Privacy Policy
- Last updated: May 30, 2026
- Version: 2026.05
- Applies to: EU · France · Canada · United States
In plain language
- Pyor has no server that sees your code. The app talks straight to GitHub from your computer. Your source, diffs, and access token stay on your machine.
- The only personal data we process is what running a website and billing Teams requires — your email, account, and payment details (cards are handled by Stripe; we never see the number).
- We don’t sell or share your personal data for advertising, and we use no ad trackers.
- You have real, enforceable rights — access, deletion, correction, portability, opt-out — wherever you live. Email privacy@pyor.review and we’ll honour them.
1. Who we are
This Privacy Policy explains how «Registered legal entity name, e.g. Pyor Software SAS / Pyor Software, Inc.» (“Pyor”, “we”, “us”) collects and uses personal data in connection with the Pyor website at pyor.review and the Pyor desktop and web applications (together, the “Services”). For the processing described here, we are the data controller (GDPR) / the organisation accountable for your information (PIPEDA & Québec Law 25) / the business (CCPA/CPRA).
Registered office: «Registered street address», «Postal code» «City», «Region / State / Province», «Country». Legal form: «Legal form, e.g. SAS / Inc. / Ltd.».
- General privacy contact: privacy@pyor.review
- Data Protection Officer (where appointed): «DPO name, or "not appointed — contact privacy@pyor.review"» — dpo@pyor.review
- EU representative (Art. 27 GDPR, where applicable): «EU representative name + address, if controller is outside the EU»
- Canadian Privacy Officer: «Privacy Officer name, or "contact privacy@pyor.review"»
2. Our privacy model — what makes Pyor different
Pyor is a client-side product. There is no Pyor-operated backend that receives, stores, or indexes your repositories, pull requests, diffs, or review comments. When you use the app:
- The app communicates directly with GitHub’s API from your device, using your own GitHub credentials.
- Your GitHub personal access token is stored locally — in your operating system’s secure keychain on desktop (macOS Keychain, Windows DPAPI, Linux libsecret via the OS), or in your browser’s `localStorage` on the web build. It is never transmitted to us.
- Cached PR data and your private, on-device review notes live on your machine. They are not uploaded to us.
As a result, your code and the contents of your reviews are not personal data that we process. Your use of GitHub remains subject to GitHub’s own terms and privacy statement. The rest of this policy concerns the limited personal data we do process to run the website, accounts, and billing.
3. What we process, and why
| Category | Examples | Why |
|---|---|---|
| Website usage | Pages viewed, approximate region, device/browser type — aggregated and cookieless, only if you consent to analytics. | Understand what’s useful and improve the site. |
| Account & identity | Name, email, GitHub login/handle, organisation name (Teams). | Create and secure your account; operate Teams workspaces. |
| Billing | Billing email, plan, seat counts, country, VAT/tax ID, and payment status. Card numbers are processed by Stripe; we store only a token and the last four digits, never the full card. | Take payment for Teams and meet tax/accounting law. |
| Support & comms | Emails you send us, and any optional product-update emails you opt into. | Answer you; send things you asked for. |
| Security & logs | Minimal, short-lived server logs for the website (e.g. IP address, timestamps) kept by our hosting provider. | Keep the site available and defend against abuse. |
We do not collect special-category data, we do not run advertising profiles, and we do not build a profile of you across other websites.
4. Legal bases for processing (GDPR / UK GDPR)
- Performance of a contract (Art. 6(1)(b)) — creating your account, providing the Services, and billing Teams.
- Legitimate interests (Art. 6(1)(f)) — securing the site, preventing fraud and abuse, and understanding aggregate usage. We balance these against your rights.
- Consent (Art. 6(1)(a)) — non-essential analytics and any marketing emails. You can withdraw consent at any time.
- Legal obligation (Art. 6(1)(c)) — keeping tax and accounting records.
5. Cookies & analytics
We use strictly-necessary storage to make the site work, and — only with your consent — privacy-friendly, cookieless analytics. We set no advertising or cross-site tracking cookies. You choose when you first visit, and can change your mind anytime via “Manage cookies” in the footer. Full detail is in our Cookie Policy.
6. How we share data
We don’t sell your personal data, and we don’t share it for cross-context behavioural advertising. We disclose data only to:
- Service providers (sub-processors) who process data on our behalf under contract — payments, hosting, email, and analytics. The current list is at Sub-processors.
