Conversation
hwennnn
requested review from
EricMulhernTinyfish,
KateZhang98,
londondavila and
uttambharadwaj
📝 WalkthroughWalkthroughThe PRIVACY.md file has been restructured from a minimal privacy notice into a comprehensive privacy policy document. The update replaces a brief header and reference link with detailed sections covering: Personal Information Collection, Data Types, Data Usage, Third-Party Sharing, User Rights, Data Security, Data Retention, International Data Transfers, Children's Privacy, Updates, and Contact information. An explicit effective date has been added to the policy. This is a documentation-only change with no modifications to application code or control flow logic. 🚥 Pre-merge checks | ✅ 2✅ Passed checks (2 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing touches🧪 Generate unit tests (beta)
Tip Issue Planner is now in beta. Read the docs and try it out! Share your feedback on Discord. Comment |
londondavila
left a comment
londondavila
left a comment
There was a problem hiding this comment.
Lean on markdown-lint if you do not have it - helps format quickly
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Fix all issues with AI agents
In `@dify/PRIVACY.md`:
- Around line 7-64: Update the PRIVACY.md effective date to a past or current
date (not "December 14, 2025") under the "Effective Date" or top-of-document
header, and reconcile this document's scope with the official TinyFish AgentQL
policy: add the contact email info@tinyfish.io, name Stripe as the payment
processor, include a children's/privacy/age-restriction section, document
Standard Contractual Clauses (SCCs) or equivalent safeguards for international
transfers, and state cookie retention periods; alternatively, explicitly label
this file as a plugin-specific template and call out deviations from the AgentQL
policy so reviewers know it is intentionally different.
🧹 Nitpick comments (1)
dify/PRIVACY.md (1)
1-5: Add a canonical link to the published privacy policy to prevent drift.Since the PR objective references the public policy, include a direct link so the repo doc can be cross-checked and kept in sync.
| TinyFish Inc. ("TinyFish," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website, products, and services (collectively, the "Services"). | ||
|
|
||
| ## Personal Information Collection | ||
|
|
||
| We collect information that you provide directly to us when you register for an account, use our Services, communicate with us, or otherwise interact with TinyFish. We are transparent about what we collect and why. | ||
|
|
||
| ## Data Types Collected | ||
|
|
||
| We may collect the following types of information: | ||
|
|
||
| - **Registration Information:** Name, email address, company name, and account credentials when you create an account. | ||
| - **Device Information:** Device type, operating system, browser type, IP address, and unique device identifiers. | ||
| - **Usage Analytics:** Information about how you interact with our Services, including pages visited, features used, and time spent on our platform. | ||
| - **Cookies and Tracking:** We use cookies and similar technologies to recognize your browser or device, remember your preferences, and analyze usage patterns. | ||
| - **Payment Information:** Billing address and payment card details when you subscribe to our paid services. Payment processing is handled by third-party processors, and we do not store complete payment card information. | ||
|
|
||
| ## Data Usage | ||
|
|
||
| We use the information we collect to: | ||
|
|
||
| - **Provide Services:** Operate, maintain, and improve our Services, including processing your requests and providing customer support. | ||
| - **Marketing Communications:** Send you technical notices, updates, security alerts, and promotional messages (you may opt out at any time). | ||
| - **Fraud Prevention:** Detect, prevent, and address technical issues, security incidents, and fraudulent activity. | ||
| - **Legal Compliance:** Comply with applicable laws, regulations, and legal processes, or respond to lawful requests from public authorities. | ||
|
|
||
| ## Third-Party Sharing | ||
|
|
||
| We may share your information with third parties in the following circumstances: | ||
|
|
||
| - **Analytics Providers:** We work with third-party analytics services to understand how users interact with our Services. | ||
| - **Affiliates:** We may share information with our corporate affiliates for business purposes. | ||
| - **Payment Processors:** Payment information is shared with our payment processing partners to complete transactions. | ||
| - **Legal Requirements:** We may disclose information if required by law, court order, or governmental request. | ||
|
|
||
| We do not sell your personal information to third parties. | ||
|
|
||
| ## User Rights | ||
|
|
||
| Depending on your location, you may have certain rights regarding your personal information: | ||
|
|
||
| - **EU and UK Users:** Under GDPR, you have the right to access, correct, delete, or restrict processing of your personal data. You may also request data portability and object to certain processing activities. | ||
| - **California Residents:** Under CCPA, you have the right to know what personal information we collect, request deletion, and opt out of the sale of your information (though we do not sell personal information). | ||
| - **Other Jurisdictions:** You may have additional rights under applicable local laws. | ||
|
|
||
| To exercise your rights, please contact us using the information below. | ||
|
|
||
| ## Data Security | ||
|
|
||
| We implement appropriate technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. However, no method of transmission over the Internet or electronic storage is 100% secure, and we cannot guarantee absolute security. | ||
|
|
||
| ## Data Retention | ||
|
|
||
| We retain your personal information for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law. When we no longer need your information, we will securely delete or anonymize it. | ||
|
|
||
| ## International Data Transfers | ||
|
|
||
| Your information may be transferred to and processed in countries other than your country of residence. These countries may have data protection laws that differ from those of your country. We take appropriate safeguards to ensure your information remains protected in accordance with this Privacy Policy. | ||
|
|
There was a problem hiding this comment.
