Privacy Policy

Last updated: June 11, 2026

Welcome to vitrus.dev, a service operated by CAGAN YAZILIM TEKNOLOJILERI SANAYI VE TICARET LIMITED SIRKETI (“Company”, “we”, “us”), built and maintained by ahmet vural and theUglyCode. This policy explains what we collect when you use our website, API, or command-line interface (“Services”), and the rights you have over it.

1. Information We Collect

Account data — your email and name, received from your sign-in provider (e.g. GitHub OAuth).
Workspace content — the documents and sources you explicitly connect or upload (Markdown, Slack, GitHub, docs…). You choose what is connected.
Usage data — query logs (visible to your workspace admins in the audit log), sync status and technical logs needed to operate the service.
Payment data — handled by our merchant of record, Paddle. We receive subscription status, plan and seat counts; we never store your full card details.
Support data — the tickets and messages you send to our support desk.

2. How We Use Your Information

We use this data to operate and secure the Services, authenticate you, answer your support requests, process billing, and comply with legal obligations. We do not sell personal data, and we do not use your workspace content to train AI models.

3. Your Workspace Content

Content is isolated per organization (enforced with database row-level security) and respects the source’s own permissions: access control lists are captured on every sync, and a member never sees content they aren’t authorized to see. Connector credentials are stored encrypted (AES-256-GCM). The source of truth is portable Markdown — you can export your brain or request deletion of your workspace at any time.

4. Third-Party Processors

Paddle.com Market Ltd — payments, tax and invoicing (merchant of record).
Hetzner Online GmbH — server hosting (EU data centers).
Cloudflare — DNS, TLS and traffic proxying.
GitHub — sign-in (OAuth) and, if you connect it, repository content.
Optional model providers (e.g. OpenAI, Anthropic) — only if your workspace configures them for embeddings or synthesis; by default Vitrus runs with offline, deterministic providers.

5. Cookies

We use a single essential session cookie (signed, httpOnly) to keep you logged in to the dashboard, plus the cookies our payment provider requires during checkout. We do not use advertising cookies.

6. Data Retention and Security

Account and workspace data are retained while your account is active. Data is protected with industry-standard measures, including encryption in transit (TLS), encrypted credential storage, tenant isolation, and least-privilege database roles. On verified deletion requests, workspace data is removed from production systems within 30 days.

7. Your Rights (GDPR / KVKK)

Depending on your jurisdiction (including the EU’s GDPR and Türkiye’s KVKK), you may have the right to access, correct, export or delete your personal data, and to object to or restrict certain processing. To exercise these rights, open a support ticket or email [email protected].

8. International Transfers

The Services are hosted in the European Union. Where data is transferred across borders (e.g. to payment or sign-in providers), we rely on appropriate safeguards such as standard contractual clauses provided by those processors.

9. Changes to This Policy

We may update this policy from time to time; material changes will be announced on this page.

10. Contact

Privacy questions: [email protected]
Operator: CAGAN YAZILIM TEKNOLOJILERI SANAYI VE TICARET LIMITED SIRKETI.