Data & Privacy
How Keshro handles your data. Your source code stays on your machine.
How Your Data Is Used
Plan Generation & Analysis
When you create a project or migration, Keshro generates plans, risk assessments, effort estimates, and task coordination data. We store plans, tasks, and execution state in your account. Your source code is never read, stored, or transmitted — agents execute locally on your machine.
Aggregate Learning
Completed analyses can contribute anonymized path-level benchmarks and playbook patterns according to your personal or workspace learning mode. Aggregate-only is the default. Raw run details do not flow across organizations.
Team Workspaces
If you create or join an organization, migrations created inside that workspace are visible to members of that workspace. Personal migrations remain private to your account unless you explicitly choose a broader personal learning mode.
Codebase Discovery
When you use the CLI to create a project, an AI agent running locally on your machine scans your codebase to gather technical facts (framework versions, directory structure, dependencies, existing patterns). A structured summary of these facts is sent to Keshro to improve plan quality. Raw source code is never sent, only the summary the agent produces. You can review the summary before it's submitted.
AI Processing & Third Parties
Keshro uses Anthropic's Claude API to generate plans and analysis. Your project descriptions and task context are sent to Anthropic under their commercial API terms, which prohibit using inputs for model training. During plan enrichment, connected-account data (repo structure, issue details) may be accessed via GitHub, Linear, or Jira APIs and used in prompts — not persisted separately. Web research queries are sent to Tavily for best-practice lookups using only your project description, not code.
Security
Retention and Deletion
We retain active account data, migration runs, and connected-account snapshots until you delete them or request deletion. In-product deletion actions take effect immediately in active systems. Manual deletion follow-up requests are handled within 30 days.