Privacy Policy
How DirectiveOps collects, uses, and protects personal and operational data in connection with the hosted service.
Last updated: 2025-01-01
1. Scope
This Privacy Policy describes how DirectiveOps ("we," "us," "our") processes personal and other data when You use our hosted service ("Service"). It applies to data we collect through the Service, our website, and in connection with support and sales. The open-source CLI scanner runs locally and does not send data to us unless You configure it to do so. This policy does not apply to data processed by GitHub or other third parties under their own policies.
2. Data we collect
We collect: (a) account and profile information (e.g., name, email, GitHub identifier) when You sign in or manage Your organization; (b) repository metadata and instruction-file content necessary to perform scanning, drift detection, and rollout operations; (c) usage and audit data related to the Service; (d) billing and payment information as needed for subscription management; (e) communications and support correspondence. We obtain repository and instruction-file data via the DirectiveOps GitHub App in accordance with the GitHub App Data Access Disclosure.
3. Purpose and lawful basis
We process data to provide, operate, and improve the Service; to enforce our terms and policies; to communicate with You; and to comply with legal obligations. Where applicable law requires a lawful basis, we rely on performance of a contract (providing the Service), legitimate interests (security, analytics, product improvement), consent where we ask for it explicitly, and legal obligation where required.
4. Retention
We retain account, repository, findings, rollout, and audit data for the duration of Your subscription and in accordance with Your Plan (e.g., history retention days). After termination, we may retain data as necessary for legal, audit, or dispute resolution purposes, and we may delete or anonymize data in accordance with our data retention schedule. Specific retention periods are described in the Data Processing Addendum where applicable.
5. Sharing and subprocessors
We do not sell Your personal data. We may share data with service providers who act as subprocessors (e.g., hosting, payment processing, email). Our current subprocessors are listed in the Subprocessor List. We may disclose data where required by law or to protect rights and safety. In the event of a merger or acquisition, data may be transferred as part of that transaction.
6. Your rights
Depending on Your jurisdiction, You may have rights to access, correct, delete, restrict processing, port data, or object to processing. You may exercise these by contacting us at privacy@directiveops.dev or through Your account settings. You may also have the right to lodge a complaint with a supervisory authority. For California residents, see our CCPA-related disclosures in this policy or in a separate notice.
7. Security
We implement appropriate technical and organizational measures to protect data against unauthorized access, alteration, disclosure, or destruction. Details are set out in our Security Policy.
8. Contact
Data controller: DirectiveOps. For privacy inquiries: privacy@directiveops.dev. For the contact address, see the Contact and Legal Notice document.