Last Updated: December 2025

Frequently Asked Questions

This page addresses common privacy and security questions about the ThinkReview browser extension. For more detailed information, see our Privacy Policy and Zero Code Retention pages.

Why does ThinkReview need permissions to access GitLab, GitHub, and Azure DevOps?

ThinkReview requires host permissions to function properly. These permissions are necessary for the following reasons:

Required Host Permissions:

  • https://gitlab.com/* - Used to inject content scripts and fetch patch files from GitLab merge request pages
  • https://github.com/* - Used to inject content scripts and UI elements into GitHub pull request pages
  • https://patch-diff.githubusercontent.com/* - Used by the background script to fetch GitHub diff/patch files (required to avoid CORS restrictions)
  • https://dev.azure.com/* - Used to inject content scripts and make API calls to Azure DevOps pull request pages
  • https://*.visualstudio.com/* - Used for Azure DevOps Visual Studio domains (same purpose as dev.azure.com)
  • https://us-central1-thinkgpt.cloudfunctions.net/* - Backend service for AI reviews, user authentication, and subscription management

Optional Host Permissions:

  • http://*:*/* and https://*:*/* - Used only for custom/self-hosted GitLab instances. Users must explicitly grant these permissions for their custom domains.

Why These Permissions Are Necessary:

  • Content scripts must be injected to add the "AI Review" button and review panel to merge request/pull request pages
  • The extension uses the chrome.scripting API to dynamically register content scripts for custom GitLab domains
  • Code diffs are fetched only when you explicitly click "Review Code" - the extension never scans repositories automatically
  • For GitLab: Fetches .patch files directly using fetch() with credentials
  • For GitHub: Fetches .diff files through the background script from patch-diff.githubusercontent.com (to avoid CORS restrictions)
  • For Azure DevOps: Makes REST API calls using your Personal Access Token to fetch PR diffs

Does ThinkReview read or modify my code?

ThinkReview ONLY reads code diffs from PRs/MRs that you explicitly open and request reviews for. The extension never writes, modifies, or changes any code.

What the Extension Does:

  • Reads code diffs from the current PR/MR page you're viewing
  • Displays AI-generated reviews in an integrated panel
  • Injects UI elements (buttons and review panels) into the page

What the Extension Does NOT Do:

  • Never writes or modifies code
  • Never creates comments or reviews on your behalf
  • Never accesses code you haven't explicitly requested a review for
  • Never scans repositories automatically
  • Never accesses code in the background

Technical Details:

  • All data fetching uses GET requests only (read-only) - no POST, PUT, DELETE, or PATCH requests to modify code
  • Code is fetched only when you click the "Review Code" button - never automatically or in the background
  • The extension injects UI elements using document.createElement() and appendChild() - it does not modify existing page content or code
  • Content scripts run at document_idle (after page load) and only add review UI components
  • The extension never writes comments, commits, or modifies any code on GitLab, GitHub, or Azure DevOps

Is my code stored or retained?

No. ThinkReview has a zero code retention policy. For detailed information, see our Zero Code Retention page.

How Zero Code Retention Works:

  • Code diffs are sent to AI services (or local Ollama) for analysis and immediately discarded after the review is generated
  • No code is stored, cached, or retained on servers
  • Code only exists in memory during the brief processing time
  • All code processing is transient - once the AI review is returned, the code diff is deleted from memory

This means your source code is processed in real-time for AI code reviews and immediately discarded—never stored, cached, or retained in any form on our servers.

Do AI providers or ThinkReview train on my code or conversations?

We do not train our own machine learning models on your source code, prompts, or conversations.

We route requests to providers under terms that do not use API submissions to train their models.

LLM tool calls (including repository access via integrations):

  • Tool calls run only when you request them — for example when you start a code review, use review chat, or when a configured review agent runs as part of your workflow
  • We do not run LLM tool calls against your repository in the background without a user-driven action tied to that session

Can I review the extension's source code for security?

Yes! ThinkReview is open source and publicly available on GitHub.

Open Source Details:

  • Repository: https://github.com/Thinkode/thinkreview-browser-extension
  • License: AGPL-3.0
  • Benefits: Security researchers and privacy-conscious users can review the code
  • Transparency: You can verify all claims about read-only access, zero retention, and permission usage by examining the source code
  • Contributions: Contributions and security reports are welcome

Open-source availability enables transparency and community audits. You can review the codebase to verify all privacy and security claims, including:

  • How permissions are used
  • What data is accessed and when
  • How code diffs are processed
  • Confirmation of zero code retention practices
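One way to carry out that permission audit against the extension's manifest.json, as an added example that is not the project's own code: the sample manifest below is constructed for illustration (it is not ThinkReview's real manifest), and the check relies only on the standard Manifest V3 keys host_permissions, optional_host_permissions and content_scripts to confirm that required hosts match the FAQ list, that the catch-all patterns stay optional, and that content scripts run at document_idle.

```python
import json

# Host permissions the FAQ lists as required and as optional (user-granted).
REQUIRED_HOSTS = {
    "https://gitlab.com/*",
    "https://github.com/*",
    "https://patch-diff.githubusercontent.com/*",
    "https://dev.azure.com/*",
    "https://*.visualstudio.com/*",
    "https://us-central1-thinkgpt.cloudfunctions.net/*",
}
OPTIONAL_HOSTS = {"http://*:*/*", "https://*:*/*"}

# Constructed sample manifest for the audit; not the project's real manifest.json.
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 3,
    "host_permissions": sorted(REQUIRED_HOSTS),
    "optional_host_permissions": sorted(OPTIONAL_HOSTS),
    "permissions": ["scripting", "storage"],
    "content_scripts": [
        {"matches": ["https://gitlab.com/*", "https://github.com/*"],
         "js": ["content.js"], "run_at": "document_idle"},
    ],
})


def audit_manifest(manifest_json):
    """Return a list of findings; an empty list means every checked claim holds."""
    m = json.loads(manifest_json)
    findings = []
    hosts = set(m.get("host_permissions", []))
    optional = set(m.get("optional_host_permissions", []))
    # 1. No host outside the FAQ list may be required unconditionally.
    for extra in sorted(hosts - REQUIRED_HOSTS):
        findings.append(f"unexpected required host permission: {extra}")
    # 2. Catch-all patterns must remain optional, never granted at install time.
    for broad in sorted(hosts & OPTIONAL_HOSTS):
        findings.append(f"catch-all pattern required instead of optional: {broad}")
    for extra in sorted(optional - OPTIONAL_HOSTS):
        findings.append(f"unexpected optional host permission: {extra}")
    # 3. Static content scripts may only target listed hosts and must run at document_idle.
    for cs in m.get("content_scripts", []):
        for pattern in cs.get("matches", []):
            if pattern not in REQUIRED_HOSTS:
                findings.append(f"content script targets unlisted host: {pattern}")
        if cs.get("run_at", "document_idle") != "document_idle":
            findings.append(f"content script runs at {cs['run_at']}, not document_idle")
    return findings


if __name__ == "__main__":
    for line in audit_manifest(SAMPLE_MANIFEST) or ["manifest matches the FAQ claims"]:
        print(line)
```

Point the script at the checked-out repository's manifest.json instead of SAMPLE_MANIFEST to audit the real file; any non-empty finding list marks a claim that deserves a closer look.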

Are my Personal Access Tokens (PATs) stored securely?

Yes. PATs you connect for repository integrations are encrypted at rest using industry-standard encryption. Encryption keys are derived server-side and never stored alongside your tokens — we cannot read your token in plaintext, and neither can anyone who accesses our database.

Why does ThinkReview need your PAT at all?

PATs are required to enable repository-level context for AI code reviews. Rather than reviewing only the visible diff, ThinkReview can use your token to make tool calls to the platform API (GitHub, GitLab, Azure DevOps) to fetch additional context — such as related files, base branch content, or linked issues — giving the AI a much richer understanding of the change being reviewed.

How PAT storage works:

  • Your PAT is encrypted server-side before being written to our database
  • Encryption keys are derived per-user and never stored alongside the token
  • Your raw token is never logged or accessible in plaintext by anyone, including our team
  • The PAT is only decrypted in memory at the moment it is needed to make an API call during a user-requested review, chat, or agent-driven workflow — not in the background
  • You can delete your stored credentials at any time from the Integrations page in the ThinkReview webapp

Additional Privacy Resources

For more detailed information about privacy and security:

  • Privacy Policy - Comprehensive privacy information
  • Zero Code Retention - Detailed explanation of our zero code retention policy
  • Terms of Service - Legal terms and conditions
  • GitHub Repository - Review the source code

Questions About Privacy?

If you have additional questions about privacy, security, or permissions, please contact us:

Email: support@thinkreview.dev
Subject Line: "Privacy Inquiry"
Company: ThinkReview trading as Thinkode LTD
Company Registration Number: 12850972
Website: https://thinkreview.dev

We're committed to transparency and are happy to discuss our privacy practices with you.