Privacy Policy
Last updated: March 3, 2026
1. Introduction
Zerobillbot ("we," "us," or "our") operates the Zerobillbot GitHub App and the Zerobillbot.dev website (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.
By using the Service, you consent to the data practices described in this policy. If you do not agree with the terms of this Privacy Policy, please do not access or use the Service.
2. Information We Collect
2.1 Data from GitHub Webhooks
When you install the Zerobillbot GitHub App, we receive the following data via GitHub webhook payloads:
- Repository metadata: Repository name, owner (organization or user), visibility (public/private)
- Pull request metadata: PR number, title, author, branch names, timestamps
- File diffs: Changed file paths and diff content for infrastructure-as-code files (.tf, .yaml, .yml, .json, .template)
- Installation metadata: GitHub App installation ID, organization or user account info
2.2 Data We Do NOT Collect or Store
We want to be explicit about what we do not access:
- ❌ Source code: We do not clone your repository or access non-IaC files
- ❌ Secrets or credentials: We never access, store, or transmit secrets, API keys, tokens, or passwords
- ❌ Personal code: We only read infrastructure-as-code file diffs, not application source code
- ❌ Git history: We do not access your commit history beyond the current PR diff
2.3 Account Information
When you sign up or install Zerobillbot, we may collect:
- GitHub username and profile information (as provided by GitHub OAuth)
- Email address (for account communication and support)
- Organization name and billing information (for paid plans)
2.4 Usage Data
We automatically collect certain information about your use of the Service:
- Number of PR scans performed
- Feature usage patterns (anonymized)
- Error and performance logs
- IP address and browser information when visiting Zerobillbot.dev
3. How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve the Service
- Analyze infrastructure-as-code changes and calculate cost estimates
- Post cost analysis comments on your pull requests
- Create and manage GitHub Check Runs
- Send notifications (Slack, Teams) when configured
- Generate usage analytics and historical cost trend data (Pro and Enterprise plans)
- Communicate with you about your account, updates, and support requests
- Detect and prevent abuse, fraud, or technical issues
4. Data Retention
We retain your data as follows:
- PR analysis data: Retained for up to 90 days for Free plan users, and for the duration of your subscription plus 30 days for Pro and Enterprise users
- Historical cost trend data: Retained for up to 12 months for Pro users and up to 24 months for Enterprise users
- Account information: Retained as long as your account is active, plus 30 days after deletion
- File diffs: Processed in memory and discarded after analysis. We do not persist raw file diffs to disk or to a database
You can request deletion of your data at any time by contacting us at privacy@Zerobillbot.dev.
5. Data Sharing and Disclosure
We do not sell, trade, or rent your personal information. We may share data with:
- Service providers: Third-party services that help us operate our business (hosting, payment processing, analytics), under strict data processing agreements
- Legal requirements: When required by law, regulation, legal process, or governmental request
- Business transfers: In connection with a merger, acquisition, or sale of assets, with prior notice
5.1 Third-Party Services
Our Service uses the following third-party services:
- Railway: Application hosting (EU/US data centers)
- Stripe: Payment processing (PCI DSS compliant)
- GitHub: OAuth authentication and webhook delivery
- Plausible Analytics: Privacy-friendly website analytics (no cookies)
6. Data Security
We implement industry-standard security measures to protect your data, including:
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- Regular security audits and vulnerability assessments
- Access controls and authentication for internal systems
- Webhook signature verification for all GitHub webhook deliveries
While we strive to protect your information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.
7. GDPR Compliance
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have certain rights under the General Data Protection Regulation (GDPR):
- Right to access: Request a copy of the data we hold about you
- Right to rectification: Request correction of inaccurate data
- Right to erasure: Request deletion of your data ("right to be forgotten")
- Right to data portability: Request your data in a structured, machine-readable format
- Right to object: Object to processing of your data for certain purposes
- Right to restrict processing: Request that we limit how we use your data
To exercise any of these rights, contact us at privacy@Zerobillbot.dev. We will respond to your request within 30 days.
Legal basis for processing: We process your data based on (a) your consent when installing the GitHub App, (b) the necessity to perform our contractual obligations to you, and (c) our legitimate interest in operating and improving the Service.
8. California Privacy Rights (CCPA)
If you are a California resident, you have the right to:
- Know what personal information we collect and how we use it
- Request deletion of your personal information
- Opt out of the sale of personal information (we do not sell personal information)
- Not be discriminated against for exercising your privacy rights
9. Cookies
The Zerobillbot.dev website uses minimal cookies for essential functionality only (e.g., theme preference). We use Plausible Analytics, which is cookie-free and does not track individual users. We do not use third-party tracking cookies or advertising cookies.
10. Children's Privacy
Our Service is not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child under 16, we will take steps to delete that information.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. Your continued use of the Service after changes are posted constitutes acceptance of the revised policy.
12. Contact Us
If you have questions or concerns about this Privacy Policy or our data practices, please contact us at:
- Email: privacy@Zerobillbot.dev
- GitHub: Open an issue