Background
Latchkey
Last Updated:May 18, 2026

Privacy Policy

Latchkey is committed to protecting the privacy and security of your data. This Privacy Policy explains how we collect, use, and safeguard your information.

TL;DR: Your Privacy Matters

  • We collect CI/CD metadata, logs, workflow YAML files, and runner telemetry — we never store or retain your source code
  • Latchkey Runners execute your jobs in ephemeral, isolated runners that are destroyed at job completion
  • We don't store passwords or payment info (handled by Clerk/GitHub OAuth and Stripe), and we never sell your data

Introduction

Latchkey ("we," "our," or "us") is committed to protecting the privacy and security of your data. This Privacy Policy explains how we collect, use, and safeguard your information when you use our website located at https://www.latchkey.dev/ (the "Site") and our AI-powered CI/CD monitoring services (the "Service").

By using our Service, you agree to the collection and use of information in accordance with this policy.

Effective Date: May 18, 2026
Contact: legal@latchkey.dev

Information We Collect

We collect only the minimum amount of data required to provide actionable insights and optimize your pipelines.

Account & Billing Information

  • Authentication: We use Clerk as our managed authentication provider, which handles sign-in via GitHub OAuth. We do not collect, view, or store your passwords.
  • Billing: All payments are processed securely by our third-party payment processor, Stripe. We do not collect or store your credit card numbers, bank account details, or financial information on our servers.

Pipeline & Usage Data

  • Workflow Metadata: Run IDs, job names, timestamps, failure/success statuses, and duration metrics.
  • Workflow YAML Files: We read your .github/workflows YAML files to analyze job structure, caching, and dependencies. This powers AI-driven optimization recommendations and AI Scan runner configurations.
  • Resource Usage: CPU and memory usage statistics used to calculate cost efficiency.
  • Log Data: Build logs and error messages required to identify bottlenecks and failures.
  • Runner Telemetry: When you use Latchkey Runners, we process runtime telemetry — CPU, memory, disk usage, exit codes, job durations, and per-runner metering data — to operate the runners, bill usage, surface analytics, and power self-healing.
  • Self-Healing Agent Data: When self-healing engages on a failing build step, the agent processes that step's stderr, stdout, exit code, and a curated set of manifest files (e.g., package.json, requirements.txt, Cargo.toml). The agent does not have access to your source code, and its actions are bounded to a vetted allowlist.
  • AI Privacy: We do not use your proprietary logs or source code to train global, multi-tenant AI models. AI insights, self-healing diagnoses, and AI Scan results are generated for your workspace only.
  • Permissions Scope: For analytics, we request read-only access to GitHub Actions metadata and workflow YAML. For pull request creation, we request the minimum write scope required to open PRs you explicitly request — we never push commits or merge code on your behalf. For Latchkey Runners, your workflow YAML directs jobs to Latchkey runners via the runs-on label; no additional GitHub permissions are required.

Source Code: Not Stored, Not Retained

Latchkey does not store or retain your source code. The analytics integration analyzes metadata, workflow YAML files, and logs — never source code. When you use Latchkey Runners, your code is checked out into an ephemeral, isolated runner instance solely to execute that job, and the runner is destroyed at job completion. No source code persists on Latchkey infrastructure between jobs.

AI Data Usage

By default, Latchkey does not use your proprietary logs, workflow files, or source code to train global, multi-tenant AI models. AI features — insights, AI Scan runner configurations, and self-healing — operate on your workspace's data for your workspace's benefit. We reserve the right to use de-identified, aggregated metadata (such as job durations and failure-category counts) to improve our algorithms and service performance, in a form that cannot be traced back to you or your workspace.

How We Use Your Information

We use the collected data for the following purposes:

Service Delivery

To generate analytics dashboards, cost reports, and optimization insights.

Runner Operation

To provision, operate, and tear down the ephemeral Latchkey Runner instances that execute your workflow jobs, and to meter their usage for billing.

Self-Healing

To detect, diagnose, and apply bounded fixes to failing build steps on Latchkey Runners, and to display the result of each heal attempt in the dashboard's Recent Heals view.

AI Scan & Optimization

To analyze your repository structure and workflow YAML files in order to generate AI Scan runner configurations and surface optimization recommendations you can choose to apply via a Latchkey-created pull request.

Security & Reliability

To detect technical issues, security risks, or abuse of the Service.

Billing Automation

To facilitate seamless plan transitions and automated billing via Stripe.

Data Sharing and Disclosure

We do not sell, trade, or rent your personal data to third parties.

Cloud Hosting & Runner Compute

AWS hosts our application, database, and the compute that backs Latchkey Runners. Customer data and runner instances are kept in isolated environments.

Authentication

Clerk handles authentication, including sign-in via GitHub OAuth. We do not see or store your GitHub credentials.

Payment Processing

Stripe facilitates your subscription, seat, and runner-minute payments.

AI Processing

We use third-party large language model providers to power optimization insights, AI Scan runner configurations, and self-healing diagnoses. The data we send to these providers is limited to what's required for the request — for example, a failing step's stderr, exit code, and manifest files for self-healing — and never includes your source code. We do not authorize these providers to train their models on your data.

Data Security

We use industry-standard security measures to protect your data: TLS 1.2 or higher for data in transit and AES-256 for data at rest. We do not store passwords or payment information.

Latchkey runs on AWS, which is SOC 2 compliant. Customer data and Latchkey Runner instances are kept in isolated environments with strict access controls, and Latchkey Runners are ephemeral — each runner is destroyed after the job it serves completes, so no data, artifacts, or state persists between jobs.

Data Retention

We retain data in an active status for up to one year after which it is transferred to cold storage. While historical analysis remains available, retrieval from cold storage may require additional time to load. You may request full data deletion at any time following the cancellation of your plan. Archived data is typically purged after five years unless otherwise required by law.

Your Privacy Rights

Depending on your location (e.g., GDPR, CCPA), you may have rights regarding access, correction, or deletion of your personal data.

Cookies and Tracking Technologies

We use essential cookies for authentication and session management. Refer to general data collection practices outlined above.

Third-Party Services

Refer to the Data Sharing and Disclosure section for information about our infrastructure providers.

Contact Us

If you have questions about this Privacy Policy, please contact us at:

Policy Updates

We may update this Privacy Policy from time to time. We will notify you of any material changes by email or through a prominent notice on our platform.

We use cookies to improve your experience. Privacy Policy