This Privacy Policy explains how DevSignal ("we," "our," or "us") collects, uses, and protects your information when you use our service. We are committed to protecting your privacy and being transparent about our data practices.
1. Information We Collect
1.1 Account Information
When you sign up for DevSignal, we collect:
- GitHub username and email address (via GitHub OAuth)
- GitHub organization memberships
- Session identifier
1.2 Activity Metadata from Connected Tools
When you connect tools to DevSignal, we access the following metadata via their official APIs:
- GitHub: pull request titles, descriptions, status, and review state; commit messages and metadata; code review comments and status; issue titles, descriptions, and status; repository and organization metadata.
- Linear: issue titles, descriptions, status; comment text; cycle and project metadata; team membership.
- Slack: channel and thread metadata; message text within channels you have authorized for the DevSignal bot; user display name and email for users active in those channels.
Important: We do not access, read, store, or analyze your actual source code. We only process activity metadata — information about what was done, not the code itself. We do not access private direct messages in Slack.
1.3 Usage Data
We collect limited usage data to improve our service:
- Token consumption per signal or brief
- Generation timestamps
- Feature usage patterns (anonymized)
2. How We Use Your Information
We use the information we collect to:
- Generate signals, briefs, and structured reports based on your activity metadata
- Authenticate your identity and maintain your session
- Track and manage your token usage and quota
- Improve and optimize the service
- Communicate with you about your account and service updates
3. Data Storage and Retention
3.1 Generated Content
Generated signals, briefs, and reports are stored in your workspace and are accessible only to you and members of your workspace. They are retained until you delete them or close your account.
3.2 Activity Metadata
Recent activity metadata (last 90 days by default) is stored in our Supabase Postgres database to power signal generation. Older events age out automatically. Raw events that are not material to a signal are not retained beyond the rolling window.
3.3 Authentication Tokens
OAuth refresh tokens for connected tools (GitHub, Linear, Slack) are stored encrypted at rest in our database. Application sessions are managed by Supabase Auth with rotating refresh tokens. We never expose tokens to client-side JavaScript.
4. AI Processing
We use Anthropic's Claude API to analyze your activity metadata and generate signals and briefs. When processing your data:
- Only the activity metadata relevant to a candidate signal is sent — not source code, not raw refresh tokens, and not your full activity history
- By Anthropic's API terms, prompts and completions submitted via the API are not used to train their models
- AI processing occurs on-demand and is not retained by the AI provider after processing
- No DevSignal model is trained on customer data; per-team learning happens in our own per-tenant scoring layer in Postgres, not in any model weights
5. Data Sharing
We do not sell, trade, or rent your personal information. We may share your information only in the following circumstances:
- Service Providers: We use third-party services that process data on our behalf under standard data protection terms. The full list is published on our Security page (Vercel, Supabase, Anthropic, plus the connected source tools).
- Legal Requirements: We may disclose your information if required by law, regulation, legal process, or governmental request.
- Business Transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction.
6. Data Security
We implement appropriate technical and organizational measures to protect your information, including:
- Postgres Row Level Security (RLS) ensuring multi-tenant data isolation by workspace
- OAuth refresh tokens encrypted at rest
- TLS 1.3 encryption for all data in transit
- No client-side exposure of sensitive credentials
- Regular security reviews and updates
For more detail on our security posture, see the Security page.
7. Your Rights
You have the following rights regarding your data:
- Access: You can request a copy of the data we hold about you by emailing security@devsignal.app.
- Deletion: You can delete your account and all associated data from your account settings; this triggers our delete_user_only Postgres procedure which removes user-scoped rows in a single transaction.
- Portability: You can export your generated signals and briefs at any time.
- Revoke Access: You can revoke DevSignal's access to a connected tool at any time through that tool's settings (GitHub, Linear, or Slack), or from your DevSignal Settings page.
8. Cookies
We use only essential cookies required for the service to function:
- Authentication session cookie: Maintains your logged-in state via Supabase Auth
- Refresh token cookie: Secure, httpOnly cookie for session renewal
We do not use tracking cookies, advertising cookies, or third-party analytics cookies.
9. Children's Privacy
DevSignal is not intended for use by anyone under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have collected personal information from a child under 13, we will take steps to delete that information.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Last updated" date. Your continued use of the service after any changes constitutes acceptance of the updated policy.
11. Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us at:
hello@devsignal.app for general inquiries, or security@devsignal.app for data subject requests.