Privacy Policy
Last Updated: December 2024
This Privacy Policy explains how UnfoldCI ("we," "us," "our") collects, uses, and protects your information when you use our flaky test detection service.
By using UnfoldCI, you consent to the practices described in this Privacy Policy.
1. Information We Collect
1.1 Account Information
When you install the UnfoldCI GitHub App:
- GitHub username (from GitHub OAuth)
- Email address (from GitHub or fallback to noreply address)
- Avatar URL (from GitHub profile)
- GitHub user ID (for authentication)
- Installation ID (links your GitHub App installation to your account)
1.2 Repository Information
- Repository name and URL
- Repository owner
- Default branch name
- Installation timestamp
- GitHub repository ID
1.3 Test Data
We collect and store:
- Test names and file paths
- Test outcomes (pass/fail for last 100 runs per test)
- Test duration (execution time in milliseconds)
- Flake scores and pass rates (calculated metrics)
- Test framework and language (detected from files)
- Code hash (SHA-256 hash of test file for version tracking)
We do NOT store:
- Test inputs or outputs
- Test assertions or expected values
- Stack traces or detailed error messages (beyond temporary analysis)
1.4 CI/CD Run Information
- Commit SHA
- Branch name
- Commit message
- Triggered by (GitHub username who triggered the workflow)
- Run timestamps
- Test counts (total, passed, failed, flaky)
1.5 Temporary Data (Not Stored)
During analysis only, we temporarily access:
- Test file source code (fetched from GitHub, analyzed, then discarded)
- Imported dependencies (up to 5 files imported by the test)
- Error messages and stack traces (sent to AI, not stored in database)
This data is processed in-memory and never written to our database.
1.6 API Usage Data
- API key usage (last used timestamp)
- Request counts (for rate limiting)
- Analysis events (when AI analysis runs)
- PR creation events (when fix PRs are generated)
1.7 Technical Data
- IP addresses (server logs only, not stored in database)
- User agent strings (for debugging errors)
- GitHub Action version (for compatibility)
- Node.js version and OS (from CI environment)
2. How We Use Your Information
2.1 To Provide the Service
- Detect flaky tests in your CI/CD pipelines
- Calculate flake scores and pass rates
- Analyze test code to identify root causes
- Generate pull requests with suggested fixes
- Display test metrics in the dashboard
2.2 To Improve the Service
- Monitor service performance and uptime
- Debug errors and crashes
- Improve flake detection algorithms
- Enhance AI analysis accuracy
- Identify common flaky test patterns
2.3 For Security and Compliance
- Authenticate users via GitHub OAuth
- Validate API keys
- Enforce rate limits
- Detect and prevent abuse
- Comply with legal obligations
2.4 For Communication
- Send notification emails (if you enable notifications)
- Notify you of service changes or updates
- Respond to support requests
- Notify you of security issues
We will NEVER:
- Sell your data to third parties
- Use your code for any purpose other than analysis
- Share your test data with other users
- Train AI models on your proprietary code (per OpenAI/Anthropic API policies)
3. How We Share Your Information
3.1 Third-Party Service Providers
We share data with trusted third parties to operate our service:
| Service | Data Shared | Purpose |
|---|---|---|
| GitHub | Username, email, repo metadata | Authentication, code access, PR creation |
| OpenAI | Test code (in-memory only) | AI-powered root cause analysis |
| Anthropic | Test code (in-memory only) | Escalated AI analysis (when GPT-4 confidence is low) |
| AWS | All application data | Infrastructure (database, API, queue) |
Important:
- OpenAI and Anthropic do not train models on data sent via API
- Code sent to AI providers is processed in-memory and not retained
- All API calls use TLS 1.3 encryption
3.2 When Required by Law
We may disclose your information if:
- Required by court order, subpoena, or legal process
- Necessary to comply with applicable laws
- Needed to protect our rights or safety
- Required to enforce these Terms or prevent abuse
3.3 Business Transfers
If UnfoldCI is acquired or merged, your data may be transferred to the new owner. You will be notified via email if this occurs.
