account session. Tokens are stored only for as long as necessary to maintain your active session. You may revoke these tokens at any time from within the Agent settings or directly from your GitLab account.

5.3 Anonymised Logs

Anonymised operational logs (error codes, request durations, feature usage counts) may be retained for up to 90 days for debugging and service improvement purposes. These logs do not contain any GitLab resource data, source code, or personally identifiable information.

6. Third-Party Services

The GitLab AI Agent is a Coda Pack, meaning it operates as an extension within the Coda platform. By using the Agent, you are also subject to Coda's Privacy Policy (coda.io/privacy). We are not responsible for Coda's data handling practices.

The Agent interacts with the following third-party services:

ServicePurposeData Shared
GitLabSource of all repository dataOAuth tokens (for API calls)
CodaPack host & user interfacePack responses (formatted data)
LLM ProviderAI summaries & analysisSelected GitLab data (in-memory, per-request)

7. AI Processing & Large Language Models

The Agent uses one or more Large Language Model (LLM) APIs to generate intelligent summaries, code diff explanations, and natural language responses based on your GitLab data. We want to be fully transparent about how this works:

  • Data sent to LLMs is transient: GitLab data (e.g., a commit diff or issue description) is sent to the LLM API only during the processing of a specific, user-initiated request. It is not batched, queued, or stored for later LLM processing.
  • No model training on your data: Your source code, repository contents, commit messages, and issue data are never used to train, fine-tune, or update any public or private AI/ML model, including the LLMs used by this service.
  • LLM provider data handling: Data transmitted to LLM APIs is subject to the respective provider's data processing agreements. We select LLM providers that offer zero data retention policies for API inputs or equivalent contractual protections.
  • AI output accuracy: AI-generated summaries and explanations are provided for informational purposes only. They may contain inaccuracies. You are responsible for verifying any AI-generated content before acting on it.

8. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data. To exercise any of these rights, please contact us at the address listed in Section 11.

  • Right of Access: Request a copy of the personal data we hold about you.
  • Right to Rectification: Request correction of inaccurate personal data.
  • Right to Erasure ("Right to be Forgotten"): Request deletion of your personal data and OAuth tokens from our systems.
  • Right to Restrict Processing: Request that we limit how we use your data.
  • Right to Data Portability: Request your data in a structured, machine-readable format.
  • Right to Object: Object to specific processing activities, including any analytics or usage tracking.
  • Right to Withdraw Consent: Revoke your OAuth authorisation and disconnect your GitLab account at any time without penalty.

9. Security

We implement industry-standard security measures to protect the data we handle:

  • All data in transit is encrypted using TLS 1.2 or higher.
  • OAuth tokens are stored encrypted at rest using AES-256.
  • Access to production systems is restricted to authorised personnel and protected by multi-factor authentication.
  • We conduct regular security reviews and dependency audits.
  • No source code or repository content is persisted beyond the duration of a single API request.

While we take robust precautions, no method of electronic transmission or storage is 100% secure. If you become aware of a security vulnerability related to the Agent, please disclose it responsibly by emailing us at the address in Section 11.

10. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, applicable law, or the features of the GitLab AI Agent. When we make material changes, we will update the "Effective Date" at the top of this page and, where feasible, notify active users through the Coda Pack interface or via email.

Your continued use of the Agent after the updated policy takes effect constitutes your acceptance of the revised terms. If you do not agree with the updated policy, you must disconnect your GitLab account from the Agent.

11. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data handling practices, please contact us:

CompanySanmark Solutions (Pvt) Ltd.
Emailhello@sanmarksolutions.com
Websitesanmarksolutions.com
GitLab AI Agent
Privacy Policy·Terms of Service

© 2026 Sanmark Solutions PVT LTD. All rights reserved.