"Write" permissions: create webhooks on repos (and eventually organizations) so we're notified of relevant events, post comments on commits..
"Read" permissions: list public and private repos and organizations, read source code, read user emails, read public user data (name, avatar).
repo: Grants read/write access to code, commit statuses, invitations, collaborators, adding team memberships, and deployment statuses for public and private repositories and organizations.
user:email: Grants read access to a user's email addresses so we can contact you if you request to be notified (e.g. there is a new GitClear user from your org) or if there is an exceptional circumstance (e.g. something is wrong with your account).
GitHub's authorization scopes are pretty broad and cannot be constrained to specific organizations. However, we will never create pull requests, merge pull requests, or delete branches. Here’s some information on GitHub’s authorization scope, GitLab's authentication, and BitBuckets API authentication. You can revoke all of these permissions at any time via your authorized applications settings page on GitHub, your application settings on GitLab, or by going to Settings > OAuth in BitBucket, but doing so may result in an interruption of service.