3.4 What We Do NOT Share
We will NEVER:
- Sell your data to data brokers or advertisers
- Share your source code with third parties (except AI providers for analysis)
- Publicly disclose your test results
- Share data with competitors
4. Data Security
4.1 Encryption
- In Transit: All data uses TLS 1.3 encryption
- At Rest: Database encrypted with AES-256 (AWS RDS)
- Backups: Encrypted with AWS KMS
- API Keys: Hashed with bcrypt (never stored in plain text)
4.2 Access Controls
- GitHub installation tokens are scoped to read-only code access and write-only PR creation
- API keys are per-installation and can be revoked instantly
- Database access is restricted to authorized services only
- All API requests are authenticated
4.3 Infrastructure Security
- Hosted on AWS (SOC 2 Type II compliant)
- Regular security updates and patching
- Automated vulnerability scanning
- No direct database access (API-only architecture)
4.4 Code Access
- We fetch test files only when AI analysis is triggered
- Code is never written to disk (processed in-memory only)
- No persistent storage of source code
- Code access is auditable via GitHub's installation logs
5. Data Retention
5.1 Active Accounts
While you use UnfoldCI:
- Test outcomes: Last 100 runs per test (rolling window)
- Test metadata: Retained indefinitely while repo is monitored
- CI run data: Retained indefinitely
- AI analysis results: Retained until repo is uninstalled
- Usage metrics: 12 months (for billing/rate limiting)
5.2 Uninstallation
When you uninstall the GitHub App:
- All repository data is immediately soft-deleted (archived)
- Active analyses are stopped
- API keys are invalidated
- No new data is collected
5.3 Permanent Deletion
Archived data is permanently deleted after 30 days.
To request immediate deletion:
- Email contact@unfoldci.com with your GitHub username and installation ID
- We will delete all data within 7 business days
6. Your Privacy Rights
6.1 GDPR Rights (EU Users)
If you are in the European Union, you have the right to:
- Access your data (request a copy)
- Rectify incorrect data (update in Settings)
- Erase your data (uninstall + request deletion)
- Restrict processing (uninstall the app)
- Data portability (export your data)
- Object to processing (uninstall the app)
To exercise these rights, contact contact@unfoldci.com.
6.2 CCPA Rights (California Users)
If you are in California, you have the right to:
- Know what personal data we collect
- Know if we sell your data (we do NOT)
- Request deletion of your data
- Opt-out of data sales (not applicable)
- Not be discriminated against for exercising your rights
6.3 How to Exercise Your Rights
To access your data:
- View in the dashboard at app.unfoldci.com
- Request export via contact@unfoldci.com
To delete your data:
- Uninstall the GitHub App (automatic 30-day deletion)
- Request immediate deletion via contact@unfoldci.com
To update your data:
- Go to Settings in the dashboard
- Update your GitHub profile (email, username, avatar)
7. Cookies and Tracking
7.1 What We Use
- Session cookies (to keep you logged in)
- Authentication tokens (GitHub OAuth)
- Local storage (dashboard preferences)
7.2 What We Do NOT Use
- No advertising cookies
- No third-party tracking pixels
- No analytics cookies (we do not use Google Analytics or similar)
7.3 How to Control Cookies
You can disable cookies in your browser settings. However, this will prevent you from logging in to the dashboard.
8. Children's Privacy
UnfoldCI is not intended for users under 13. We do not knowingly collect data from children. If we discover we have collected data from a child, we will delete it immediately.
9. International Data Transfers
9.1 Data Location
All data is stored in AWS us-east-1 (Virginia, USA).
9.2 EU-US Transfers
If you are in the EU, your data is transferred to the USA. We rely on:
- AWS's SOC 2 and ISO 27001 certifications
- Standard Contractual Clauses (SCCs)
- Your explicit consent to data transfer by using the Service
9.3 Your Rights
If you do not consent to data transfer to the USA, do not use UnfoldCI.
10. Changes to This Privacy Policy
We may update this Privacy Policy at any time. Changes are effective immediately upon posting.
We will notify you of material changes via:
- Email to your registered address
- Notice in the dashboard
- Update to "Last Updated" date
Continued use of the Service after changes constitutes acceptance.
11. Data Breach Notification
If a data breach occurs that affects your personal information:
- We will notify you within 72 hours (per GDPR)
- We will describe what data was affected
- We will explain what steps we are taking
- We will provide guidance on protecting yourself
12. Third-Party Links
Our Service may contain links to third-party websites (GitHub, OpenAI, etc.). We are not responsible for their privacy practices. Review their privacy policies separately.
13. Contact Us
For privacy questions, data requests, or to report a security issue:
Email: contact@unfoldci.com
Response Time: Within 24 hours for urgent security issues, 5 business days for general inquiries.
14. Legal Basis for Processing (GDPR)
We process your data based on:
- Consent: You consent by installing the GitHub App
- Contractual necessity: To provide the Service you requested
- Legitimate interests: To improve the Service and prevent abuse
15. Your California Privacy Rights
California Civil Code Section 1798.83 permits California residents to request information about disclosure of personal information to third parties for direct marketing purposes. We do not disclose personal information to third parties for direct marketing.
By using UnfoldCI, you acknowledge that:
- You have read and understood this Privacy Policy
- You consent to the collection and use of your data as described
- You consent to data transfers to the USA (if outside the USA)
- You understand that source code is only temporarily accessed for analysis