Privacy Policy
How DirectiveOps collects, uses, and protects personal and operational data in connection with the hosted service.
Last updated: 2026-01-01
1. Scope
This Privacy Policy describes how DirectiveOps ("we," "us," "our") processes personal and other data when You use our hosted service ("Service"). It applies to data we collect through the Service, our website, and in connection with support and sales. The open-source CLI scanner runs locally and does not send data to us unless You configure it to do so. This policy does not apply to data processed by GitHub or other third parties under their own policies.
2. Data we collect
We collect: (a) account and profile information (e.g., name, email, GitHub identifier) when You sign in or manage Your organization; (b) repository metadata and instruction-file content necessary to perform scanning, drift detection, and rollout operations; (c) usage and audit data related to the Service; (d) billing and payment information as needed for subscription management; (e) communications and support correspondence. We obtain repository and instruction-file data via the DirectiveOps GitHub App in accordance with the GitHub App Data Access Disclosure.
3. Purpose and lawful basis
We process data to provide, operate, and improve the Service; to enforce our terms and policies; to communicate with You; and to comply with legal obligations. Where applicable law requires a lawful basis, we rely on performance of a contract (providing the Service), legitimate interests (security, analytics, product improvement), consent where we ask for it explicitly, and legal obligation where required.
4. Retention
We retain account, repository, findings, rollout, and audit data for the duration of Your subscription and in accordance with Your Plan (e.g., history retention days). After termination, we may retain data as necessary for legal, audit, or dispute resolution purposes, and we may delete or anonymize data in accordance with our data retention schedule. Specific retention periods are described in the Data Processing Addendum where applicable. By category: account and profile data for the life of the account plus a reasonable period after closure; repository and instruction-file content for the retention period specified in Your Plan; usage and audit logs as required for security and compliance, typically not longer than the Plan retention or as required by law; billing records as required for tax and accounting, typically seven (7) years or as required by applicable law; support correspondence for the duration of the matter plus a reasonable period.
5. Sharing and subprocessors
We do not sell Your personal data. We may share data with service providers who act as subprocessors (e.g., hosting, payment processing, email). Our current subprocessors are listed in the Subprocessor List. We may disclose data where required by law or to protect rights and safety. In the event of a merger or acquisition, data may be transferred as part of that transaction.
5.1 International transfers
Your data may be processed in the United States or in other countries where we or our subprocessors operate. If You are located in the European Economic Area (EEA), United Kingdom, or another jurisdiction that requires a lawful transfer mechanism, we implement appropriate safeguards. These may include the European Commission's Standard Contractual Clauses (SCCs), the UK International Data Transfer Agreement or UK Addendum, adequacy decisions where applicable, or other mechanisms approved by the relevant authority. Details and copies of the transfer mechanisms we use are available in our Data Processing Addendum or upon request at hello@directiveops.dev.
6. Your rights
Depending on Your jurisdiction, You may have rights to access, correct, delete, restrict processing, port data, or object to processing. You may exercise these by contacting us at hello@directiveops.dev or through Your account settings. You may also have the right to lodge a complaint with a supervisory authority. We will respond to valid requests within the timeframes required by applicable law (e.g., 30 days under GDPR for most requests; 45 days under CCPA, with a possible 45-day extension where permitted).
6.1 California residents (CCPA / CPRA)
If You are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) may afford You additional rights. Categories of personal information we collect: identifiers (e.g., name, email, GitHub identifier); commercial information (e.g., subscription, billing); internet or network activity (e.g., usage, logs); professional or employment-related information (e.g., organization); and inferences drawn from the above. We collect these categories for the purposes described in Section 3. We do not sell personal information as defined under the CCPA/CPRA. We do not share personal information for cross-context behavioral advertising. You have the right to know what personal information we collect, use, and disclose; to delete personal information subject to certain exceptions; to correct inaccurate personal information; to limit use and disclosure of sensitive personal information to purposes permitted by law; and to non-discrimination for exercising these rights. To submit a request: email hello@directiveops.dev with "CCPA Request" in the subject line, or use the contact method in Your account. We may verify Your identity before fulfilling a request. You may designate an authorized agent subject to verification requirements under the CCPA/CPRA.
7. Security
We implement appropriate technical and organizational measures to protect data against unauthorized access, alteration, disclosure, or destruction. Details are set out in our Security Policy.
8. Contact
Data controller: DirectiveOps. For privacy inquiries: hello@directiveops.dev. For the contact address, see the Contact and Legal Notice document.