Pilot connects to the systems your team already trusts: GitHub for code, your analytics provider for experiments, and pull requests for change control. We keep the operational records needed to run experiments, not a second home for your codebase or your data
Pilot is useful because it can read the right code and the right metrics. It doesn't try to become the system of record for either.
Pilot reads files only when it needs context for a suggestion, spec, or pull request. We do not maintain a persistent mirror of your source code.
Pilot works from event names, funnel summaries, and aggregate experiment results. We do not ingest raw event streams, person profiles, distinct IDs, or user properties.
Implementation and promotion changes go through reviewable GitHub pull requests. Your team keeps the same code review and merge controls it already trusts.
Security starts with a smaller blast radius. Pilot stores the records required to make experiments auditable and resumable, then leaves the source systems in place.
Repo metadata, selected file paths, PR metadata, specs, and bounded code excerpts needed to explain or resume work.
A long-lived full repository mirror in Pilot's database or silent direct pushes to production.
Encrypted analytics connection details plus aggregate experiment snapshots: exposures, conversions, lift, confidence, and decision state.
Raw analytics events, session replay, person records, distinct IDs, customer-user properties, or ad-targeting data.
The prompt context needed for the agent to draft specs and PRs, which may include repo excerpts and experiment data.
Claims that your data never leaves Pilot. Model providers process the context required to do the work.
We read the aggregate statistics needed to evaluate experiments and decide winners. Customer-user identities and raw behavioral history stay inside your analytics provider.
Scoped GitHub App installation per customer-selected repositories.
Short-lived GitHub installation access is minted when work runs.
Analytics credentials (OAuth tokens, or legacy personal API keys) are encrypted at rest with AES-256-GCM.
Experiment changes are explicit artifacts: specs, branches, PRs, and result snapshots.
Access can be revoked by uninstalling the GitHub App or disconnecting your analytics provider.
Workspace deletion removes associated rows, including encrypted analytics keys, on the retention timeline.