Privacy Notice

How ActionsManager Self-Hosted Beta handles your data.

Table of contents
  1. Where Data is Stored
  2. What the Application May Store
  3. Secrets and Credentials
  4. Telemetry and External Calls
  5. Backups and Deletion
  6. Related Topics

Note: This notice describes the current self-hosted beta behavior. It is product documentation, not legal advice. Privacy terms for any future Cloud/SaaS or paid offering will be reviewed and published separately before launch.

Where Data is Stored

The self-hosted beta runs on infrastructure controlled by the operator. ActionsManager stores application data in the user-configured database for that deployment:

  • Default: SQLite stored in the mounted application data volume
  • Optional: PostgreSQL, where configured by the operator

The operator controls where this infrastructure runs and who has access to it.

What the Application May Store

Depending on how the application is used, stored data may include:

  • GitHub account identifiers, usernames, avatar URLs, and related profile metadata
  • Repository names, organization or owner names, project configuration, workflow YAML, workflow state, and configuration metadata
  • Pull request metadata, branch names, workflow rollout state, drift-detection state, and audit or webhook metadata needed by enabled features
  • License tier metadata derived from a configured self-hosted LICENSE_KEY, when present

Secrets and Credentials

Repository secret values are not stored locally by ActionsManager. Secret names or metadata may be tracked where needed to support repository and environment secret management.

Operators must protect:

  • GitHub OAuth client secrets
  • Saved personal access tokens
  • Local environment variables and .env.self-hosted files
  • Database files and backups
  • Webhook secrets, license keys, and any optional external API keys

Never commit a real .env file or token to source control.

Telemetry and External Calls

The self-hosted beta does not include documented product telemetry, crash reporting, or phone-home analytics.

The application does call external services that the operator configures or explicitly uses:

  • GitHub APIs for authentication and repository/workflow operations
  • Optional AI features — if an operator configures an external API key (e.g., OPENAI_API_KEY), prompts or workflow-generation data may be sent to that provider. Do not configure external API keys if you do not want those features to make external API calls.

Backups and Deletion

Self-hosted operators control database backups, retention, access, and deletion. Review backups before sharing logs or support bundles, as they may contain repository metadata, workflow YAML, pull request metadata, credentials metadata, and other configuration details.