Privacy Policy

1. Information We Collect

We collect information you provide directly, as well as data generated through your use of the Service, including:

• Account information (name, email address, password hash)
• Organization name, team members, and role assignments
• Build configurations, workflow definitions, and environment variable keys (not values)
• Signing credentials — stored encrypted using AES-256-GCM, never logged in plaintext
• Build logs, artifact metadata, and usage statistics
• IP address, browser type, and session data for security purposes

2. How We Use Your Information

We use collected data to:

• Provide, maintain, and improve the Lycan platform
• Authenticate users and enforce access controls
• Process payments and manage billing
• Send transactional emails (build notifications, invitations, security alerts)
• Detect abuse, security incidents, and Terms violations
• Analyze aggregate usage patterns to improve the product

We do not sell your personal data. We do not use your source code or build artifacts for training AI models.

3. Data Security

We implement layered security measures to protect your data:

• All data in transit is encrypted using TLS 1.2+
• Secrets (certificates, API keys, keystores) are encrypted at rest using AES-256-GCM
• Passwords are hashed using bcrypt with a high work factor
• RBAC ensures team members access only what their role permits
• All sensitive actions are recorded in organization audit logs
• Regular security reviews and dependency audits

4. Data Retention

We retain your account data for as long as your account is active. Build logs are retained for 90 days by default (configurable on paid plans). Signing credentials are retained until explicitly deleted by an organization admin. After account termination, we retain data for 30 days to allow recovery, then permanently delete it.

5. Your Rights

You have the right to:

• Access and export your personal information via the dashboard or API
• Correct inaccurate personal data
• Request deletion of your account and all associated data
• Object to or restrict certain processing of your data
• Lodge a complaint with your local data protection authority

To exercise these rights, contact us at [email protected].

6. Cookies and Tracking

We use strictly necessary session cookies for authentication. We do not use third-party advertising trackers. We may use privacy-preserving analytics (aggregate, non-personal) to understand product usage. You can control cookie preferences through your browser settings; disabling session cookies will prevent login.

7. Third-Party Services

Lycan integrates with third-party services including cloud infrastructure providers, payment processors, and email delivery services. These providers access only the data necessary to perform their functions and are contractually bound to protect it. We do not share your source code, signing credentials, or build artifacts with third parties.

8. International Transfers

Lycan operates globally. Your data may be processed in countries outside your own. Where required, we rely on Standard Contractual Clauses or equivalent mechanisms to ensure your data receives adequate protection during cross-border transfers. Enterprise customers can request data residency in specific regions.

9. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of material changes via email and an in-app notice before the changes take effect. The "Last updated" date at the top of this page reflects the most recent revision.