Privacy Policy & License Agreement

Last updated: May 27, 2026

Applies to Yulio CLI v1.2.4.

1. Introduction

Welcome to Yulio Labs (“we”, “our”, or “us”). We are committed to protecting your personal data and respecting your privacy. This Privacy Policy explains how we collect, use, and safeguard your information when you visit our website or use the Yulio CLI.

By using our services, you agree to the collection and use of information in accordance with this policy. Our practices are designed to comply with global privacy standards, including the Personal Data Protection Act (PDPA) and the General Data Protection Regulation (GDPR).

2. Zero-Knowledge Security & API Keys

Strict Zero-Storage Policy

Yulio servers never see your GitHub Personal Access Token, Vercel token, or MongoDB Atlas API key. All third-party credentials are stored locally on your machine at ~/.yulio/config.json with file mode 0600 (owner read/write only), and are used exclusively to call the relevant provider APIs directly from your machine.

Our architecture is intentionally designed to maximize security and keep you in full control. The generated code belongs to you, runs on your infrastructure, and communicates directly with your chosen third-party providers without routing through our servers.

What stays on your machine:

  • GitHub Personal Access Token — used only to call api.github.com.
  • Vercel token — used only to call api.vercel.com.
  • MongoDB Atlas API key pair — used only to call the Atlas Administration API.
  • Yulio JWT tokens — sent only to api.yuliolabs.com to authenticate Yulio account requests.
  • Your generated code — written to your local filesystem and committed to your own Git repository. Yulio does not retain copies of generated code.
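
To confirm the storage claim in this section on your own machine, the following added example (not Yulio's code) checks the credential file's mode and ownership. The symlink and parent-directory checks are assumptions that go beyond what this policy states; they are included because a writable parent directory lets another account replace the file.

```python
import os
import stat

def audit_credential_file(path):
    """Return findings for a credential file that should be owner-only (0600)."""
    try:
        st = os.lstat(path)  # lstat: inspect the entry itself, not a link target
    except FileNotFoundError:
        return ["missing"]
    if stat.S_ISLNK(st.st_mode):
        return ["is a symlink"]  # tokens may live outside the expected directory

    findings = []
    mode = stat.S_IMODE(st.st_mode)
    if mode != 0o600:
        findings.append(f"mode is {mode:04o}, expected 0600")
    if st.st_uid != os.getuid():
        findings.append("not owned by the current user")

    # Assumption beyond the policy text: a group/world-writable parent
    # directory allows the file to be swapped even when its own mode is 0600.
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    if stat.S_IMODE(parent.st_mode) & 0o022:
        findings.append("parent directory is group/world-writable")
    return findings

if __name__ == "__main__":
    target = os.path.expanduser("~/.yulio/config.json")  # path from this policy
    for finding in audit_credential_file(target) or ["ok"]:
        print(f"{target}: {finding}")
```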

3. Data Collection & PDPA Compliance

Under the PDPA and applicable privacy frameworks, we collect only the minimal necessary personal data required to provide our services:

  • Account Information: Name, email address, and authentication data (e.g. via OAuth) when you register for a premium tier or support.
  • Authenticated API requests: Login, token refresh, and module entitlement checks are sent to api.yuliolabs.com over HTTPS. We may retain authenticated request metadata for billing and abuse prevention.
  • CLI version header: Each CLI request includes the yulio-cli version string for compatibility checks. No machine identifiers, no IP fingerprinting, no usage telemetry beyond version + authenticated requests.
  • Payment Details: Processed securely by our payment gateway partners (e.g. Stripe). We do not store your full credit card information on our servers.

You maintain full rights to access, rectify, or request the deletion of your personal data. See section 9 (Account deletion) for how to exercise these rights.

4. Software Licensing

The Yulio CLI operates under a hybrid licensing model:

  • Generated Code: Code generated onto your machine by the Yulio CLI is yours. You hold full intellectual property rights to your specific product implementation and may use it for unlimited commercial purposes.
  • Open Source Modules: Certain starter templates and core CLI tools are open source and governed by their respective licenses (e.g. MIT).
  • Premium CLI Components: The proprietary premium UI components, advanced architecture patterns, and the internal engine of the premium CLI are licensed to you on a per-seat or per-team basis. Redistribution or resale of the core premium Yulio CLI files as a competing starter kit or boilerplate is strictly prohibited.

The generated code contains no analytics SDKs, no tracking pixels, and no calls back to Yulio infrastructure. Once you scaffold a project, it operates entirely independently of Yulio — you can revoke your Yulio subscription and your running application is unaffected.

Want to see what production-ready code from Yulio looks like? Browse the free reference starters: NestJS · Next.js.

5. Network Egress

Every external host the Yulio CLI contacts during normal operation, and the credential attached (if any):

Host | Triggered by | Credential
api.github.com | auth setup/update, deploy | GitHub PAT
api.vercel.com | auth setup/update, deploy | Vercel token
cloud.mongodb.com | auth setup, db setup | Atlas keys (HTTP Digest)
api.yuliolabs.com | login, refresh, add, manifest fetch | Yulio JWT (where required)
github.com | deploy (git push) | GitHub PAT (per-command)
api.ipify.org | db setup (IP detection for Atlas allowlist) | none
registry.npmjs.org | every CLI invocation (cached 12h); npm install during scaffold | none

Disable update notifications by setting NO_UPDATE_NOTIFIER=1 in your environment.
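
Because the CLI source is not public, the table in this section can be checked against traffic you capture yourself. The following added example (not Yulio's code) flags any observed connection that departs from it; the observation tuple format and the sample records are constructed assumptions, to be fed from your own proxy or DNS log.

```python
# Hosts, triggers and credentials transcribed from the section 5 table.
# Value: (listed triggers, or None for "every CLI invocation"; credential listed?)
DISCLOSED = {
    "api.github.com":     ({"auth setup", "auth update", "deploy"}, True),
    "api.vercel.com":     ({"auth setup", "auth update", "deploy"}, True),
    "cloud.mongodb.com":  ({"auth setup", "db setup"}, True),
    "api.yuliolabs.com":  ({"login", "refresh", "add", "manifest fetch"}, True),
    "github.com":         ({"deploy"}, True),
    "api.ipify.org":      ({"db setup"}, False),
    "registry.npmjs.org": (None, False),
}

def normalize(host):
    """Lowercase, drop a trailing dot and any :port suffix."""
    return host.strip().lower().split(":", 1)[0].rstrip(".")

def audit(observations):
    """observations: iterable of (trigger, host, credential_attached)."""
    findings = []
    for trigger, host, has_credential in observations:
        name = normalize(host)
        entry = DISCLOSED.get(name)  # exact match only, never suffix match
        if entry is None:
            findings.append((name, "undisclosed host"))
            continue
        triggers, credential_listed = entry
        if triggers is not None and trigger not in triggers:
            findings.append((name, f"contacted during '{trigger}', not a listed trigger"))
        if has_credential and not credential_listed:
            findings.append((name, "credential sent to a host listed with none"))
    return findings

# Constructed sample records, not captured from a real run.
SAMPLE = [
    ("deploy", "api.github.com:443", True),
    ("db setup", "api.ipify.org", False),
    ("login", "API.YulioLabs.com.", True),
    ("deploy", "api.ipify.org", False),
    ("add", "registry.npmjs.org", True),
    ("add", "api.github.com.cdn.example.net", True),
]

if __name__ == "__main__":
    for host, reason in audit(SAMPLE):
        print(f"{host}: {reason}")
```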

6. Token Scopes Required

  • GitHub Personal Access Token: repo scope (full control of private repositories). Generate at github.com/settings/tokens.
  • Vercel access token: Project access scoped to your team. Generate at vercel.com/account/tokens.
  • MongoDB Atlas API key: Project Owner role on the organization. Generate at cloud.mongodb.com under Organization Access Manager.

You can revoke any token at any time from the respective provider’s dashboard. After revocation, run yulio auth update to provide a fresh token.

7. Known Limitations

  • Plaintext credential file. ~/.yulio/config.json stores third-party tokens in plaintext. File permissions are 0600 (owner read/write only), but any process running as your user can read it. We do not use macOS Keychain, Windows Credential Manager, or Linux Secret Service today. Roadmap: v1.5.
  • GitHub PAT-based authentication. Browser-based OAuth flow is on the roadmap for v1.4 — it will replace persistent PAT storage with short-lived OAuth tokens.
  • No two-factor authentication on Yulio accounts today. Roadmap: v1.4.
  • The Yulio CLI source is not currently public. We may open-source it in the future. Until then, security-conscious users should evaluate based on documented behavior and the network egress disclosed in section 5.

8. Compliance Posture

Yulio is an early-stage product (v1.2.4, May 2026). We do not hold SOC 2, ISO 27001, HIPAA, or formal GDPR certifications. We follow industry-standard practices: TLS 1.2+ for all network traffic, password hashing on the backend, credential storage on your machine restricted by OS-level file permissions, and no transmission of secrets in plaintext.

For regulated workloads (PHI, PCI primary storage, enterprise contracts requiring formal certifications), Yulio is not the right fit today. We will pursue SOC 2 Type I as the user base grows.

9. Account Deletion (GDPR / PDPA)

Email privacy@yuliolabs.com with subject “Delete my account” from your registered email address. We delete your account record and associated logs within 7 days. A self-service DELETE /api/users/me endpoint is on the roadmap for v1.4.

10. Vulnerability Disclosure

Found a security issue? Email privacy@yuliolabs.com. We respond within 24 hours. Please don’t file public issues for security reports — coordinated disclosure benefits all users.

11. Third-Party Services

We may employ third-party companies and individuals to facilitate our service (“Service Providers”), provide the service on our behalf, perform service-related tasks, or assist us in analyzing how our service is used. These third parties have access to your Personal Data only to perform these tasks on our behalf and are obligated not to disclose or use it for any other purpose. The hosts the CLI contacts directly are disclosed in section 5.

12. Policy Updates

We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the “Last updated” date at the top of this document. You are advised to review this Privacy Policy periodically for any changes.

13. Contact Us

If you have any questions about this Privacy Policy, licensing terms, or our data security practices, please contact us: