§ 01
What we collect
When you use the Manticore GitHub Action or our hosted application, we collect:
- Your work email, used only to sign you in via magic link.
- The lockfile changes in pull requests you point us at: package names, versions, hashes.
- Organization and repository identifiers, so reports land in the right place.
- Aggregate usage metrics (job count, duration, verdict distribution) scoped to your organization.
§ 02
Why we collect it
To detonate the packages you pointed us at, write the verdict back to the right PR, and bill the right organization. That's the whole list.
§ 03
What we don't do
- We don't read your source code. We only analyze the third-party packages referenced by your lockfiles.
- We don't run trackers or analytics SDKs on this website. No Google Analytics, no Segment, no session replay.
- We don't sell customer data. We're offering behavioral intelligence software to analyze packages.
§ 04
Sandbox data
Packages we detonate are public by definition. The behavioral traces we produce (process trees, network endpoints, file accesses) describe the package, not your code. We may aggregate and publish these traces in our Intelligence feed to warn the ecosystem; your organization is never identified in that publication.
§ 05
Retention
Pull-request reports are retained for 90 days by default, or until you delete them. Sign-in logs are retained for 30 days. Aggregate usage metrics are retained indefinitely in anonymized form. Your organization's raw lockfiles are not stored after the detonation completes.
§ 06
Your rights
You can request export or deletion of all data associated with your organization at any time, in writing. We'll confirm within 30 days under GDPR and within the timelines mandated by your jurisdiction. Data-subject requests from EU residents: hello@tazarsec.dev.
§ 07
Contact
Data controller: TazarSec Oy, Jyväskylä, Central Finland.
Questions, requests, concerns, security disclosures: hello@tazarsec.dev.