Infralyst Logoinfralyst

Privacy Policy

Last updated: 28 November 2025

This Privacy Policy explains how Infralyst ("we", "us", "our") collects, uses, and protects information when you use our website and products.

We've tried to write this in clear, straightforward language. This document is for information only and is not legal advice. If you have questions, you can always email us at [email protected].

1.Who we are

Infralyst is operated by:

Saankofi Limited (Hong Kong)
14/F Hill Lodge
1 Lok Fung Path
Fo Tan, New Territories
Hong Kong
Company number: 79143950

Infralyst helps engineering teams reduce cloud spend by turning under-utilized infrastructure into small, reviewable Terraform pull requests.

This Privacy Policy applies to:

  • The Infralyst web application at infralyst.io
  • The marketing site at infralyst.io
  • Our articles and documentation
  • Any other services that link to this policy

2.Information we collect

We collect information in three main ways:

  1. Information you give us directly
  2. Data we receive from services you connect to Infralyst (like AWS and GitHub)
  3. Usage and analytics data about how you use Infralyst

We describe each in more detail below.

2.1 Information you provide to us

When you create and use an Infralyst account, we collect:

  • Account details
    • Name (where provided)
    • Email address
    • Authentication details (e.g. magic link tokens, password hashes if you choose a password)
  • Workspace / organization details
    • Workspace / organization name
    • Workspace slug / external ID
    • Team membership and roles (e.g. owner, admin, member)
  • Billing and subscription information
    • Plan type (e.g. Free, Pro)
    • Subscription status and Stripe customer/subscription IDs
    • Optional tax information you provide (company name, billing address, tax ID type/value, verification status)

Payment card details themselves are handled by Stripe and never touch our servers.

  • Support and communication
    • Messages you send us by email or through the app
    • Your contact details and any information you choose to include in those messages

2.2 Data from your connected services

Infralyst is built to be read-only by design, with a narrow set of permissions. We use the minimum data needed to find cost-saving opportunities and generate safe, reviewable Terraform PRs.

AWS

When you connect AWS, you add the Infralyst Terraform module and configure a read-only IAM role for us to assume. We store:

  • AWS account IDs and a human-readable display name
  • The role ARN and connection status
  • Regions, services, and resource identifiers that are relevant to our analysis (for example, EC2 instance IDs, Auto Scaling Group names, cluster names)
  • Utilization metrics and configuration metadata for those resources (for example, CPU/memory usage, instance type, desired/min/max capacity, warm pool size)

We do not store your AWS access keys or secrets. Access is via role assumption.

GitHub & Terraform state

When you connect GitHub, we store:

  • GitHub organization, repo owner, and repo name for infrastructure repositories you select
  • Branch names we use to open PRs
  • Webhook IDs/secrets so we can receive relevant events
  • Terraform state mapping information, such as:
    • Which AWS accounts and projects a state file relates to
    • S3 bucket names, keys, and regions (for S3-backed state)
    • Filenames and paths for state files inside repos

We do not ingest your application code or Terraform module contents for any purpose other than cost-saving analysis and PR generation.

When a recommendation is implemented, we store:

  • Linked recommendation IDs
  • The pull request URL
  • Status (pending, PR created, merged, closed)

Slack (optional)

If you connect Slack for notifications and PR generation:

  • We store workspace/channel identifiers, destinations, and metadata needed to send notifications or trigger PRs.
  • We log which notifications were sent and when.
  • We do not index or store the full contents of your wider Slack workspace.

You can disconnect Slack at any time from your workspace settings.

2.3 Usage, analytics, and logs

To understand how Infralyst is used and keep the service reliable, we collect:

  • Session and device data
    • IP address
    • Browser user agent
    • Login timestamps
    • Basic device and browser information
  • Product usage data
    • Which pages/screens you visit
    • Which features you use (for example, connecting an AWS account, generating a PR, dismissing a recommendation)
    • Clicks, events, and timestamps

We use PostHog for product analytics and Sentry for error monitoring. We configure these tools to use IDs and metadata and avoid sending the contents of your infrastructure resources or other unnecessary data.

2.4 Cookies and similar technologies

We use cookies and similar technologies to:

  • Keep you signed in
  • Provide core app functionality
  • Measure simple product usage (via PostHog)
  • Improve reliability and performance

You can control cookies through your browser settings. If you block all cookies, some parts of Infralyst may not work correctly.

