- AES-256-GCM encryption for all credentials at rest
- No tracking cookies, no advertising, no data selling
- Single HTTP-only session cookie (24h expiry)
- Full GDPR and CCPA compliance with 30/45-day response
This summary is for convenience only. The full policy below governs.
1 What We Collect
TinyOps collects the minimum data required to provide our service. Below is a comprehensive breakdown of every category of data we process.
1.1 Account Information
Email address, display name, avatar URL, and hashed password (bcrypt cost 12). When you authenticate via GitHub OAuth, we receive your public profile, email, and organization membership.
1.2 Organization Data
Organization name, slug, plan tier, billing status, and member roles. All data is tenant-isolated by organization ID.
1.3 Team Invitations
Invitee email, role, invitation token (hashed), expiration timestamp, and invitation status.
1.4 Integration Credentials
API keys and OAuth tokens for connected services (GitHub, Vercel, Supabase, Slack). All credentials are encrypted at rest using AES-256-GCM with per-organization encryption keys. We also store integration configuration (selected repos, channels, projects).
1.5 GitHub Data
Repository metadata (name, visibility, language, default branch), pull request metadata (title, author, state, labels, review status), commit statuses, and workflow run data (status, conclusion, timing).
Write actions: TinyOps may perform the following write actions on your behalf when configured in rules: post PR comments, create/close issues, add/remove labels, and update commit statuses.
1.6 Vercel Data
Project billing information, deployment metadata (status, URL, timing, branch), and bandwidth usage metrics.
Write actions: When configured, TinyOps may trigger redeployments and rollbacks on your behalf.
1.7 Slack Data
Channel counts and channel names for rule targeting. We do not read message content.
Write actions: When configured, TinyOps may send messages to channels, send direct messages, and upload files on your behalf.
1.8 Supabase Data
Table counts and authenticated user counts for monitoring rules. We do not access row-level data.
1.9 Rule Execution Data
Rule name, trigger events, conditions evaluated, actions taken, execution timing, success/failure status, shadow mode statistics (simulated vs. actual), and creator/updater user IDs. Webhook secrets and HMAC signing keys used in rule actions are encrypted with AES-256-GCM.
1.10 PR Health Findings
Automated findings from PR analysis including severity, category, description, file path, line numbers, and suggested fixes.
1.11 Webhook Delivery Data
Incoming webhook headers, request body, source IP address, delivery timestamps, and response status codes.
1.12 Policy Evaluation Data
Repository name, pull request reference, commit SHA, pass/fail result, enforcement level (block, warn, notify), specific violations detected, and any override decisions with justifications.
1.13 Approval Workflow Data
Requester identity, action type, rule snapshot at time of request, requester notes, approver/denier responses, and resolution timestamps.
1.14 Notification Data
Notification category, title, body, read/unread status, delivery channel (in-app, email), and email delivery metadata (sent timestamp, open tracking, bounce status).
1.15 Audit Event Data
Actor identity, action performed, resource type and ID, metadata (IP address, user agent), and timestamp. Audit events are immutable once created.
1.16 Usage Analytics
Page views and performance metrics collected via Vercel Speed Insights. This data contains no personally identifiable information and uses no cookies.
2 How We Store Your Data
- Database: PostgreSQL hosted on Railway (US-based infrastructure). All data is tenant-isolated; every query is scoped to your organization.
- Job Queue: Redis (via BullMQ) for asynchronous task processing. Job payloads are transient and cleared after execution.
- Encryption at rest: All sensitive credentials are encrypted using AES-256-GCM with per-organization keys.
- Encryption in transit: All connections use TLS 1.2+. No data is transmitted in plaintext.
- Password hashing: bcrypt with a cost factor of 12.
- Sessions: JWT-based authentication tokens with 24-hour expiry, stored as HTTP-only secure cookies with SameSite=Lax.
3 Data Retention
- Execution logs: 30 days on Free plan, 90 days on paid plans.
- PR health findings: Retained for the lifetime of your account.
- Audit events: Retained for the lifetime of your account.
