Pilot
ProductPrivacyContact security
Security posture

Built to run experiments securely

Pilot connects to the systems your team already trusts: GitHub for code, your analytics provider for experiments, and pull requests for change control. We keep the operational records needed to run experiments, not a second home for your codebase or your data

Ask a security questionRead privacy policy
Short version
Repo mirrorNo persistent copy
Raw user eventsNot ingested
API keysEncrypted at rest
Code changesGitHub PRs only
AI contextBounded and work-scoped
What matters

The default boundary is least custody.

Pilot is useful because it can read the right code and the right metrics. It doesn't try to become the system of record for either.

Code

Your repo stays in GitHub.

Pilot reads files only when it needs context for a suggestion, spec, or pull request. We do not maintain a persistent mirror of your source code.

Data

We don't see user data

Pilot works from event names, funnel summaries, and aggregate experiment results. We do not ingest raw event streams, person profiles, distinct IDs, or user properties.

Control

Changes land as PRs.

Implementation and promotion changes go through reviewable GitHub pull requests. Your team keeps the same code review and merge controls it already trusts.

Data boundary

Clear about what we keep. Clear about what we do not.

Security starts with a smaller blast radius. Pilot stores the records required to make experiments auditable and resumable, then leaves the source systems in place.

Repository access
Pilot keeps

Repo metadata, selected file paths, PR metadata, specs, and bounded code excerpts needed to explain or resume work.

Pilot avoids

A long-lived full repository mirror in Pilot's database or silent direct pushes to production.

Analytics
Pilot keeps

Encrypted analytics connection details plus aggregate experiment snapshots: exposures, conversions, lift, confidence, and decision state.

Pilot avoids

Raw analytics events, session replay, person records, distinct IDs, customer-user properties, or ad-targeting data.

AI context
Pilot keeps

The prompt context needed for the agent to draft specs and PRs, which may include repo excerpts and experiment data.

Pilot avoids

Claims that your data never leaves Pilot. Model providers process the context required to do the work.

Analytics access

Pilot sees experiment results, not individual users.

We read the aggregate statistics needed to evaluate experiments and decide winners. Customer-user identities and raw behavioral history stay inside your analytics provider.

Result fields Pilot stores
Total exposures
Conversions
Conversion rate
Lift vs. control
Probability to beat control
Decision gate status
Controls

Practical security, built into the workflow.

Scoped GitHub App installation per customer-selected repositories.

Short-lived GitHub installation access is minted when work runs.

Analytics credentials (OAuth tokens, or legacy personal API keys) are encrypted at rest with AES-256-GCM.

Experiment changes are explicit artifacts: specs, branches, PRs, and result snapshots.

Access can be revoked by uninstalling the GitHub App or disconnecting your analytics provider.

Workspace deletion removes associated rows, including encrypted analytics keys, on the retention timeline.

Pilot© 2026trypilot.dev
DashboardDemoPrivacyTermsSecuritySupport