3.How we use your information

We use the information described above to:

  • Provide and operate Infralyst
    • Create and manage your account and workspaces
    • Connect to your AWS accounts, GitHub repos, and optional Slack workspace
    • Analyze infrastructure usage and configuration to detect cost-saving opportunities
    • Generate and track Terraform pull requests
  • Improve and develop the product
    • Understand which features are useful
    • Diagnose issues and errors
    • Plan improvements based on real usage patterns
  • Communicate with you
    • Send service-related emails (for example, onboarding, security notices, changes to policies)
    • Respond to your support requests
    • Share information about new features or updates (you can usually opt out of non-essential emails)
  • Billing and account management
    • Manage subscriptions, invoicing, and payments through Stripe
    • Handle upgrades, downgrades, and cancellations
  • Security, fraud prevention, and legal compliance
    • Monitor for suspicious or abusive activity
    • Investigate and respond to security issues
    • Comply with applicable laws and regulations

We do not sell your data or use it for third-party advertising.

5.How we share information

We share information only where necessary to provide the service, comply with the law, or protect our rights. In particular:

5.1 Service providers ("processors")

We use third-party providers to run Infralyst. Depending on how you use the service, your data may be processed by:

  • Hosting and infrastructure providers (for example, cloud hosting, databases, backups)
  • Analytics and error monitoring – PostHog and Sentry
  • Payment processing – Stripe
  • Email delivery – for example, AWS SES or similar providers

These providers act on our instructions and are only allowed to use your data to provide their services to us.

5.2 Business transfers

If we are involved in a merger, acquisition, financing, or sale of all or part of our business, your information may be transferred as part of that transaction, subject to appropriate confidentiality protections.

5.3 Legal and safety

We may disclose information if we reasonably believe it is necessary to:

  • Comply with applicable law, regulation, or legal process
  • Respond to lawful requests from public authorities
  • Protect the rights, property, or safety of Infralyst, our users, or others

We do not share your data with third parties for their own marketing purposes.

6.International data transfers

Infralyst is operated from Hong Kong, and some of our service providers may be located in other countries.

By using Infralyst, you understand that your information may be transferred to, stored in, and processed in countries that may have different data protection laws than your own. Where required, we take steps to ensure that appropriate safeguards are in place.

7.Data retention

We keep information only for as long as we need it for the purposes described in this policy, unless a longer retention period is required or permitted by law.

In general:

  • Account and workspace data
    • Kept for as long as your workspace is active.
    • If you delete your workspace, we delete or anonymize associated data within a reasonable period, subject to backup and log retention.
  • Infrastructure metrics and analyses
    • Detailed infrastructure metrics are typically kept for up to 12 months to support trends and safe rightsizing analysis, unless you delete your workspace sooner.
  • Logs and security-related data
    • Kept for a limited time to ensure security, troubleshoot issues, and maintain service reliability.
  • Billing and transaction records
    • Kept as long as necessary for accounting, tax, and legal obligations.

If you'd like more detail on how long we keep a specific type of data, you can contact us at [email protected].

8.Security

We take security seriously and design Infralyst to minimize access and permissions:

  • Read-only by design – Access to your AWS accounts is via narrowly scoped, read-only IAM roles. Apart from creating branches and PRs, everything we do is read-only.
  • Least privilege – Permissions for AWS, GitHub, and Slack are limited to what we need to provide the service.
  • Encryption – We use HTTPS to encrypt traffic in transit and encrypt sensitive data at rest.
  • Infrastructure – We run on managed infrastructure with up-to-date operating systems, libraries, and dependencies.
  • Access controls – Access to production systems is limited to authorized personnel and protected by authentication controls.

No method of transmission or storage is perfectly secure. However, we work to protect your information and improve our security practices over time.

If you believe you've found a security vulnerability, please email our security team at [email protected].

9.Your choices and rights

Depending on where you live, you may have certain rights over your personal data, such as:

  • Accessing the personal data we hold about you
  • Requesting correction of inaccurate information
  • Requesting deletion of your personal data
  • Objecting to or restricting certain types of processing
  • Porting your data to another service, where technically feasible

You can also:

  • Manage your account – Update your details from within the app.
  • Delete your workspace – Remove a workspace and associated data, subject to retention described above.
  • Unsubscribe from emails – Use the unsubscribe links in non-essential emails or contact us.

To exercise any of these rights, contact us at [email protected]. We may need to verify your identity before responding. We will respond within a reasonable time and in accordance with applicable laws.

10.Children's privacy

Infralyst is designed for professional use by adults. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact us so we can delete it.

11.Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

  • Update the "Last updated" date at the top
  • Where appropriate, notify you by email or through the app

Your continued use of Infralyst after a change means you accept the updated policy.

12.Contact us

If you have questions about this Privacy Policy or how we handle your data, please contact:

  • Email (general privacy & data questions): [email protected]
  • Email (security & vulnerabilities): [email protected]
  • Address: Saankofi Limited (Hong Kong), 14/F Hill Lodge, 1 Lok Fung Path, Fo Tan, New Territories, Hong Kong

We're happy to clarify how we handle data or discuss any concerns you may have.