- Rules and configurations: Retained for the lifetime of your account.
- Webhook delivery data: Retained for the lifetime of your account.
- Email engagement data: Retained for analytics purposes (open rates, bounce rates) to improve delivery reliability.
After Account Deletion
Upon account deletion request, all data is removed from production systems within 30 days. Backups may retain data for up to 90 days after deletion, after which it is permanently purged.
4 How We Use Your Data
We use your data exclusively to:
- Execute automation rules you configure
- Display dashboards, analytics, and rule execution history
- Send notifications (in-app and email) based on your preferences
- Process payments via Stripe
- Monitor system health and performance
- Prevent abuse and enforce rate limits
We do NOT use your data for:
- Advertising or ad targeting
- Training AI/ML models
- Any purpose beyond operating and improving TinyOps
5 Third-Party Services (Subprocessors)
We share data only with the following services required to operate TinyOps:
| Service | Purpose | Data Shared |
|---|---|---|
| Railway | Database hosting | All application data |
| Vercel | Frontend hosting, analytics | Page views (no PII) |
| Resend | Transactional email | Recipient email addresses |
| Stripe | Payment processing | Billing data |
| GitHub | OAuth authentication | OAuth tokens |
| Redis (BullMQ) | Job queue | Execution payloads (transient) |
We do not sell your data. Your data is never shared with third parties for their own marketing or commercial purposes.
Subprocessor Changes
We will notify you via email at least 30 days before adding a new subprocessor. Enterprise customers with a DPA may negotiate custom subprocessor change rights.
7 Your Rights
GDPR Rights (EU/EEA Residents)
Under the General Data Protection Regulation, you have the right to:
- Access: Request a copy of all personal data we hold about you
- Rectification: Correct inaccurate personal data
- Erasure: Request deletion of your personal data (“right to be forgotten”)
- Restrict processing: Limit how we use your data
- Data portability: Receive your data in a structured, machine-readable format
- Object: Object to processing based on legitimate interests
- Automated decision-making: Not be subject to decisions based solely on automated processing (see Section 14)
- Lodge a complaint: File a complaint with your local supervisory authority
CCPA Rights (California Residents)
Under the California Consumer Privacy Act, you have the right to:
- Know: What personal information we collect, use, disclose, and sell
- Delete: Request deletion of personal information we collected from you
- Opt-out: Opt out of the sale of personal information (we do not sell data)
- Non-discrimination: Not be discriminated against for exercising your rights
You may designate an authorized agent to make requests on your behalf. We may require identity verification before fulfilling requests.
User Controls
Within TinyOps, you can directly:
- Manage notification preferences (email, in-app, per-category)
- Connect and disconnect integrations at any time
- Create, modify, enable, disable, or delete rules
To exercise any of these rights, contact us at hello@tinyops.cc. We respond within 30 days for GDPR requests and 45 days for CCPA requests.
8 Legal Basis for Processing (GDPR)
We process your personal data under the following legal bases:
- Contract performance (Art. 6(1)(b)): Processing necessary to provide TinyOps services as described in our Terms of Service. This covers account management, rule execution, notifications, and integration functionality.
- Legitimate interest (Art. 6(1)(f)): Processing necessary for security monitoring, fraud prevention, service improvement, and usage analytics. We balance our interests against your rights and freedoms.
- Consent (Art. 6(1)(a)): Where required, we obtain your explicit consent before processing. You may withdraw consent at any time without affecting the lawfulness of prior processing.
9 International Data Transfers
TinyOps infrastructure is hosted in the United States. If you access TinyOps from outside the US, your data will be transferred to and processed in the US.
For transfers from the EU/EEA, we rely on Standard Contractual Clauses (SCCs) as approved by the European Commission to ensure adequate data protection.
If you have questions about our transfer mechanisms or need documentation for compliance purposes, contact us at hello@tinyops.cc.
10 Security Practices
We implement the following security measures to protect your data:
- Encryption at rest: AES-256-GCM for all credentials and sensitive data
- Encryption in transit: TLS 1.2+ on all connections
- Password hashing: bcrypt with cost factor 12
- Tenant isolation: All queries scoped by organization ID
- Session security: JWT tokens with 24-hour expiry, HTTP-only cookies
- Audit logging: All administrative actions are logged immutably
- Email suppression: Automated bounce and complaint handling
- Security assessments: Periodic internal security reviews
- SOC 2 alignment: Controls aligned with SOC 2 Type II principles
Breach Notification
In the event of a data breach affecting your personal data, we will notify affected users within 72 hours of becoming aware of the breach, in accordance with GDPR Article 33.
Responsible Disclosure
If you discover a security vulnerability, please report it to hello@tinyops.cc. We acknowledge reports within 48 hours and will work with you to resolve the issue.
Status Page
System status and incident history are available on our status page. We communicate proactively during service disruptions.
11 Data Processing Agreement (DPA)
Enterprise customers who require a Data Processing Agreement can request one by contacting hello@tinyops.cc. We are happy to work with your legal team to execute a DPA that meets your compliance requirements.
Enterprise DPA customers receive additional rights including audit rights (with reasonable notice), custom data retention periods, and subprocessor change approval workflows.
12 What Happens When You Disconnect
When you disconnect an integration (GitHub, Vercel, Slack, Supabase):
- We immediately stop collecting new data from that service
- Integration credentials (tokens, API keys) are deleted immediately
- Previously collected data (execution logs, findings) is retained per our standard retention policy
- Rules targeting that integration are automatically disabled
To request deletion of all previously collected data from a disconnected integration, contact us at hello@tinyops.cc.
13 Children's Privacy
TinyOps is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have inadvertently collected such information, we will take steps to delete it promptly.
If you believe a child under 13 has provided us with personal information, please contact us at hello@tinyops.cc.
14 Automated Decision-Making
TinyOps includes an automation rules engine that executes actions based on triggers and conditions. It is important to understand:
- The rules engine executes your configured rules only. We do not make autonomous decisions about your repositories or infrastructure.
- You have full control over every rule: create, modify, disable, or delete at any time.
- Rules can be placed in shadow mode to simulate execution without taking action.
- Approval workflows allow you to require human review before sensitive actions are executed.
No decisions with legal or similarly significant effects are made solely by automated processing without human oversight.
15 Changes to This Policy
We may update this Privacy Policy as our practices or legal requirements evolve.
- Material changes: We will notify you via email at least 30 days before they take effect.
- What Changed summary: Every update includes a clear summary of what changed and why.
- Previous versions: Available on our GitHub repository or by request.
Continued use of TinyOps after the effective date of changes constitutes acceptance of the updated policy.
16 Privacy FAQ
Can TinyOps read my source code?
No. TinyOps accesses repository metadata (names, branches, PR titles, labels) and workflow/deployment data. We do not clone repositories or read file contents. The GitHub token scopes we request do not include code read access beyond what is needed for commit status and PR metadata.
What happens if I revoke my GitHub token?
TinyOps will immediately lose access to your GitHub data. Rules targeting GitHub will fail gracefully and be automatically paused. You can re-authenticate at any time to restore functionality.
Who can see my organization's data?
Only members of your organization can view your data. All data access is tenant-isolated. TinyOps engineering staff can access data only for support purposes with your explicit permission or to resolve security incidents.
What happens in case of a data breach?
We will notify affected users within 72 hours via email, describing the nature of the breach, what data was affected, and what steps we are taking. We will also notify relevant supervisory authorities where required by law.
Can I export all my data?
Yes. You can request a full data export by emailing hello@tinyops.cc. We will provide your data in a structured, machine-readable format (JSON) within 30 days.
17 Contact
For privacy-related questions, data requests, or concerns:
- Email: hello@tinyops.cc
- Security issues: hello@tinyops.cc (subject: Security Vulnerability Report)
- Response time: Within 30 days
As a small team, we are not required to appoint a Data Protection Officer under GDPR Article 37 (organization size threshold). However, we take our privacy obligations seriously and will address every inquiry personally.