Contents

01. Information We Collect
02. How We Use Your Information
03. Data Storage & Retention
04. Third-Party Services
05. Data Sharing
06. OAuth Tokens & Integration Security
07. Cookies & Local Storage
08. Your Rights & Choices
09. Children's Privacy
10. Security
11. Changes to This Policy
12. Contact Us

Legal

Privacy Policy

AlloyQA
Effective June 8, 2026
12 sections

This Privacy Policy explains how AlloyQA collects, uses, stores, and shares information when you use AlloyQA.

AlloyQA is a quality intelligence platform for delivery workflows. It helps teams review tickets when they move through workflow statuses, prepare approved ticket updates, generate QA coverage from finalized requirements, check PRs and MRs against finalized requirements and QA plans, and build team memory from accepted rules and bug patterns. The Service is available at alloyqa.com ("Service"). By using the Service, you agree to the practices described in this policy.

AlloyQA does not silently rewrite connected tickets or post PR/MR implementation check comments without your team's approval or configured workflow rules. Ticket updates are prepared for review and written back only after approval by your team, unless you explicitly configure a different workflow.

01. Information We Collect

We collect information in three ways:

A — Directly from You

  • Account credentials — your email address and password, stored securely via Supabase Auth.
  • Ticket, QA, and implementation content — issue titles, descriptions, acceptance criteria, comments, workflow status, linked context, approved updates, answered decisions, QA coverage, PR/MR metadata, diffs, changed files, test-change signals, implementation check results, and related metadata from tickets or repositories you create, paste, import, or connect through Jira, Linear, GitHub, GitLab, or other enabled integrations.
  • Integration credentials — OAuth tokens and API keys for Atlassian (Jira and Confluence) and Linear connections, and where enabled, other tools like GitHub, GitLab, or TestRail.
  • Billing information — if you subscribe to a paid plan, payment, billing, and transaction details are collected and processed by Paddle, our billing and payment provider.

B — Automatically

  • Usage data — features used, reviews generated, findings and test cases viewed or saved, and interactions with the Service.
  • Log data — IP address, browser type, operating system, and request timestamps.
  • Session data — authentication session tokens managed by Supabase.

C — From Third-Party Integrations

When you connect external tools, we access only the data necessary to provide the Service:

  • Atlassian Jira and Linear — issue content, workflow status, comments, team/project metadata, and related context needed to create reviews, post review links, and update tickets when approved.
  • GitHub and GitLab — pull request or merge request metadata, changed files, diffs, test-change signals, comments, repository metadata, and linked issue references needed to run implementation checks and post status comments.
  • Other Integrations (where enabled) — Jira Service Management, Confluence, GitHub, GitLab, or TestRail details if you explicitly choose to connect these systems.

02. How We Use Your Information

We use the information we collect to:

  • Run ticket reviews when configured workflow statuses change.
  • Generate suggested updates, open decisions, QA coverage, regression checks, exploratory areas, and test data.
  • Run implementation checks when configured PRs or MRs are opened or updated.
  • Compare PR/MR diffs, changed files, and test-change signals against finalized requirements and QA coverage.
  • Post implementation check comments or status summaries to connected GitHub or GitLab PRs/MRs.
  • Post short review comments, implementation check comments, or links to connected Jira, Linear, GitHub, or GitLab work items.
  • Prepare ticket updates for your team to approve before writing them back.
  • Store approved updates, answered decisions, review history, and locked review snapshots.
  • Build team memory from accepted rules, approved decisions, and bug patterns to improve future reviews.
  • Authenticate your identity and maintain your session securely.
  • Monitor Service performance, diagnose errors, and prevent abuse.
  • Communicate with you about your account, subscriptions, billing, or material changes to this policy.

We do not use your ticket content or generated findings and test cases to train AI models without your explicit consent.

03. Data Storage & Retention

Your account data, saved reviews, and active team workspace configurations are stored in a Supabase-managed PostgreSQL database. Integration credentials (OAuth tokens, API keys) are stored encrypted at rest.

When your team finalizes a review or runs an implementation check, we may store the original ticket snapshot, accepted updates, answered decisions, final approved ticket update, QA coverage, PR/MR metadata, changed-file summaries, implementation check results, provider issue or PR/MR ID, timestamp, and related workspace activity for audit, history, and future review context.

