Privacy
Policy

We collect information in three ways:

A — Directly from You

• Account credentials — your email address and password, stored securely via Supabase Auth.
• Ticket content — user stories, acceptance criteria, and technical design documents you paste or import into the Service.
• Integration credentials — OAuth tokens and API keys for Jira, Linear, GitHub, GitLab, and TestRail connections.
• TestRail credentials — your TestRail domain, email, and API key when you connect that integration.

B — Automatically

• Usage data — features used, test cases generated, and interactions with the Service.
• Log data — IP address, browser type, operating system, and request timestamps.
• Session data — authentication session tokens managed by Supabase.

C — From Third-Party Integrations

When you connect external tools, we access only the data necessary to provide the Service:

• Jira — issue content, titles, descriptions, acceptance criteria, and sprint metadata.
• Linear — issue content, cycle data, and team metadata.
• GitHub — issue content and repository metadata from URLs you provide.
• GitLab — repository access for configuring Auto-QA webhooks on merge requests.
• TestRail — project and test suite metadata needed to push generated test cases.

We use the information we collect to:

• Provide, operate, and improve the Service — including generating AI-powered test cases from your ticket content.
• Process and store your test runs in your personal workspace history.
• Authenticate your identity and maintain your session securely.
• Store specific historical bugs that you manually link to failed test runs to improve future AI generation.
• Push generated test suites to connected integrations on your behalf.
• Monitor Service performance, diagnose errors, and prevent abuse.
• Communicate with you about your account or material changes to this policy.

Your account data and saved test runs are stored in a Supabase-managed PostgreSQL database. Integration credentials (OAuth tokens, API keys) are stored encrypted at rest.

We retain your data for as long as your account is active. You may delete individual test runs from your History at any time. You may request full account deletion by contacting us at privacy@alloyqa.com.

The Service integrates with and relies on the following third-party providers:

• Supabase — database, authentication, and storage infrastructure.
• Google Gemini API — Enterprise-tier AI model used for test case generation.
• Jira / Atlassian, Linear, GitHub, GitLab, TestRail — external platforms you choose to connect.

Each third-party service is governed by its own privacy policy. We are not responsible for their data practices. We only transmit the minimum data required to perform the action you request.

We do not sell, rent, or trade your personal information. We share data only in the following limited circumstances:

• With your connected third-party integrations, at your explicit direction (e.g., pushing test cases to TestRail).
• With our AI provider (Google Cloud) to process ticket content for test case generation, under a strict enterprise data processing agreement that guarantees your data is never used to train their foundational models.
• With service providers who help us operate the platform, under confidentiality obligations.
• If required by law, regulation, or valid legal process, or to protect the rights and safety of AlloyQA and its users.
• In connection with a merger, acquisition, or sale of assets — we will notify you before your data is transferred.

When you connect Jira, Linear, GitHub, or GitLab via OAuth, we store the resulting access and refresh tokens in your user_integrations record, encrypted at rest. These tokens are used exclusively to perform actions you initiate within the Service.

You can revoke any integration at any time from the Integrations settings panel. Disconnecting removes the stored tokens from our database. You should also revoke access from the provider's own settings to fully terminate the connection.

The Service uses session cookies managed by Supabase Auth to keep you logged in. We do not use third-party advertising cookies or tracking pixels.

To prevent data loss if you accidentally refresh your page, your active working session (such as drafted test cases or loaded ticket data) is temporarily held in your browser's sessionStorage. This data remains strictly local to your device and is automatically erased by your browser the moment you close the tab or window. We do not use persistent localStorage for sensitive ticket data.

Depending on your jurisdiction, you may have the right to:

• Access — request a copy of the personal data we hold about you.
• Correction — request that we correct inaccurate or incomplete data.
• Deletion — request that we delete your account and associated data.
• Portability — request your saved test runs in a machine-readable format.
• Objection — object to certain processing activities.

To exercise any of these rights, contact us at privacy@alloyqa.com. We will respond within 30 days.

The Service is not directed at children under the age of 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will delete it promptly.

We implement enterprise-grade security measures including encryption in transit (TLS/HTTPS), encrypted storage of sensitive credentials, and strict Row Level Security (RLS) to ensure absolute tenant data isolation across our databases.

However, no method of transmission over the internet is 100% secure. We encourage you to use strong, unique passwords and to revoke integration tokens promptly if you suspect unauthorized access.

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy with a revised effective date. Your continued use of the Service after changes are posted constitutes acceptance. For significant changes, we will make reasonable efforts to notify you by email.

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please reach out: