Privacy Policy

SoluMates LLC
Effective: [DATE — to be set before backend goes live]
Applies to: yanrix.dev, the Yanrix GitHub Action, the Yanrix GitHub App, and the Yanrix backend API at api.yanrix.dev

Overview

Yanrix is a developer security tool built by SoluMates LLC. This policy describes how we collect, use, and protect information when you visit yanrix.dev, install the Yanrix GitHub App, use the Yanrix GitHub Action, or join our beta waitlist.

We collect only what we need to operate the product and understand how it is being used. We do not sell your data, and we do not use it for advertising.

This site and product are intended for individuals 18 years of age or older. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has submitted personal information through this site or product, please contact us at privacy@yanrix.dev and we will delete it promptly.


Data Controller

The data controller responsible for your personal information is:

SoluMates LLC
Email: privacy@yanrix.dev

For any questions about how your data is handled, contact us at the address above.


How Yanrix Works — Data Flow Summary

Understanding what data goes where is central to evaluating this product. Yanrix is a GitHub Action that runs on your GitHub Actions runner. When it analyzes a pull request:

  • The Action checks out your repository on your GitHub runner.
  • It assembles architectural context from your codebase (dependency manifests, configuration files, framework patterns).
  • It sends the assembled context directly to the LLM provider you configure (Anthropic, OpenAI, or Google), using your API key. This data goes from your runner to the LLM provider. It does not pass through Yanrix servers.
  • The LLM returns a structured threat model, which Yanrix validates and posts as a PR comment.
  • The threat model manifest is uploaded as a GitHub Artifact under your repository.
  • Structured metadata about the scan (finding counts, severity distribution, scan duration) is sent to the Yanrix backend at api.yanrix.dev for telemetry. No source code, diffs, finding descriptions, or manifest content is included in this transmission.

What We Collect

When you visit yanrix.dev

Waitlist registration (via Beehiiv)

If you join the beta waitlist, we collect your email address and, optionally, your company name. This data is stored and processed by Beehiiv, our email service provider. We use it solely to notify you when Yanrix launches or enters beta. You can unsubscribe at any time using the link in any email we send.

Page analytics (via PostHog)

We use PostHog to collect behavioral data about how visitors interact with this page. We record four events: page load, demo interaction, waitlist section reveal, and waitlist form submission. Events are keyed by a first-party session cookie (see Cookies and Tracking below) and are not linked to your email address, your waitlist entry, or any other personally identifiable information. Session replay is not enabled on this site.

PostHog is configured on US cloud infrastructure. Analytics data is retained for 90 days and then deleted.

When you install the Yanrix GitHub App

When you install the Yanrix GitHub App from the GitHub Marketplace, GitHub sends an installation webhook to our backend at api.yanrix.dev. We store the following installation record:

  • Installation ID: a numeric identifier generated by GitHub
  • Account: the GitHub organization or username that installed the App
  • Repository list: which repositories were granted access at install time
  • Registration timestamp: when the installation occurred
  • Tier: your subscription tier (defaulted to "free" at this stage)
  • Repository visibility: whether each granted repository is public or private, recorded at first observation

When you uninstall the App, we mark the installation record as inactive. We retain the record for audit trail purposes.

The installation ID, combined with the account field, constitutes pseudonymous personal data under GDPR and personal information under CCPA, because it can be correlated to an identifiable entity via the GitHub API.

When the Yanrix Action runs

Token exchange

Each time the Yanrix Action executes, it contacts the Yanrix backend at api.yanrix.dev to obtain a short-lived, scoped access token. Your runner sends the GitHub-provided GITHUB_TOKEN to our /checkout-token endpoint over TLS. We use this token solely to verify that the Yanrix App is installed on your repository. We do not store this token. The scoped token we return expires within one hour. GITHUB_TOKEN is itself an automatic, job-scoped credential: GitHub invalidates it when the workflow job completes, and it carries only the permissions granted by the workflow's permissions setting, so you control what the token presented to us is able to do.

Configuration retrieval

The Action requests its execution configuration from the Yanrix backend via the /config endpoint, authenticating with a GitHub installation token. This request contains the installation identifier and repository metadata. No source code, diffs, or repository content is transmitted in this request.

LLM provider transmission

The assembled context from your codebase is sent directly from your GitHub runner to the LLM provider you configure (Anthropic, OpenAI, or Google), using your API key. Yanrix servers never receive, process, or store your source code, PR diffs, or repository content. Yanrix does not control what the LLM provider does with this data. You are responsible for reviewing and accepting your chosen provider's data handling terms before configuring that provider.

Scan telemetry

After each analysis run, the Action sends structured metadata to the Yanrix backend at api.yanrix.dev. This metadata includes:

  • Installation ID and repository name (derived from the authenticated token, not from the payload)
  • Scan ID (a unique identifier for this run)
  • Action version
  • Execution mode
  • Finding count
  • Severity counts (critical, high, medium, low)
  • Ecosystem identifier
  • Pull request number
  • Scan duration in milliseconds

What scan telemetry does not include: source code, PR diffs, manifest content, individual finding descriptions, CWE identifiers, or any data derived from your codebase beyond the numeric counts listed above.
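The guarantee above is only as strong as the code that assembles the payload. The following is an added example, not Yanrix's own code, showing how a client-side telemetry builder can enforce the allowlist described here: the payload is projected from a full scan result (which does contain finding titles, descriptions and CWE identifiers) down to the listed fields, and a fail-closed validator rejects any unknown key, wrong type, or over-long string, so a future change that adds finding text to the payload breaks at build time rather than shipping. Installation ID and repository name are deliberately absent from the payload, matching the note that the backend derives them from the token. The field names, the ScanResult shape, the sample findings and the string-length limit are assumptions for illustration.

```python
"""Added example (not Yanrix code): enforce a telemetry allowlist client-side.
Field names, the ScanResult shape and MAX_STRING_LEN are assumptions."""
import json
from dataclasses import dataclass, field
from typing import Any, Optional

SEVERITIES = ("critical", "high", "medium", "low")
MAX_STRING_LEN = 64  # assumption: identifiers are short; a diff or finding text is not

# Allowlist: field name -> required type. Installation ID and repository name are
# deliberately absent; the backend derives them from the authenticated token.
TELEMETRY_SCHEMA: dict[str, type] = {
    "scan_id": str,
    "action_version": str,
    "execution_mode": str,
    "finding_count": int,
    "severity_counts": dict,
    "ecosystem": str,
    "pr_number": int,
    "duration_ms": int,
}


@dataclass
class Finding:
    severity: str
    title: str          # codebase-derived text: must never reach telemetry
    description: str
    cwe: Optional[str] = None


@dataclass
class ScanResult:
    scan_id: str
    action_version: str
    execution_mode: str
    ecosystem: str
    pr_number: int
    duration_ms: int
    findings: list[Finding] = field(default_factory=list)


def validate_telemetry(payload: dict[str, Any]) -> None:
    """Fail closed: unknown keys, wrong types and long strings are rejected."""
    unknown = set(payload) - set(TELEMETRY_SCHEMA)
    if unknown:
        raise ValueError(f"non-allowlisted telemetry fields: {sorted(unknown)}")
    for key, expected in TELEMETRY_SCHEMA.items():
        if key not in payload:
            raise ValueError(f"telemetry missing field {key!r}")
        value = payload[key]
        # bool is a subclass of int; exclude it so flags cannot pose as counts
        if not isinstance(value, expected) or isinstance(value, bool):
            raise TypeError(f"{key!r} must be {expected.__name__}")
        if isinstance(value, str) and len(value) > MAX_STRING_LEN:
            raise ValueError(f"{key!r} exceeds {MAX_STRING_LEN} characters")
    counts = payload["severity_counts"]
    if set(counts) != set(SEVERITIES):
        raise ValueError("severity_counts must contain exactly the four known severities")
    if any(isinstance(v, bool) or not isinstance(v, int) or v < 0 for v in counts.values()):
        raise TypeError("severity counts must be non-negative integers")
    if sum(counts.values()) != payload["finding_count"]:
        raise ValueError("severity_counts do not add up to finding_count")


def build_telemetry(result: ScanResult) -> dict[str, Any]:
    """Project a full scan result down to the allowlisted metadata only."""
    counts = {s: 0 for s in SEVERITIES}
    for f in result.findings:
        if f.severity not in counts:
            raise ValueError(f"unknown severity {f.severity!r}")
        counts[f.severity] += 1
    payload = {
        "scan_id": result.scan_id,
        "action_version": result.action_version,
        "execution_mode": result.execution_mode,
        "finding_count": len(result.findings),
        "severity_counts": counts,
        "ecosystem": result.ecosystem,
        "pr_number": result.pr_number,
        "duration_ms": result.duration_ms,
    }
    validate_telemetry(payload)  # the builder itself cannot emit a bad payload
    return payload


def contains_text(payload: dict[str, Any], needles: list[str]) -> bool:
    """True if any of the given strings appears anywhere in the serialized payload."""
    blob = json.dumps(payload)
    return any(n in blob for n in needles)


# Constructed sample scan result; the findings are illustrative, not real output.
SAMPLE = ScanResult(
    scan_id="scan-0001", action_version="0.1.0", execution_mode="pr",
    ecosystem="npm", pr_number=42, duration_ms=8350,
    findings=[
        Finding("high", "Unsigned webhook handler", "Handler accepts any payload", "CWE-345"),
        Finding("medium", "Verbose error page", "Stack trace returned to client"),
        Finding("high", "Secret in config", "API key committed in config.yaml", "CWE-798"),
    ],
)

if __name__ == "__main__":
    print(json.dumps(build_telemetry(SAMPLE), indent=2))
```

Running the module prints the payload for the sample: three findings collapse to `finding_count: 3` and `severity_counts` of two high and one medium, with no title, description or CWE string anywhere in the output. The validator is intentionally separate from the builder so it can also be applied in a unit test against whatever the Action is about to send.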

Audit events

Installation lifecycle events (install, uninstall, tier changes) are logged to an append-only audit log via Cloudflare Workers Analytics Engine. These logs include the event type, installation ID, account, timestamp, and actor context where available.

When you use BYOK (Bring Your Own Key)

If you configure your own LLM API key as a GitHub Actions secret, that key is passed from your runner directly to your chosen LLM provider at runtime. Because it is held as an Actions secret, GitHub masks its value in workflow logs, and because the Action runs on your runner, the key is exposed only to the Action process and to the provider's API. The following commitments apply to how Yanrix handles your API key:

  • Your API key is never logged in any Yanrix system, service, or observability tool.
  • Your API key is never stored to any persistent storage medium by Yanrix.
  • Your API key is used exclusively for the scope of the single analysis request in which it is provided.
  • Your API key is never transmitted to any third party other than the LLM provider you selected, as required to fulfill the analysis request.

What we do not collect

  • Passwords or authentication credentials (beyond the transient token exchange described above)
  • Payment information (billing is not active at this stage)
  • Device fingerprints or persistent tracking identifiers
  • Information from third-party data brokers
  • Source code, PR diffs, or repository content on Yanrix servers
  • IP addresses at the application level (Cloudflare may process IP addresses at the infrastructure level as part of serving requests)

Why We Collect It

  • Waitlist email address
    Purpose: To notify you when Yanrix enters beta
    Legal basis: Consent (given at form submission)
  • Company name (optional)
    Purpose: To understand the types of organizations interested in Yanrix
    Legal basis: Consent (voluntary field)
  • Page analytics
    Purpose: To measure page effectiveness and visitor journey completion
    Legal basis: Legitimate interest (anonymized event data, no session replay)
  • Installation records
    Purpose: To manage App installations, verify authorization, and enforce access policies
    Legal basis: Legitimate interest (necessary for product operation); contractual necessity (required to deliver the service)
  • Scan telemetry
    Purpose: To understand product usage patterns, identify issues, and improve analysis quality
    Legal basis: Legitimate interest (aggregated operational metrics, no source code or finding content)
  • Audit event log
    Purpose: To maintain a security audit trail for installation lifecycle events
    Legal basis: Legitimate interest (security and compliance)
  • Token exchange
    Purpose: To verify App installation and issue scoped access credentials
    Legal basis: Contractual necessity (required to deliver the service)

Third-Party Service Providers

We share data with the following service providers:

  • Beehiiv
    Role: Email platform for waitlist
    Data processed: Email address, company name
    Reference: Beehiiv Privacy Policy
  • PostHog
    Role: Analytics (US cloud)
    Data processed: Page interaction events keyed by a first-party session cookie
    Reference: PostHog Privacy Policy
  • Cloudflare
    Role: CDN, DDoS protection, backend hosting (Workers, KV storage, R2 object storage)
    Data processed: Network traffic (may include IP addresses); installation records; scan telemetry; audit logs
    Reference: Cloudflare Privacy Policy
  • GitHub
    Role: Platform for App installation, Action execution, artifact storage
    Data processed: Installation events, repository metadata, PR comments, manifest artifacts
    Reference: GitHub Privacy Statement

LLM providers (customer-selected): When you use Yanrix, assembled context from your codebase is sent directly from your GitHub runner to the LLM provider you configure. Yanrix does not act as an intermediary for this data transfer. The LLM provider you select is your sub-processor for that data, not ours. Supported providers are named in the "LLM provider transmission" section above; review the privacy policy of the provider you choose before configuring it.

We do not sell your personal information to any third party. We do not use advertising networks or tracking pixels.


Data Retention

  • Waitlist email addresses: Until you unsubscribe, or until 30 days after Yanrix public launch, whichever comes first. Data is deleted from Beehiiv unless you opt in to continued communication.
  • Company name (optional): Same schedule as email address.
  • Page analytics: 90 days in PostHog, then automatically deleted.
  • Installation records: Retained for the life of the installation. When you uninstall, the record is marked inactive but retained for audit trail purposes. Deletion available on request (see Your Rights below).
  • Scan telemetry: Retained for product operation and analysis improvement. Deletion available on request for data associated with your installation.
  • Audit event log: Retained in accordance with our security and compliance requirements. Append-only by design.
  • Token exchange data: Not retained. Tokens are transient and expire within one hour.

Your Rights

You have the right to access, correct, or delete your personal information. If you are in California, you have rights under CCPA including the right to know what data we hold and to request deletion. If you are in the EU or UK, you have rights under GDPR (and UK GDPR) including the right of access, rectification, erasure, restriction of processing, data portability, and the right to object.

To exercise your rights:

  • Unsubscribe from waitlist email: Use the unsubscribe link at the bottom of any email we send. This is the fastest path.
  • Request deletion of all data: Email privacy@yanrix.dev with the subject line "Data Deletion Request." We will confirm receipt and complete deletion within 30 days. Deletion will be applied across Beehiiv, PostHog, and any Yanrix backend records associated with your identity.
  • Request deletion of installation data: Email privacy@yanrix.dev with the subject line "Installation Data Deletion Request" and include the GitHub organization or username associated with your installation.
  • Request a copy of your data: Email privacy@yanrix.dev with the subject line "Data Access Request."
  • EU/UK residents: You have the right to lodge a complaint with your local supervisory authority if you believe your data is being handled in violation of GDPR.

Cookies and Tracking

This site does not use advertising cookies or cross-site tracking. PostHog may set a first-party analytics cookie to distinguish sessions. The cookie is scoped to yanrix.dev and is not sent to any other site; the session identifier it contains is included with the analytics events sent to PostHog, which is how those events are grouped. Fonts are self-hosted; no external font CDN requests are made.

Session replay is not active on this site. If session replay is enabled in a future version, it will require your explicit consent via a consent banner, and input fields will be masked before any recording occurs.


International Data Transfers

PostHog analytics data is processed on US cloud infrastructure. If you are located in the EU or UK, this constitutes a transfer of data outside the EU/EEA. PostHog maintains Standard Contractual Clauses (SCCs) as the transfer mechanism for EU/UK personal data.

Cloudflare processes data across its global network, which may include locations outside the EU/EEA. Cloudflare maintains appropriate transfer mechanisms as described in their privacy policy.

Beehiiv processes waitlist data in the United States. If you are located in the EU or UK, this constitutes a transfer of data outside the EU/EEA.


Security

This site is served over HTTPS. DNS and edge security are provided by Cloudflare. The Yanrix backend at api.yanrix.dev runs on Cloudflare Workers with TLS encryption in transit.

Waitlist data is stored by Beehiiv; we do not maintain a separate copy. Installation records and scan telemetry are stored in Cloudflare KV, which provides encryption at rest. Audit logs are stored in Cloudflare Workers Analytics Engine.

Access to backend infrastructure and secrets is restricted to authorized personnel. Credentials are stored as Cloudflare Worker secrets and are never committed to any repository.


Changes to This Policy

We will update this policy when material changes occur in how we process data or when new product features affect data collection. The effective date at the top of this page will reflect the most recent revision. We will not reduce your rights under this policy without providing notice.


Contact

Questions about this policy or how your data is handled:

privacy@yanrix.dev
SoluMates LLC