Exlogare

Last updated:

Privacy Policy

This document is a solid template and reflects how Exlogare actually operates. It has not yet been reviewed by outside counsel — consult your own lawyer before relying on it contractually.

1. Who we are

Exlogare ("we", "us", "our") operates the website at exlogare.net and the application at app.exlogare.net. We provide an AI-powered CI/CD failure analysis service. For the purposes of the EU GDPR and UK GDPR, Exlogare is the data controller for information we collect directly from visitors and customers.

You can contact our data protection point of contact at privacy@exlogare.net.

2. What we collect

  • Account data — email address, tenant (company) name, role, and authentication metadata (magic-link issuance times, IP of the issuing device, user agent, session identifiers).
  • Integration data — tokens, webhook secrets, and OAuth credentials that you provide to connect Exlogare to GitLab, Jenkins, Slack, Telegram, or Matrix. Credentials are encrypted at rest.
  • Pipeline logs (transient, in memory) — redacted excerpts of your CI/CD job logs are processed by our analysis layer strictly in memory and discarded as soon as the RCA is generated. Our redaction layer strips JWTs, AWS keys, GitLab tokens, basic-auth URLs, and other high-entropy secrets before the analysis layer sees them. Raw logs are never persisted to our database.
  • Analysis output — the RCA (root cause analysis) text, suggested fixes, severity, confidence, and the minimal routing metadata we need to deliver it (project, pipeline URL, MR ID). This is the only log-derived artefact we store.
  • Billing data — plan, usage counters, and invoice metadata. Card/wallet data is handled entirely by our payment processor (YooMoney) and is never stored on our servers.
  • Technical logs — request logs, error traces (via Sentry), and rate-limit counters, retained for up to 30 days.

3. Why we process it (legal bases)

  • Contract (Art. 6(1)(b)) — to provide the service you signed up for.
  • Legitimate interests (Art. 6(1)(f)) — to keep the service secure, debug errors, and prevent abuse.
  • Legal obligation (Art. 6(1)(c)) — to keep invoices and tax records.
  • Consent (Art. 6(1)(a)) — only where strictly required (e.g. future analytics cookies).

4. Sub-processors

We rely on the following third parties to deliver parts of the service:

  • YooMoney — payment processing (RU/EEA).
  • Sentry (Functional Software, Inc.) — error tracking (US).
  • The SMTP provider you configure for magic-link email (customer-controlled).

For each sub-processor we maintain an appropriate data-processing agreement or standard contractual clauses. Today Exlogare is delivered only as a managed SaaS; a self-hosted distribution is planned for a future release.

5. Your rights

Under GDPR and similar laws, you have the right to access, rectify, delete, port, restrict, and object to the processing of your personal data. You also have the right to lodge a complaint with a supervisory authority. To exercise any of these rights, email privacy@exlogare.net; we respond within 30 days.

6. Retention

  • Pipeline logs — not retained. Logs are processed in memory by our analysis layer and discarded at the end of the job.
  • Account data — for the life of the account + 90 days after deletion.
  • RCA history — up to 365 days, or the plan's retention window, whichever is shorter. You can delete any RCA at any time from the dashboard.
  • Usage events (for billing) — retained for the current billing cycle plus 90 days.
  • Billing records — retained 6 years to meet tax law.
  • Technical logs / Sentry events — 30 days.

7. Security

Transport is TLS 1.2+ on every edge. Session cookies are HttpOnly; Secure; SameSite=Lax. CSRF is enforced via double-submit on state-changing API calls. Integration tokens and webhook secrets are encrypted at rest with symmetric keys rotated on a defined schedule.

8. Changes

We will announce material changes to this policy in-app and by email at least 30 days before they take effect.