Privacy Policy
Last updated: April 2025
1. What we collect
When you sign up or use Flowlyt, we collect the information you provide directly — including your email address, name, and GitHub or GitLab account information required to authenticate and connect your repositories.
During scanning, Flowlyt reads workflow files and pipeline configurations in your connected repositories. We do not store the full content of your source code. We store scan results, finding metadata, and the configuration required to run subsequent scans.
We collect standard usage logs (IP address, browser type, pages visited, timestamps) for operational purposes.
2. How we use your data
We use your data to:
— Provide, operate, and improve the Flowlyt platform.
— Send transactional emails (scan results, finding alerts, account notifications).
— Respond to support requests.
— Aggregate anonymous usage metrics to understand how the product is used.
We do not sell your data. We do not use your repository content to train machine learning models.
3. Data sharing
We share data only with the third-party service providers necessary to operate Flowlyt — including cloud infrastructure (hosting, databases), email delivery, and payment processing. All providers are contractually required to handle data in accordance with applicable law.
We do not share your data with advertisers or data brokers.
4. GitHub and GitLab integration
When you connect a GitHub organization or GitLab group, Flowlyt requests the minimum OAuth scopes required: read access to repository contents and the ability to post pull request or merge request review comments.
We do not request write access to your code, push access, or admin access to your organization. You can revoke Flowlyt's access at any time through your GitHub or GitLab settings.
5. Data retention
Scan results and finding history are retained according to your plan tier (7 days on Pro, 90 days on Team). Account data is retained while your account is active and for 30 days after deletion, to allow recovery.
You may request deletion of your account and associated data at any time by contacting us.
6. Security
We apply encryption in transit (TLS) and at rest for all stored data. Access to production systems is restricted to authorized personnel and requires multi-factor authentication.
Despite reasonable precautions, no system is completely secure. We will notify affected users in the event of a breach that materially affects their data.
7. Your rights
Depending on your jurisdiction, you may have the right to access, correct, export, or delete the personal data we hold about you. To exercise these rights, contact us at privacy@flowlyt.dev.
8. Changes to this policy
We may update this policy as the product evolves. Significant changes will be communicated by email or a prominent notice in the dashboard. Continued use of Flowlyt after changes take effect constitutes acceptance.
9. Contact
For privacy-related questions or requests, contact us at privacy@flowlyt.dev.