Your data, your control.
Last updated: April 2026
This Privacy Policy explains how Yanib ("Yanib", "we", "us", "our") collects, uses, and protects information when you use the Yanib service available at yanib.dev (the "Service"). It applies to visitors, account holders, and anyone whose data is processed through the Service.
1. Who we are (Data Controller)
Yanib is the data controller for personal data processed about you when you use our Service. For privacy questions or data-subject requests, email support@yanib.dev.
For paid subscriptions, Paddle.com Market Limited acts as Merchant of Record and is an independent data controller for the payment data it collects from you at checkout. Paddle's privacy notice is available at paddle.com/legal/privacy.
2. Information we collect
Account information: When you sign in with GitHub, GitLab, Google, or email, we receive your name, email address, and profile photo. For GitHub or GitLab sign-in, we also receive your username and an OAuth access token to interact with your repositories on your behalf.
Repository metadata: When you connect a repository, we access commit messages, pull/merge request titles and descriptions, release tags, and basic repository metadata via the GitHub or GitLab API. We do not access your source code.
Content you submit: Edits to changelog drafts, integration configurations (Slack channels, Discord webhooks, custom webhook URLs), team names, and similar inputs.
Usage and device data: Pages visited, features used, browser type, device type, IP address (transient, used for rate-limiting and security), and approximate timestamps. This data is collected via PostHog (product analytics) and Sentry (error reporting). Both are configured to scrub personally identifiable values from event payloads where reasonably possible.
Payment information: If you subscribe, Paddle collects your billing name, billing address, and payment details (card or alternative). We receive only a Paddle customer ID, subscription status, and the last four digits of your card from Paddle webhooks. We do not store full card numbers.
Bring-Your-Own-Key (BYOK): If you provide your own Anthropic API key, we store it encrypted at rest and use it only to make AI requests on your behalf.
3. How we use your data and legal basis
We process your data for the following purposes:
- Provide the Service — generate AI changelogs and digests from your commit/PR data, deliver them to your configured integrations, host public changelog pages and developer profiles. Legal basis: performance of a contract.
- Account and billing — authenticate you, manage your subscription, send transactional emails (invoices, draft notifications, team invites). Legal basis: performance of a contract.
- Service improvement and security — debug issues, prevent abuse, monitor performance, enforce rate limits. Legal basis: legitimate interest in operating a reliable, secure Service.
- Legal compliance — meet tax, accounting, and regulatory obligations. Legal basis: legal obligation.
- Marketing emails — only with your separate consent or where permitted under soft opt-in for similar products. You can unsubscribe at any time.
4. AI processing
Yanib uses Anthropic's Claude AI to generate changelogs, summaries, and digest reports. Your commit messages, pull/merge request titles and descriptions, and any draft content you ask us to rewrite are sent to the Anthropic API for processing. We do not send source code to any AI provider.
Anthropic processes this data as our sub-processor under its commercial terms, which prohibit using customer data to train its models. AI responses are cached for up to 1 hour to reduce cost and latency. If you use BYOK, requests run against your own Anthropic account, your key is encrypted at rest, and your cache is isolated from other users.
5. Sub-processors and data sharing
We do not sell your personal data. We share data only with the following sub-processors and partners, each bound by appropriate data-protection terms:
- Anthropic, PBC (USA) — AI processing of commit and PR metadata.
- Paddle.com Market Limited (UK) — payment processing and Merchant of Record services.
- Resend, Inc. (USA) — transactional and subscriber email delivery.
- Neon, Inc. (USA) — managed PostgreSQL database hosting.
- Vercel Inc. (USA) — application hosting and CDN.
- Inngest, Inc. (USA) — background job orchestration.
- Sentry (Functional Software, Inc.) (USA) — application error tracking.
- PostHog, Inc. (USA / EU region) — product analytics.
- GitHub, Inc. and GitLab Inc. — only the OAuth tokens and API calls needed to read repository metadata you have explicitly connected.
We may also disclose data when required by law, to enforce our Terms of Service, or to protect the rights, property, or safety of Yanib, our users, or others.
6. International data transfers
Yanib is operated globally and several of our sub-processors are based in the United States. When we transfer personal data of users in the European Economic Area, the United Kingdom, or Switzerland to a country that has not received an adequacy decision, we rely on the European Commission's Standard Contractual Clauses (and the UK Addendum where applicable) as the legal transfer mechanism. Where our sub-processors offer EU-region data residency we use it by default.
7. Cookies and tracking
We use a small number of cookies and similar technologies:
- Strictly necessary — session and authentication cookies (NextAuth) and CSRF tokens. The Service cannot function without these.
- Functional — remembering your active team / workspace context.
- Analytics — first-party PostHog identifiers used to aggregate product usage. You can opt out with a standard browser content blocker; the Service will continue to work normally.
We do not use cookies for advertising or cross-site tracking.
8. Data retention
We retain your data for as long as your account is active. When you delete a team or disconnect a repository, associated data is soft-deleted and permanently removed within 30 days. Webhook payloads are kept for up to 90 days for replay and debugging, then deleted.
Billing records (invoices, transaction IDs, tax data) are retained for as long as required by applicable tax and accounting law — typically 7 years. Deleted accounts are removed from analytics within 30 days.
9. Security
All data is transmitted over TLS/HTTPS. Webhook signatures are cryptographically verified. BYOK API keys are encrypted at rest and never logged. Database connections use SSL. Access to production data is limited to authorised engineers and protected by strong authentication and audit logging. Despite reasonable safeguards, no system is perfectly secure; you use the Service at your own risk.
10. Your rights
Depending on where you live, you may have the right to:
- Access the personal data we hold about you.
- Request correction of inaccurate data.
- Request deletion of your data ("right to erasure").
- Restrict or object to certain processing.
- Receive your data in a portable format ("data portability").
- Withdraw consent where processing is based on consent.
- Lodge a complaint with your local data protection authority. EEA users may contact their national supervisory authority; UK users may contact the ICO at ico.org.uk.
California residents (CCPA/CPRA): you have the right to know what personal information we collect, request deletion, opt out of "sale" or "sharing" of personal information (we do not sell or share for cross-context behavioural advertising), and not be discriminated against for exercising these rights.
To exercise any of these rights, email support@yanib.dev. We will respond within 30 days (or the shorter period required by your local law). You can also export and delete most data directly from your dashboard under Settings.
11. Children
Yanib is not directed to children under 16, and we do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, please contact support@yanib.dev and we will delete it.
12. Changes to this Policy
We may update this Privacy Policy from time to time. Material changes will be communicated by email or in-app notice and updated here with a new "Last updated" date. Continued use of the Service after a change constitutes acceptance of the revised Policy.
13. Contact
For privacy, data-protection, billing, or general enquiries, email support@yanib.dev.