Legal

Privacy Policy

Last updated: April 4, 2026 · Operator: Ribix, operated by MindCore ("we," "us," or "our")

This Privacy Policy describes how we collect, use, disclose, and safeguard information when you visit ribix.dev (the "Site"), use the Ribix dashboard, install the Ribix GitHub App, use CLI or incident-analysis workflows, or otherwise interact with us in connection with our services (collectively, the "Services"). By using the Services, you agree to this policy. If you do not agree, do not use the Services.

1. Who We Are

Ribix, operated by MindCore, acts as the data controller (or equivalent under applicable law) for personal data collected through the Site, waitlist, and product-account relationship. Where Ribix processes data on behalf of a customer workspace (for example analyzing that customer's GitHub Issues or connected engineering workflows), Ribix acts as a data processor and the customer is the controller. Customers may request a Data Processing Agreement (DPA) at mindcore.official.dev@gmail.com.

2. Information We Collect

2a. Account and identity data

When you register with email and password, we store your email address, optional display name, and a hashed password. When you sign in via GitHub OAuth, we receive your GitHub username, display name, primary email address, avatar URL, and the GitHub organizations associated with your account when needed to associate you with the correct Workspace. We do not receive your GitHub password or private SSH keys.

2b. Repository and issue data

When you install the Ribix GitHub App, we access and process:

  • Issue content – title, body, labels, comments, author username, and timestamps of GitHub Issues in repositories you have selected for enrichment.
  • Git history metadata – commit hashes, commit messages, author/committer names and emails, file paths touched per commit, and git blame line-level attribution data. We use this to identify likely causes, suspect changes, and code owners.
  • Repository clone-cache data – for connected repositories, the backend may keep a local clone cache so it can derive candidate files, CODEOWNERS context, repository intelligence, and limited code snippets relevant to a bug report or analysis workflow. The product is not presented as a general-purpose code browser, and our primary persistent product records are issue, enrichment, knowledge, and operational data rather than a browsable copy of your repository.
  • Pull request metadata – PR titles, descriptions, author, review status, and linked issue references, used to enrich context around commit history.
  • Repository metadata – repository name, default branch, visibility (public/private flag), language breakdown, and installation ID.

2c. Connected-system and workflow data

When a workspace enables Linkroot or related connected workflows, Ribix may ingest ticket metadata, message or conversation snippets, incident descriptions, relationship data, and workflow references from configured services such as Slack, Discord, Linear, or Jira. We process only the data made available by the relevant integration path and workspace configuration.

2d. CLI and debug workflow data

When you use the Ribix CLI or debugging workflows, we may process prompts, repository identifiers, investigation context, trace references, and workflow outputs submitted through those product surfaces. Depending on the action, that can include locally derived context intentionally sent to the service to support issue, PR, or incident analysis.

2e. Waitlist and contact form data

When you submit a waitlist or contact form, we collect the information you provide: email address, name, company name, team size, and any free-text fields you complete (e.g., answers about your triage pain points or bug examples). This data is stored in our form processing provider's systems and in our internal records.

2f. Usage and telemetry data

We automatically collect information about how you use the Services, including: pages visited, features used, button clicks, dashboard navigation paths, CLI and investigation activity, API request counts, and enrichment quality signals (e.g., whether you marked an enrichment as helpful or unhelpful). This data helps us understand product usage and improve the Services.

2g. Technical and log data

Our servers and hosting infrastructure automatically log: IP addresses, HTTP request/response metadata, browser type and version, operating system, referrer URLs, and error traces. These logs are used for security monitoring, debugging, and abuse detection.

2h. Cookies and similar technologies

We use session cookies to maintain your authenticated session after you log in, whether by email/password or GitHub OAuth. We may use limited analytics cookies or local storage to remember UI preferences. We do not use third-party advertising cookies or sell data to ad networks. You can configure most browsers to refuse cookies, though this may break authenticated features.

3. How We Use Information

  • Providing and operating the Services – processing issues through the GitHub App, generating and posting Enrichments, powering the dashboard, CLI, PR and incident workflows, and maintaining your Account and Workspace.
  • Improving accuracy and quality – using anonymized or aggregated usage signals and explicit feedback (thumbs-up/down on Enrichments) to refine our ranking logic and product quality.
  • Communicating with you – sending product updates, waitlist notifications, security alerts, and billing notices to your Account email address. You may unsubscribe from marketing emails at any time.
  • Security and abuse prevention – detecting, investigating, and blocking fraudulent, unauthorized, or illegal use of the Services.
  • Legal compliance – fulfilling legal obligations, responding to lawful government requests, and enforcing our Terms of Service.

4. AI Processing

How product data is processed by AI. When Ribix handles an issue, PR brief, incident workflow, or CLI/debug request, it extracts relevant context and sends a structured payload to a third-party AI model provider to generate model-assisted output. Depending on the flow, that payload can include issue text, commit and blame metadata, related-issue summaries, candidate file paths, prompts, incident context, and limited code snippets derived from relevant files. We attempt to filter secrets and other unsafe material from issue bodies before model calls.

AI model training. We do not use your issue content or repository data to train our proprietary AI models on a per-customer basis without explicit consent. We may use aggregated, anonymized enrichment quality signals (e.g., feedback ratings) to improve our internal ranking and scoring logic. Queries sent to third-party AI providers are governed by those providers' data-use policies (see Section 6 on sharing and service providers).

Output accuracy. AI-generated Enrichments are probabilistic and may be wrong. They are not legal, security, or engineering advice. See our Terms of Service for liability limitations.

5. Legal Bases for Processing (EEA / UK Visitors)

Where the GDPR or UK GDPR applies, we rely on the following legal bases:

  • Contract performance – processing necessary to provide the Services you have signed up for (e.g., authenticating your Account, posting Enrichments to your issues).
  • Legitimate interests – security monitoring, fraud prevention, product analytics, and improving the Services, where our interests do not override your rights.
  • Consent – for marketing emails and, where required, analytics cookies. You may withdraw consent at any time.
  • Legal obligation – responding to lawful government requests or court orders.

6. Sharing and Service Providers

We share information only as described below. We do not sell personal data to third parties.

Infrastructure and hosting. Your Account data and Workspace data are stored in our database hosted on Supabase (PostgreSQL) and our web application is hosted on Vercel. Our backend enrichment service runs on Railway. All providers are contractually bound to process data only on our instructions and to maintain appropriate security safeguards.

AI model provider. Issue content and git metadata are sent to OpenAI for Enrichment generation and related model-assisted workflows. OpenAI processes this data under its API data processing terms. We do not intentionally send personal data beyond what is already present in issue text, prompts, incident context, or commit metadata relevant to the workflow.

Form processing. Waitlist and contact form submissions are processed by Formspree, subject to Formspree's privacy policy.

Billing. Billing and customer-portal workflows are handled through Stripe.

GitHub. As a GitHub App, Ribix receives and posts data via the GitHub API. GitHub processes data as described in GitHub's privacy policy. Ribix is not affiliated with GitHub.

Optional connected systems. If your workspace enables Slack, Discord, Linear, Jira, or similar workflow integrations, Ribix will process data from those systems only for the enabled workspace flows.

Legal disclosures. We may disclose information if required by law, subpoena, court order, or governmental authority, or if we believe in good faith that disclosure is necessary to protect the rights, property, or safety of Ribix, our users, or the public.

Business transfers. If Ribix is acquired, merges, or sells all or substantially all of its assets, your information may be transferred as part of that transaction. We will notify you via email or prominent site notice before your data becomes subject to a different privacy policy.

