Privacy Policy

Last updated: February 28, 2026

1. What We Collect

When you create an account, we collect your GitHub username, email address, and avatar URL through GitHub OAuth. We generate an API key for your account and store a SHA-256 hash of it — we do not store plaintext API keys.

When you use the Dealgo API, we log governance decisions including: agent identifier, action intent, verdict, risk score, decision hash, and timestamp. These logs form your tamper-evident audit chain and are necessary for the service to function.

2. How We Use Your Data

  • To authenticate your API requests and manage your account
  • To enforce governance policies on agent actions
  • To maintain your tamper-evident audit chain
  • To enforce usage quotas based on your subscription tier
  • To send escalation notifications when founder approval is required
  • To process billing through Stripe

3. What We Do Not Do

  • We do not sell your data to third parties
  • We do not use your governance data to train AI models
  • We do not share agent decision logs with other tenants
  • We do not store plaintext API keys or credentials
  • We do not track you across third-party websites

4. Data Storage & Security

Your data is stored in PostgreSQL databases hosted on Neon (US-East-1). All connections use TLS encryption. API keys are stored as SHA-256 hashes and verified using timing-safe comparison. Audit chains use HMAC-SHA256 for tamper evidence. See our Security page for full architectural details.

5. Data Retention

Governance decision logs are retained according to your configured retention policy. Enterprise customers can set custom retention periods per tenant. Account data is retained while your account is active and deleted within 30 days of account closure.

6. Third-Party Services

  • GitHub — OAuth authentication
  • Stripe — Payment processing (we do not store card details)
  • Sentry — Error monitoring (no PII in error reports)
  • Resend — Transactional email delivery
  • Upstash — Rate limiting (stores request counts, no content)

7. Your Rights

You may request export or deletion of your data at any time by contacting privacy@dealgo.io. We will respond within 30 days.

8. Changes to This Policy

We will notify registered users of material changes to this policy via email. Continued use of the service after notification constitutes acceptance.

9. Contact

For privacy-related questions, contact privacy@dealgo.io.