Marketplace & safety disclosure

Transparency disclosure

Last updated: April 7, 2026

This page summarizes how Sprouts approaches security, data handling, and risk for our products—especially the IDE Companion editor extension and the optional Sprouts GitHub App. It is intended for publishers, enterprises, and users reviewing integrations (including GitHub Marketplace).

Related: Privacy Policy, Terms of Service.

What we collect & what we do not

Account & product data

When you use Sprouts (mobile, web, or IDE Companion), we process account and gameplay-related data needed to operate the product—for example profile identifiers you provide via our auth providers, progression and economy state, and support communications. Details are in our Privacy Policy.

Optional GitHub App (webhooks)

If you install our GitHub App, GitHub sends signed webhook payloads to our API. Our server verifies the signature using a shared secret configured in your GitHub App settings and our environment. Processing is limited to event metadata needed for in-product rewards and linkage to your Sprouts account (for example commit SHAs already present in webhook payloads, pull request merge signals, CI suite conclusions). We do not use GitHub webhooks to fetch, store, or train on your repository source code contents.

Local IDE data

The IDE Companion runs inside your editor. Local repository information you choose to sync (for example local git head for commit credit) is sent only to Sprouts APIs over HTTPS as needed for the features you use.

AI & automated decisions

In supported editors, optional MCP tooling may expose read-only Sprouts data to the editor's AI assistant (for example current sprout stats). The assistant's model and policies are governed by your editor provider (for example Cursor); the assistant is not a separate Sprouts-hosted chat product in the companion sidebar.

In-product progression rules (XP, caps, hatch triggers) are deterministic server-side rules applied to events we receive. They are not large language model judgments about your code.

For EU transparency expectations around high-risk AI systems: Sprouts does not market the IDE Companion as a stand-alone “high-risk” AI product under the EU AI Act; it is a game/progression kit with optional tooling. If your organization requires Act-specific documentation for downstream uses, contact us.

Security practices
  • TLS in transit for API traffic; secrets stored in a platform-managed environment (e.g. hosting provider)
  • Webhook authenticity verified with HMAC (GitHub X-Hub-Signature-256)
  • Access to production data restricted; principle of least privilege for service credentials
  • We do not sell personal information (see Privacy Policy)

Independent third-party audit reports (e.g. SOC 2 Type II) are not published today. If your procurement requires them, reach out with requirements.

Data governance & retention

We retain account and progression data as needed to operate the Services and meet legal obligations. You may request access or deletion subject to exceptions (for example billing records). Contact team@getsprouts.io.

Subprocessors depend on features you use (hosting, database, auth, payments); the Privacy Policy describes categories of integrations at a high level.

Compliance references

GitHub Marketplace publishers should also review the GitHub Marketplace Developer Agreement.

Official EU AI Act consolidated text is maintained by the EU; use your counsel's preferred source for legal interpretation.