We retain your data for as long as your account is active. You may delete individual saved reviews from your history at any time. You may request full account deletion by contacting us at privacy@alloyqa.com.

Unsaved in-session data — including review findings, generated test cases, and drafted ticket context that you do not save — may be held temporarily in your browser's memory only and is not persisted as saved history until you choose to save it.

04. Third-Party Services

The Service integrates with and relies on the following third-party providers:

  • Supabase — database, authentication, and storage infrastructure.
  • Google Cloud Vertex AI — enterprise AI infrastructure used to generate ticket reviews, suggested updates, open decisions, final ticket updates, QA coverage, summaries, and memory extraction.
  • Paddle — payment processing, subscription management, billing portal, invoicing, and related tax handling for paid plans.
  • Atlassian (Jira and Confluence) and Linear — core workflow platforms we connect to.
  • Other integrations (where enabled) — such as GitHub, GitLab, or TestRail.

Each third-party service is governed by its own privacy policy. We are not responsible for their data practices. We only transmit the minimum data required to perform the action you request.

05. Data Sharing

We do not sell, rent, or trade your personal information. We share data only in the following limited circumstances:

  • With connected third-party integrations, at your direction, such as reading Jira or Linear issue content, posting short review comments, or updating tickets after your team approves changes (or other integrations like pushing test results to TestRail where enabled).
  • With our AI provider (Google Cloud Vertex AI) to process ticket and review context for findings, test case generation, context shaping, and related QA guidance, under enterprise data-processing terms intended to prevent your content from being used to train shared foundation models.
  • With Paddle to process payments, manage subscriptions, calculate taxes, issue invoices, and operate the hosted billing portal for paid plans.
  • With service providers who help us operate the platform, under confidentiality obligations.
  • If required by law, regulation, or valid legal process, or to protect the rights and safety of AlloyQA and its users.
  • In connection with a merger, acquisition, or sale of assets — we will notify you before your data is transferred.

06. OAuth Tokens & Integration Security

When you connect Atlassian, Linear, GitHub, GitLab, TestRail, or other supported services via OAuth or API key, we store the resulting access and refresh tokens in your user_integrations record for personal workspaces or team_integrations for shared team workspaces, encrypted at rest. These tokens are used only to perform actions you initiate or configure within AlloyQA, such as reading issue context, responding to workflow status changes, reading PR/MR diffs, posting review or implementation check comments, sending QA coverage to test management tools, and updating tickets after approval.

You can revoke any integration at any time from the Integrations settings panel. Disconnecting removes the stored tokens from our database. You should also revoke access from the provider's own settings to fully terminate the connection.

07. Cookies & Local Storage

The Service uses session cookies managed by Supabase Auth to keep you logged in. We do not use third-party advertising cookies or tracking pixels.

We use PostHog analytics to understand how AlloyQA is used. We do not use advertising cookies or sell analytics data.

To prevent data loss if you accidentally refresh your page, your active working session (such as pasted ticket content, generated findings, test cases, implementation check results, or in-progress review context) may be temporarily held in your browser's sessionStorage. This data remains strictly local to your device and is automatically erased by your browser when the tab or window is closed. We do not use persistent localStorage for sensitive ticket data.

08. Your Rights & Choices

Depending on your jurisdiction and applicable law, you may have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Correction — request that we correct inaccurate or incomplete data.
  • Deletion — request that we delete your account and associated data.
  • Portability — request your saved reviews in a machine-readable format.
  • Objection — object to certain processing activities.

These rights may vary depending on your location and applicable law. To exercise any of these rights, contact us at privacy@alloyqa.com. We will respond within 30 days.

09. Children's Privacy

The Service is not directed at children under the age of 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will delete it promptly.

10. Security

We implement enterprise-grade security measures including encryption in transit (TLS/HTTPS), encrypted storage of sensitive credentials, and strict Row Level Security (RLS) designed to enforce tenant data isolation across our databases.

However, no method of transmission over the internet is 100% secure. We encourage you to use strong, unique passwords and to revoke integration tokens promptly if you suspect unauthorized access.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy with a revised effective date. Your continued use of the Service after changes are posted constitutes acceptance. For significant changes, we will make reasonable efforts to notify you by email.

12. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please reach out:

Company: AlloyQA
Email: privacy@alloyqa.com
Website: alloyqa.com

Last updated: June 8, 2026