Privacy FAQs - ThinkReview

Q: Why does ThinkReview need permissions to access GitLab, GitHub, and Azure DevOps?

ThinkReview requires host permissions to inject content scripts that add the 'AI Review' button and review panel to merge request and pull request pages. These permissions also allow the extension to fetch code diffs only when you explicitly click 'Review Code'. The extension never scans repositories automatically. For GitLab, it fetches .patch files directly. For GitHub, it fetches .diff files through the background script. For Azure DevOps, it makes REST API calls using your Personal Access Token.

Q: Is my code stored or retained?

No. ThinkReview has a zero code retention policy. Code diffs are sent to AI services (or local Ollama) for analysis and immediately discarded after the review is generated. No code is stored, cached, or retained on servers. Code only exists in memory during the brief processing time. Once the AI review is returned, the code diff is deleted from memory.

Last Updated: December 2025

Frequently Asked Questions

This page addresses common privacy and security questions about the ThinkReview browser extension. For more detailed information, see our Privacy Policy and Zero Code Retention pages.

Why does ThinkReview need permissions to access GitLab, GitHub, and Azure DevOps?

ThinkReview requires host permissions to function properly. These permissions are necessary for the following reasons:

Required Host Permissions:

https://gitlab.com/* - Used to inject content scripts and fetch patch files from GitLab merge request pages
https://github.com/* - Used to inject content scripts and UI elements into GitHub pull request pages
https://patch-diff.githubusercontent.com/* - Used by the background script to fetch GitHub diff/patch files (required to avoid CORS restrictions)
https://dev.azure.com/* - Used to inject content scripts and make API calls to Azure DevOps pull request pages
https://*.visualstudio.com/* - Used for Azure DevOps Visual Studio domains (same purpose as dev.azure.com)
https://us-central1-thinkgpt.cloudfunctions.net/* - Backend service for AI reviews, user authentication, and subscription management

Optional Host Permissions:

http://*:*/* and https://*:*/* - Used only for custom/self-hosted GitLab instances. Users must explicitly grant these permissions for their custom domains.

Why These Permissions Are Necessary:

Content scripts must be injected to add the "AI Review" button and review panel to merge request/pull request pages
The extension uses the chrome.scripting API to dynamically register content scripts for custom GitLab domains
Code diffs are fetched only when you explicitly click "Review Code" - the extension never scans repositories automatically
For GitLab: Fetches .patch files directly using fetch() with credentials
For GitHub: Fetches .diff files through the background script from patch-diff.githubusercontent.com (to avoid CORS restrictions)
For Azure DevOps: Makes REST API calls using your Personal Access Token to fetch PR diffs

Does ThinkReview read or modify my code?

ThinkReview ONLY reads code diffs from PRs/MRs that you explicitly open and request reviews for. The extension never writes, modifies, or changes any code.

What the Extension Does:

Reads code diffs from the current PR/MR page you're viewing
Displays AI-generated reviews in an integrated panel
Injects UI elements (buttons and review panels) into the page

What the Extension Does NOT Do:

Never writes or modifies code
Never creates comments or reviews on your behalf
Never accesses code you haven't explicitly requested a review for
Never scans repositories automatically
Never accesses code in the background

Technical Details:

All data fetching uses GET requests only (read-only) - no POST, PUT, DELETE, or PATCH requests to modify code
Code is fetched only when you click the "Review Code" button - never automatically or in the background
The extension injects UI elements using document.createElement() and appendChild() - it does not modify existing page content or code
Content scripts run at document_idle (after page load) and only add review UI components
The extension never writes comments, commits, or modifies any code on GitLab, GitHub, or Azure DevOps

Is my code stored or retained?

No. ThinkReview has a zero code retention policy. For detailed information, see our Zero Code Retention page.

How Zero Code Retention Works:

Code diffs are sent to AI services (or local Ollama) for analysis and immediately discarded after the review is generated
No code is stored, cached, or retained on servers
Code only exists in memory during the brief processing time
All code processing is transient - once the AI review is returned, the code diff is deleted from memory

This means your source code is processed in real-time for AI code reviews and immediately discarded—never stored, cached, or retained in any form on our servers.

Can I review the extension's source code for security?

Yes! ThinkReview is open source and publicly available on GitHub.

Open Source Details:

Repository: https://github.com/Thinkode/thinkreview-browser-extension
License: AGPL-3.0
Benefits: Security researchers and privacy-conscious users can review the code
Transparency: You can verify all claims about read-only access, zero retention, and permission usage by examining the source code
Contributions: Contributions and security reports are welcome

Open-source availability enables transparency and community audits. You can review the codebase to verify all privacy and security claims, including:

How permissions are used
What data is accessed and when
How code diffs are processed
Confirmation of zero code retention practices

Additional Privacy Resources

For more detailed information about privacy and security:

Privacy Policy - Comprehensive privacy information
Zero Code Retention - Detailed explanation of our zero code retention policy
Terms of Service - Legal terms and conditions
GitHub Repository - Review the source code

Questions About Privacy?

If you have additional questions about privacy, security, or permissions, please contact us:

Email: support@thinkode.co.uk
Subject Line: "Privacy Inquiry"
Company: ThinkReview trading as Thinkode LTD
Company Registration Number: 12850972
Website: https://thinkreview.dev

We're committed to transparency and are happy to discuss our privacy practices with you.