- Legal & safety — where required by law, to enforce our terms, or to protect rights and safety. We require valid legal process and disclose the minimum necessary.
- Corporate events — if we’re involved in a merger or acquisition, data may transfer under this policy; we’ll notify you of any material change.
Business customers can sign our Data Processing Agreement, which includes the EU Standard Contractual Clauses.
7. International data transfers
We and some sub-processors may process data outside your country, including in the United States. Where we transfer personal data out of the EEA, UK, Switzerland, or Canada, we rely on appropriate safeguards — chiefly the European Commission’s Standard Contractual Clauses (and the UK Addendum), plus a transfer-impact assessment and additional measures where needed. Ask us for a copy of the relevant safeguards at privacy@pyor.review.
8. How long we keep data
- Account data — for as long as your account is active, then deleted or anonymised within a reasonable period after closure.
- Billing & tax records — for the period required by applicable tax and accounting law (commonly up to 6–10 years).
- Analytics — kept in aggregate; no long-lived per-visitor profiles.
- Support emails — kept only as long as needed to help you and keep a reasonable record.
9. Security
We keep the data we hold to a minimum and protect it with encryption in transit (TLS), access controls, and reputable infrastructure providers. The strongest control is architectural: your code and token never reach us in the first place. See our Security page, including how to report a vulnerability. No method of transmission or storage is perfectly secure, and we can’t guarantee absolute security.
10. Your rights & choices
Wherever you live, you can reach us at privacy@pyor.review to exercise the rights below. We don’t charge a fee (absent manifestly unfounded or excessive requests), we may need to verify your identity, and we’ll respond within the time the law allows.
European Economic Area, United Kingdom & Switzerland (GDPR)
You have the right to:
- access a copy of your personal data;
- rectify inaccurate data and complete incomplete data;
- erasure (“right to be forgotten”) in the circumstances the law provides;
- restrict or object to processing, including processing based on legitimate interests;
- data portability for data you provided, in a machine-readable format;
- withdraw consent at any time, without affecting prior processing; and
- lodge a complaint with a supervisory authority — in France, the CNIL (Commission nationale de l’informatique et des libertés).
Canada (PIPEDA & Québec Law 25)
You may:
- access the personal information we hold about you and ask how it’s used and disclosed;
- request correction of inaccurate information;
- withdraw consent, subject to legal or contractual limits;
- request portability and, in Québec, de-indexing/“right to cease dissemination” where the law applies; and
- complain to the Office of the Privacy Commissioner of Canada or, in Québec, the Commission d’accès à l’information.
Our Privacy Officer is «Privacy Officer name, or "contact privacy@pyor.review"» and oversees compliance, including breach assessment and reporting.
United States — California (CCPA/CPRA) & other states
In the past 12 months we collected the categories described in §3 (identifiers, customer records, commercial/billing information, and internet activity if you consent to analytics). We collect these for the business purposes described above and disclose them only to the service providers in §6.
- We do not “sell” and do not “share” your personal information as those terms are defined under the CCPA/CPRA, and we have not in the prior 12 months.
- You can request to know, delete, and correct your personal information, and to limit use of sensitive information (we don’t use sensitive information for inferring characteristics).
- Because we don’t sell or share, our “Your privacy choices” control is your standing opt-out — there’s nothing further to switch off.
- We won’t discriminate against you for exercising your rights. You may use an authorized agent, and you may appeal a decision by replying to our response.
Residents of Virginia, Colorado, Connecticut, Utah, Texas, and other states with comprehensive privacy laws have analogous rights to access, delete, correct, and opt out of targeted advertising and sale — which we don’t do. Use the same contact to exercise them.
11. Children
Pyor is a developer tool intended for adults and is not directed to children. We don’t knowingly collect personal data from anyone under 16 (or the age your local law sets). If you believe a child has given us data, contact us and we’ll delete it.
12. Automated decision-making
We don’t make decisions producing legal or similarly significant effects about you based solely on automated processing, and we don’t profile you for advertising.
13. Changes to this policy
We’ll update this policy as our practices or the law evolve, and we’ll change the “Last updated” date above and bump the version. For material changes we’ll give prominent notice (e.g. on the site or by email). Your continued use after an update means you accept the revised policy where the law allows.
14. Contact & complaints
Questions or requests: privacy@pyor.review (or dpo@pyor.review for the DPO). You can always complain to your local supervisory authority, but we’d appreciate the chance to resolve things first.