Privacy Policy
Last updated: April 21, 2026.
Short version
We collect the minimum we need to run the Service: an email if you sign up for early access, GitHub installation metadata, metrics about runs Picolayer performs on your repos, and any feedback you send us. We don't sell or share your data with advertisers. GitHub is the source of truth for your code and repositories; we keep a small derived cache on our infrastructure.
What we collect
- Email address — when you submit the early-access form or use the feedback form and choose to leave one.
- GitHub identity — your GitHub login, user ID, and the list of installations you can access, via OAuth (read:user scope) when you sign in to the dashboard.
- Installation metadata — installation IDs, repository names, and the events GitHub sends us (push, issues, pull requests).
- Run metrics — survey outcomes, verdicts, cost, timings, and links to the issues and pull requests Picolayer opens. Stored in a small SQLite database.
- BYOK keys — if you provide your own LLM API keys (Gemini, Anthropic), they are encrypted at rest with AES-GCM before being stored. We show you only the last four characters.
- Feedback — anything you type into the feedback form, plus an optional email if you want a reply.
- Analytics — aggregate page views via Plausible (cookieless) and, in regions where applicable, Google Analytics 4 after explicit consent.
What we don't collect
- The contents of your repository outside of what is processed inside an ephemeral sandbox per run. Sandboxes are destroyed when the run ends.
- Your GitHub password, personal access tokens, or secrets stored in your repositories.
- Behavioral data sold or shared with advertising networks.
How we use what we collect
- To run the Service (survey your repos, file issues, open pull requests).
- To operate the dashboard and scope what each user can see.
- To diagnose errors and improve the Service.
- To send product updates to early-access subscribers. You can unsubscribe at any time.
- To reply to feedback you send us.
Where data lives
Our application runs on Fly.io. The SQLite database lives on a Fly.io persistent volume. Sandboxes run on Daytona and are created fresh per run, then deleted. LLM calls go directly from our server to the provider (Google or Anthropic) using the key configured for your installation; we do not proxy responses through third parties.
Cookies
We set a session cookie when you sign in to the dashboard so we can keep you signed in. If Google Analytics 4 is enabled, it may set cookies only after you accept the banner (shown to visitors in Europe). Plausible is cookieless.
Your rights
You can uninstall the Picolayer GitHub App from your account or organization at any time. To request deletion of your data (early-access email, feedback, run metrics, BYOK keys), send a note via the feedback form. We will wipe your rows within a reasonable time.
Security
BYOK keys are encrypted at rest with AES-GCM. Session cookies are signed with HS256. HTTPS is required for all traffic to picolayer.com. We do our best, but Picolayer is early-stage software. Report suspected vulnerabilities via the feedback form.
Children
Picolayer is built for software engineering teams. We do not knowingly collect data from anyone under 16.
Changes
We may update this policy as the Service evolves. Material changes will be announced on this page; continued use of the Service after changes means you accept the updated policy.
Contact
Picolayer is not currently incorporated. Reach us through the feedback form.