🧩 Analysis chain
🌐 Web query:
TinyFish Inc privacy policy data practices
💡 Result:
Tiny Fish, Inc. (TinyFish) describes these privacy/data practices in its Privacy Policy for AgentQL (effective August 13, 2024) [1]:
-
Data they collect
- You provide: account registration info (name, email), any information you submit through the service, support communications (and newsletter fields like company/job title), job-application info, and payment info is processed by Stripe (Tiny Fish may receive some related info from the processor) [1].
- Automatically: inferred general location (via IP), device/browser/OS info, and usage/activity data (pages/content viewed, timestamps) [1].
- Cookies/trackers: uses cookies/pixels/web beacons; lists “strictly necessary” cookies (e.g., session/auth) and analytics/performance cookies (e.g., product improvement), with retention periods shown (commonly 6 months for key cookies) [1].
- From third parties: if you link a third‑party account, it may receive profile and related info from that service [1].
-
How they use data
- Provide/maintain/improve services, personalize experience, analytics & product development, customer support/communications, marketing/advertising, deidentified/aggregated analytics, fraud prevention/security, and legal/compliance purposes [1].
-
How they share/disclose data
- With affiliates, vendors/service providers, customers/employers (if you use the service as part of a customer relationship), analytics providers (e.g., Google Analytics), for legal requests/safety, and during corporate transactions (merger/sale), or with your consent [1].
-
Your choices & rights
- Unsubscribe from marketing emails; describes EEA/UK rights (access, correction, deletion, portability, restrict/object, withdraw consent) and notes they may retain some data for backups, legal obligations, fraud prevention, etc. [1].
-
Retention, security, other notes
- Retains data only as long as needed for stated purposes (or longer if required by law); uses “reasonable” safeguards but cannot guarantee security; not directed to children under 13; services hosted in the U.S. and may transfer data internationally using mechanisms like Standard Contractual Clauses [1].
-
Contact
- Email: info@tinyfish.io; mailing address in Cupertino, CA [1].
Sources: AgentQL / Tiny Fish, Inc. Privacy Policy [1]; TinyFish Terms of Service (references/incorporates the Privacy Policy) [2].
🏁 Script executed:
# Check if dify is TinyFish's codebase and search for data collection/handling code
git ls-files | head -20Repository: tinyfish-io/tinyfish-web-agent-integrations
Length of output: 515
🏁 Script executed:
# Search for data collection, user tracking, analytics implementation
rg -i "(collect|track|analytics|telemetry|cookie)" --type js --type py --type ts | head -30Repository: tinyfish-io/tinyfish-web-agent-integrations
Length of output: 391
🏁 Script executed:
# Check for any references to privacy policy URLs or canonical sources
rg "privacy" -i | head -20Repository: tinyfish-io/tinyfish-web-agent-integrations
Length of output: 1638
🏁 Script executed:
# Look for payment/billing related code that might contradict "we do not store complete payment card information"
rg -i "(payment|card|billing)" --type js --type py --type ts | head -20Repository: tinyfish-io/tinyfish-web-agent-integrations
Length of output: 69
Fix effective date and verify policy scope alignment.
The effective date "December 14, 2025" is a future date and must be corrected. Additionally, this policy diverges significantly from the published TinyFish AgentQL Privacy Policy (effective August 13, 2024)—it omits contact email (info@tinyfish.io), specific payment processor details (Stripe), children's privacy restrictions, Standard Contractual Clauses for international transfers, and cookie retention periods. Clarify whether this is a plugin-specific template or should align with the official published policy before merging.
🤖 Prompt for AI Agents
In `@dify/PRIVACY.md` around lines 7 - 64, Update the PRIVACY.md effective date to
a past or current date (not "December 14, 2025") under the "Effective Date" or
top-of-document header, and reconcile this document's scope with the official
TinyFish AgentQL policy: add the contact email info@tinyfish.io, name Stripe as
the payment processor, include a children's/privacy/age-restriction section,
document Standard Contractual Clauses (SCCs) or equivalent safeguards for
international transfers, and state cookie retention periods; alternatively,
explicitly label this file as a plugin-specific template and call out deviations
from the AgentQL policy so reviewers know it is intentionally different.
3 participants
As per title, update the docs according to https://www.tinyfish.ai/privacy-policy