Privacy Policy
Last updated: 26 June 2026
This Privacy Policy explains how BytesBrains Pte Ltd ("BytesBrains", "we", "us"), a company incorporated in Singapore, handles information in connection with wrokin — the wrokin GitHub App and the dashboard at app.wrok.in (the "Service"). Our company website is bytesbrains.com.
1. Who is responsible
For account and billing data we act as the data controller. For your repository content that the Service processes to do its work, you (or your organisation) are the controller and we act as your processor — see our Data Processing Addendum.
2. What we process
- Account & installation data — your GitHub account/organisation identifiers, the repositories you install the Service on, and plan/billing status (from GitHub Marketplace).
- Repository content — when an agent runs, we read the relevant files, diffs, issues and pull requests needed for that task, and (for the Builder) write code via pull requests. Source code may contain personal data; we treat it as such.
- Your LLM API keys (BYOK) — stored encrypted at rest, scoped to your installation, never logged, and never shown back to you (only a
…last4hint). - Operational data — a record of agent runs (role, status, timing) for your dashboard and our diagnostics.
3. Why we process it (lawful basis)
To provide and operate the Service you requested (performance of a contract), to secure and improve it (legitimate interests), and to comply with law. Under Singapore's PDPA we rely on consent and the legitimate-interests/business-improvement exceptions; for EU/UK users, Art. 6(1)(b)/(f) GDPR; for India, the applicable bases under the DPDP Act, 2023.
4. Bring Your Own Key (BYOK)
You connect your own key for an LLM provider you choose. When an agent runs, the relevant repository context is sent to that provider, using your key, under your account and that provider's terms. We do not mark up or meter inference, and we are a conduit for that transfer — see sub-processors below.
5. Sub-processors
| Sub-processor | Purpose | Location |
|---|---|---|
| Cloudflare, Inc. | Hosting (Workers, KV, D1, Queues, Pages) | Global edge |
| The LLM provider you select — Anthropic, OpenAI, Google, Mistral, DeepSeek, or OpenRouter | Processing repository context to produce agent output, using your BYOK key | Varies (often US) |
We maintain the current list in the DPA and will give notice of changes.
6. No training on your code
We do not use your repository content to train models. Whether your selected LLM provider trains on inputs is governed by your own account and plan with that provider; we do not control that and you should review your provider's terms.
7. Retention
- Repository content is processed transiently. A "Scout" context bundle is cached for up to ~7 days per commit to let your agents share it, then expires.
- Encrypted BYOK keys are retained until you remove them or uninstall the App.
- Agent-run records and account data are retained while your installation is active and for a reasonable period afterwards, then deleted or anonymised.
- Uninstalling the App revokes our access immediately.
8. International transfers
We are based in Singapore and use providers that may process data outside your country (e.g. the US). Where required we rely on appropriate safeguards (such as Standard Contractual Clauses). Under BYOK, transfers to your selected LLM provider are directed by you to your own provider account.
9. Security
BYOK keys are encrypted at rest; every tenant's data is scoped to its installation; keys are never logged. The Service is not a substitute for your own security review, and we do not claim end-to-end encryption, SOC 2, or that "we never see your code". See our honest description of what the Service does in the dashboard.
10. Your rights
Subject to applicable law (Singapore PDPA; GDPR for EU/UK; India DPDP Act), you may request access to, correction of, or deletion of your personal data, and may withdraw consent. Contact us at contact@bytesbrains.com. You may also lodge a complaint with your local data-protection authority.
11. Cookies & local storage
The dashboard stores your session token in your browser's sessionStorage to keep you signed in. We do not use advertising or cross-site tracking cookies.
12. Changes
We may update this policy; we'll change the "Last updated" date and, for material changes, provide notice. Continued use after changes means you accept them.
13. Contact
BytesBrains Pte Ltd, Singapore — contact@bytesbrains.com · bytesbrains.com