Legal

Privacy Policy

AlloyQA | Effective April 19, 2026 | 12 sections

This Privacy Policy explains how AlloyQA ("we," "us," or "our") collects, uses, stores, and shares information when you use our AI-powered ticket review and QA planning platform at alloyqa.com ("Service"). By using the Service, you agree to the practices described in this policy.

01

Information We Collect

We collect information in three ways:

A — Directly from You

  • Account credentials — your email address and password, stored securely via Supabase Auth.
  • Ticket content — user stories, acceptance criteria, solution designs, and related documentation you paste or import into the Service.
  • Integration credentials — OAuth tokens and API keys for Atlassian (Jira and Confluence), Linear, GitHub, GitLab, and TestRail connections.
  • TestRail credentials — your TestRail domain, email, and API key when you connect that integration.
  • Billing information — if you subscribe to a paid plan, payment, billing, and transaction details are collected and processed by Paddle, our billing and payment provider.

B — Automatically

  • Usage data — features used, reviews generated, findings and test cases viewed or saved, and interactions with the Service.
  • Log data — IP address, browser type, operating system, and request timestamps.
  • Session data — authentication session tokens managed by Supabase.

C — From Third-Party Integrations

When you connect external tools, we access only the data necessary to provide the Service:

  • Atlassian (Jira and Confluence) — Jira issue content, titles, descriptions, acceptance criteria, linked issue metadata, and linked Confluence page content or metadata needed to build review context.
  • Linear — issue content, cycle data, and team metadata.
  • GitHub — issue, pull request, and repository metadata from URLs or integrations you provide.
  • GitLab — issue, merge request, and repository metadata from URLs or integrations you provide.
  • TestRail — project and test suite metadata needed to push generated test cases or related QA artifacts.

02

How We Use Your Information

We use the information we collect to:

  • Provide, operate, and improve the Service — including importing story context from connected tools and generating findings, supporting test cases, regression guidance, and related QA outputs from that context.
  • Process and store saved reviews, published runs, review history, and related workspace activity.
  • Authenticate your identity and maintain your session securely.
  • Support team workflows such as shared reviews, comments, mentions, visibility controls, and review state where those features are available in your plan or workspace.
  • Use saved stories, saved review context, similar past defects, and related review outputs to improve future reviews and regression guidance.
  • Push generated test suites or related QA outputs to connected integrations on your behalf.
  • Monitor Service performance, diagnose errors, and prevent abuse.
  • Communicate with you about your account, subscriptions, billing, or material changes to this policy.

We do not use your ticket content or generated findings and test cases to train AI models without your explicit consent.

03

Data Storage & Retention

Your account data and saved reviews are stored in a Supabase-managed PostgreSQL database. Integration credentials (OAuth tokens, API keys) are stored encrypted at rest.

We retain your data for as long as your account is active. You may delete individual saved reviews from your history at any time. You may request full account deletion by contacting us at privacy@alloyqa.com.

Unsaved in-session data — including review findings, generated test cases, and drafted ticket context that you do not save — may be held temporarily in your browser's memory only and is not persisted as saved history until you choose to save it.

04

Third-Party Services

The Service integrates with and relies on the following third-party providers:

  • Supabase — database, authentication, and storage infrastructure.
  • Google Cloud Vertex AI — enterprise AI infrastructure used to generate findings, test cases, context normalization, regression guidance, and related QA outputs.
  • Paddle — payment processing, subscription management, billing portal, invoicing, and related tax handling for paid plans.
  • Atlassian (Jira and Confluence), Linear, GitHub, GitLab, TestRail — external platforms you choose to connect.

Each third-party service is governed by its own privacy policy. We are not responsible for their data practices. We only transmit the minimum data required to perform the action you request.

05

Data Sharing

We do not sell, rent, or trade your personal information. We share data only in the following limited circumstances:

  • With your connected third-party integrations, at your explicit direction (for example, loading Jira issues and linked Confluence context from Atlassian or pushing test cases to TestRail).
  • With our AI provider (Google Cloud Vertex AI) to process ticket and review context for findings, test case generation, context shaping, and related QA guidance, under enterprise data-processing terms intended to prevent your content from being used to train shared foundation models.
  • With Paddle to process payments, manage subscriptions, calculate taxes, issue invoices, and operate the hosted billing portal for paid plans.
  • With service providers who help us operate the platform, under confidentiality obligations.
  • If required by law, regulation, or valid legal process, or to protect the rights and safety of AlloyQA and its users.
  • In connection with a merger, acquisition, or sale of assets — we will notify you before your data is transferred.

06

OAuth Tokens & Integration Security

When you connect Atlassian (Jira and Confluence), Linear, GitHub, or GitLab via OAuth, we store the resulting access and refresh tokens in your user_integrations record for personal workspaces or team_integrations for shared team workspaces, encrypted at rest. These tokens are used exclusively to perform actions you initiate within the Service.

You can revoke any integration at any time from the Integrations settings panel. Disconnecting removes the stored tokens from our database. You should also revoke access from the provider's own settings to fully terminate the connection.

07

Cookies & Local Storage

The Service uses session cookies managed by Supabase Auth to keep you logged in. We do not use third-party advertising cookies or tracking pixels.

We use PostHog analytics to understand how AlloyQA is used. No cookies, no personal data, no ads.

To prevent data loss if you accidentally refresh your page, your active working session (such as pasted ticket content, generated findings, test cases, or in-progress review context) may be temporarily held in your browser's sessionStorage. This data remains strictly local to your device and is automatically erased by your browser when the tab or window is closed. We do not use persistent localStorage for sensitive ticket data.

08

Your Rights & Choices

Depending on your jurisdiction and applicable law, you may have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Correction — request that we correct inaccurate or incomplete data.
  • Deletion — request that we delete your account and associated data.
  • Portability — request your saved reviews in a machine-readable format.
  • Objection — object to certain processing activities.

These rights may vary depending on your location and applicable law. To exercise any of these rights, contact us at privacy@alloyqa.com. We will respond within 30 days.

09

Children's Privacy

The Service is not directed at children under the age of 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will delete it promptly.

10

Security

We implement enterprise-grade security measures including encryption in transit (TLS/HTTPS), encrypted storage of sensitive credentials, and strict Row Level Security (RLS) designed to enforce tenant data isolation across our databases.

However, no method of transmission over the internet is 100% secure. We encourage you to use strong, unique passwords and to revoke integration tokens promptly if you suspect unauthorized access.

11

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy with a revised effective date. Your continued use of the Service after changes are posted constitutes acceptance. For significant changes, we will make reasonable efforts to notify you by email.

12

Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please reach out:

Company: AlloyQA
Email: privacy@alloyqa.com
Website: alloyqa.com
Last updated: April 19, 2026