Privacy Policy

Last updated: 2026-05-02

Iris is open-source software (Apache 2.0). This Privacy Policy applies to the hosted deployment of Iris that you are currently accessing. The legal entity operating that deployment is the data Controller. If you self-host Iris or deploy a fork, you (or your organization) are the Controller for your own deployment, and you must publish your own Privacy Policy.

For this deployment:

  • Controller: ClickBus
  • Jurisdiction: São Paulo, Brazil
  • Privacy contact: dpo@clickbus.com
  • Data Protection Officer: dpo@clickbus.com

This Privacy Policy describes how the Controller collects, uses, and protects personal data through Iris ("the Service") — both the open-source CLI and the hosted platform you are accessing.

The hosted platform is access-restricted to authorized users. The CLI is open source under Apache 2.0 and runs entirely on your machine; this policy applies only when you connect the CLI to a hosted platform deployment or use the platform directly.

1. Data we collect

The CLI (running locally) does not transmit data to the Controller by default. It reads your Git repository's metadata (commits, diffs, PR information via the GitHub CLI) and produces a local report. Nothing leaves your machine unless you opt in to a hosted platform via iris push or to your own observability backend via OTEL_EXPORTER_OTLP_ENDPOINT (see docs/TELEMETRY.md).

The hosted platform collects:

  • Authentication data: name, email, GitHub login, and avatar URL — provided by GitHub OAuth when you sign in.
  • Repository metrics: aggregated, anonymized signals produced by the CLI (stabilization rate, churn, PR lifecycle timings, AI-tool detection counts). No source code is uploaded.
  • Org membership: the GitHub organizations you have access to, used to provision the workspace mirror in Iris.
  • Audit log: timestamps and types of administrative actions inside your workspace (member invitations, role changes, repository links).
  • Session cookies: a JWT-based NextAuth session token plus the language preference cookie (iris_lang).

We do not collect IP addresses, fine-grained device fingerprints, marketing pixels, or third-party analytics.

2. How we use the data

  • Authenticate you and authorize access to your workspace.
  • Render dashboards and trend reports across your organization's repositories.
  • Send transactional emails: invitations, ownership transfers, and (when applicable) verification codes — via Resend.
  • Operate the Service, troubleshoot issues, and improve reliability.

We do not sell, rent, or share personal data with third parties for advertising or profiling.

3. Where data is stored

  • Application data: Supabase (Postgres). Row-Level Security policies isolate each organization.
  • Email delivery: Resend (transactional email provider).
  • Hosting: Vercel.
  • Authentication: GitHub Inc. (subject to GitHub's own privacy policy).

The exact regions depend on the operator's deployment configuration.

4. Retention

Active workspace data is retained while your account is active. Audit log entries are retained for 12 months by default. You can request deletion at any time (see Section 6).

5. Sub-processors

| Provider | Purpose |
|---|---|
| Supabase | Database & file storage |
| Vercel | Application hosting |
| Resend | Transactional email |
| GitHub | Authentication (OAuth) |

6. Your rights (LGPD / GDPR)

You have the right to:

  • Access the personal data we hold about you
  • Rectify inaccurate data
  • Delete your account and personal data (a "right to be forgotten")
  • Export your data in a portable format
  • Withdraw consent at any time
  • Object to specific processing activities
  • File a complaint with your local supervisory authority (e.g. the Brazilian National Data Protection Authority — ANPD)

To exercise any of these rights, contact the Controller at the privacy address above. We respond within 15 business days as required by LGPD Article 19.

7. Security

  • All traffic is encrypted with TLS 1.2+
  • Database access uses Supabase service-role keys, scoped to the server only
  • Strict Content-Security-Policy and HSTS headers (see platform/next.config.ts)
  • Vulnerability reports follow SECURITY.md

8. Changes to this policy

Material changes are announced via the platform UI and a commit to this file in the public repository. The "Last updated" date at the top reflects the most recent revision.

9. Contact

Use the privacy and DPO addresses listed at the top of this document. For vulnerability disclosure, see SECURITY.md.


This template is published as part of the open-source repository at github.com/RocketBus/clickbus-iris. The canonical version applicable to a specific hosted Service is rendered by that deployment with its own operator information.