Privacy Policy

Last updated: 2026-04-26

Data controller

The data controller for personal data collected via Inlinr is Thibault Fayard, reachable at contact@inlinr.com.

Guiding principle

Inlinr is designed to minimize collection. No source-code line ever leaves your machine. IDE plugins send only metadata: file path (relative to the repository), language, editor, git branch, and the optional presence of an AI assistant. File contents are never collected.

Data we collect

• Identity & account — email, name, and avatar from GitHub (via OAuth), GitHub handle, subscription plan.
• Coding activity — heartbeats sent by plugins (file path, language, editor, branch, duration, AI attribution), manual entries (meetings, calls, etc.), commits imported from GitHub if integration is enabled.
• Billing — for Pro users: name, billing address, optional VAT number, country of residence, Stripe customer ID. Card data is handled exclusively by Stripe; Inlinr never sees and never stores it.
• Technical logs — IP address at sign-in (rotated after 30 days), browser user-agent, device identifier for IDE plugins.

Purposes of processing

• Provide the time-tracking service and produce the related statistics.
• Manage paid subscriptions, invoicing, and accounting/tax obligations.
• Authenticate user sessions and connected devices (IDE plugins).
• Communicate with users (opt-in weekly digest, transactional notifications, customer support).
• Detect and prevent payment fraud (via Stripe Radar).

Legal bases (GDPR art. 6)

• Performance of the contract — for data strictly necessary to provide the Service (account, activity, Pro billing).
• Legal obligation — for retention of invoices (10 years, French Commercial Code art. L123-22) and VAT records.
• Legitimate interest — for technical logs (Service security) and fraud prevention.
• Consent — for the weekly digest (revocable from Settings) and for the public stats page at /u/<handle> (explicit opt-in in settings).

Retention

• File-level heartbeats — 6 months (Free) or 12 months (Pro); beyond that, anonymized daily aggregation.
• Aggregated daily summaries — for the lifetime of the account.
• Billing data — 10 years after the last transaction (accounting obligation).
• Connection logs — 30 days.
• Full account deletion — on request to contact@inlinr.com or via Settings → Delete account. Billing data is kept as inactive archives for the legal duration.

Sub-processors (GDPR art. 28)

Inlinr relies on the following sub-processors, all bound by GDPR-compliant Data Processing Agreements:

• Hetzner Online GmbH — application and database hosting. Server location: Germany (EU).
• Stripe Payments Europe Ltd. — payment and tax processing. PCI DSS Level 1 compliant, based in Ireland (EU).
• Resend — transactional email delivery (digest, notifications). Hosted in the United States; transfers framed by Standard Contractual Clauses (SCC).
• GitHub Inc. — OAuth identity provider. No data is shared with GitHub beyond authentication; the public profile (handle, avatar) is fetched at sign-in.

Your rights

Under the GDPR you have the following rights regarding your data:

• Access — obtain a copy of all your data. Exportable at any time from the dashboard (CSV / JSON per project, iCal for manual entries).
• Rectification — correct an inaccurate piece of data (email, name, etc.) from Settings.
• Erasure — delete your account and all your data (except for accounting archives kept by legal obligation).
• Restriction & objection — you may object to a specific processing (e.g. disable the weekly digest in Settings).
• Portability — retrieve your data in a structured format (JSON) via /api/v1/export/<projectId>?format=json.

To exercise these rights, write to contact@inlinr.com. A response will be sent within 30 days.

Cookies

Inlinr uses only strictly necessary cookies (session cookie for authentication). No advertising cookies, no third-party analytics tools (Google Analytics, etc.). Under French CNIL deliberation 2020-091, no prior consent is required for these cookies.

Security

Data is stored on servers located in the European Union, encrypted at rest and in transit (TLS 1.3). Passwords are not stored (authentication is via GitHub OAuth or device tokens for plugins only). Backups are encrypted and kept for 30 days.

Complaints

If you believe the processing of your data does not comply with the GDPR, you may lodge a complaint with the French data-protection authority (CNIL): cnil.fr/en/plaintes.