Privacy Policy
Last updated: March 9, 2026
Summary
Invariant Systems, Inc. ("we", "us", "our") respects your privacy. We collect almost nothing, store almost nothing, and sell nothing. This policy covers invariantsystems.io and the AIIR open-source tool.
What AIIR collects
Nothing. AIIR runs entirely on your machine. It makes zero network calls in default mode. It does not phone home, send telemetry, or collect any data. Receipts are generated locally and stored wherever you configure — your repo, your CI artifacts, your filesystem.
When you enable Sigstore signing, AIIR communicates with the public Sigstore infrastructure (Fulcio, Rekor) to obtain a short-lived certificate and log the signature. This is a direct interaction between your machine and Sigstore — Invariant Systems is not an intermediary and does not receive any data from this process.
What this website collects
Analytics
We use Plausible Analytics, a privacy-focused, cookie-free, GDPR-compliant analytics service. Plausible does not use cookies, does not collect personal data, and does not track users across websites. All data is aggregated — we see page view counts, not individual visitors.
Email signups
If you voluntarily subscribe to product updates, we store your email address to send product announcements. To prevent abuse and enforce rate limiting, the signup process also records your IP address, country (from Cloudflare headers), and a truncated user-agent string (first 200 characters). This data is stored in Cloudflare Workers KV with a 365-day TTL and is automatically deleted after expiry. We never share this data with third parties. You can request deletion at any time by emailing noah@invariantsystems.io.
Cookies
This website does not set any cookies. No tracking cookies, no session cookies, no analytics cookies. Zero.
What we do NOT collect
- Source code — AIIR receipts contain commit metadata and diff hashes, never source code
- Personal data beyond what is described in the Email signups section above
- Usage telemetry from the CLI, GitHub Action, GitLab component, or MCP server
- IP addresses in analytics — Plausible does not log individual IP addresses (note: the signup endpoint records IP addresses for rate limiting as described above)
- Browsing history or cross-site tracking data
Third-party services
| Service | Purpose | Data shared |
|---|---|---|
| Plausible Analytics | Aggregate website analytics | Page URLs, referrers (no personal data) |
| GitHub Pages | Website hosting | Standard HTTP request logs (GitHub's policy applies) |
| Cloudflare | DNS, edge caching, and signup worker | Standard HTTP request processing; signup worker stores email, IP, country, truncated UA in Workers KV (365-day TTL) (Cloudflare's policy) |
| PyPI | Package distribution | Package downloads are public; PyPI's privacy policy applies |
| Sigstore | Code signing (opt-in) | OIDC identity + signature, logged publicly in Rekor |
Data retention
Email signup records (including associated IP, country, and truncated user-agent data) are stored with a 365-day TTL in Cloudflare Workers KV and are automatically deleted after expiry. You can request early deletion by emailing noah@invariantsystems.io. Plausible analytics data is retained according to Plausible's data policy. We do not maintain any other user databases.
GDPR and international users
This website is GDPR compliant by design: no cookies, no cross-site tracking, and minimal data collection. The only personal data we process is what you voluntarily provide through the email signup form (email, IP address, country, and truncated user-agent — stored for 365 days as described above). We process this data under the GDPR lawful basis of consent (Article 6(1)(a)); you may withdraw consent and request deletion at any time. Plausible Analytics is EU-hosted, does not collect personal data, and does not transfer data outside the EU. If you are in the EEA and have questions about your data or wish to exercise your rights under GDPR, contact us at noah@invariantsystems.io.
Children's privacy
Our services are not directed at children under 13. We do not knowingly collect personal information from children.
Changes to this policy
We may update this policy from time to time. Changes will be posted on this page with an updated "Last updated" date. Material changes will be noted in our product update emails.
Contact
Questions about this privacy policy? Contact us at noah@invariantsystems.io.
Invariant Systems, Inc.
Delaware, USA