7. Data Retention

  • Account and Workspace data – retained for the life of your Account and deleted within 90 days of verified closure or account termination, except where a longer retention period is required by law.
  • Enrichment records – retained for as long as your Workspace is active and for up to 90 days after closure. Enrichment content is also posted publicly or privately to your GitHub Issues as a comment, which persists on GitHub independently of Ribix's systems.
  • Git history metadata and repository cache data – retained in our systems for as long as needed to power semantic search, related-issue features, blame, and repository intelligence. Deleted within 90 days of repository disconnection or account closure.
  • Connected-system, CLI, and debug workflow data – retained for as long as needed to support the active workflow record and deleted under the normal workspace retention lifecycle unless a longer period is required by law or separately agreed in writing.
  • Waitlist and contact data – retained until you request deletion or unsubscribe, subject to legal holds.
  • Log data – retained for up to 90 days for security and debugging purposes.

8. Security

We implement reasonable technical and organizational security measures including: TLS encryption in transit, encryption at rest for database storage, access controls and role-based permissions, and regular security reviews. We also use Supabase's row-level security features to isolate Workspace data. That said, no method of transmission over the internet is 100% secure. We cannot guarantee absolute security and you use the Services at your own risk with respect to security.

A higher-level description of our current control areas and incident reporting path is available on our Security page.

If we become aware of a data breach that affects your personal data and that is likely to result in a risk to your rights, we will notify you in accordance with applicable law (e.g., within 72 hours for GDPR-covered breaches where feasible).

9. Your Rights and Choices

9a. General rights

Regardless of your location, you may:

  • Access and update some Account information through the dashboard where available, or by contacting us;
  • Delete your Account and associated data by contacting us at mindcore.official.dev@gmail.com, or by using any supported self-serve closure flow we later make available;
  • Opt out of marketing emails by clicking the unsubscribe link in any marketing email or contacting us.

9b. EEA and UK residents (GDPR / UK GDPR)

If you are located in the European Economic Area or the United Kingdom, you have the following additional rights under the GDPR or UK GDPR:

  • Right of access – to obtain a copy of your personal data we hold;
  • Right to rectification – to correct inaccurate or incomplete data;
  • Right to erasure ("right to be forgotten") – to request deletion under certain conditions;
  • Right to restriction – to request we limit processing in certain circumstances;
  • Right to data portability – to receive data you provided to us in a machine-readable format;
  • Right to object – to processing based on legitimate interests or for direct marketing;
  • Right to withdraw consent – where processing is consent-based, you may withdraw at any time without affecting prior lawful processing.

To exercise these rights, contact us at mindcore.official.dev@gmail.com. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.

9c. California residents (CCPA / CPRA)

If you are a California resident, you have the right to:

  • Know what personal information we collect, use, disclose, and sell (we do not sell personal information);
  • Delete personal information we have collected, subject to certain exceptions;
  • Correct inaccurate personal information;
  • Opt out of the sale or sharing of personal information for cross-context behavioral advertising (we do not engage in this);
  • Non-discrimination – we will not discriminate against you for exercising these rights.

To exercise these rights, contact us at mindcore.official.dev@gmail.com. We will verify your identity before fulfilling requests.

10. International Data Transfers

Ribix operates primarily from the United States. If you access the Services from outside the US, your information may be transferred to, stored, and processed in the US or other countries where our service providers operate. For transfers of personal data from the EEA, UK, or Switzerland to the US, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) as adopted by the European Commission, or other transfer mechanisms permitted under applicable law.

11. Children

The Services are not directed to children under 16. We do not knowingly collect personal data from children under 16. If you believe we have inadvertently collected such data, please contact us at mindcore.official.dev@gmail.com and we will promptly delete it.

12. Do Not Track

We do not respond to "Do Not Track" (DNT) browser signals, as there is no industry standard for what DNT means in practice. We limit our tracking to what is described in this policy.

13. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will provide at least 30 days' advance notice via email to your Account address, in-app notification, or prominent site notice. Continued use of the Services after the updated policy takes effect constitutes acceptance. If you do not agree to the updated policy, stop using the Services and contact us to request account or workspace closure before the effective date.

14. Contact, DPA, and Trust Requests

For privacy questions, rights requests, or to request a Data Processing Agreement:

We aim to respond to all privacy requests within 30 days. For complex requests, we may extend this period by up to two additional months and will notify you of the extension.

Current public trust material is also available on our Security page.

Back to home

See productStart beta