ADO Pilot Privacy Policy
Last Updated: 2026-07-10
Effective Date: 2026-07-10
1. Introduction
Welcome to ADO Pilot ("we," "us," "our"). ADO Pilot provides AI-powered pull request review services for Azure DevOps ("Service"). We are committed to protecting your privacy and being transparent about how we handle your data.
This Privacy Policy explains:
- What data we collect and why
- How we process your source code
- Your rights and choices
- How we protect your information
Company Information:
- Legal Name: Glenn Technology LLC
- Address: 9039 Cross Park Dr, Ste 30458, Knoxville, Tennessee 37923, United States
- Privacy Contact: privacy@adopilot.dev
- Data Protection Officer: dpo@adopilot.dev
By using ADO Pilot, you agree to this Privacy Policy. If you don't agree, please don't use our Service.
Our Role Under Data Protection Law
Under GDPR and similar data protection laws, our role depends on the type of data:
- Account, billing, and usage data: We act as the data controller. We decide why and how this data (your account details, subscription and billing records, and aggregate usage metrics) is processed.
- Personal data in your source code and pull requests: We act as a data processor on your behalf. You (or your organization) are the data controller, and we process this data only to provide the review Service under your instructions.
For the personal data we process as your processor, our obligations are governed by a Data Processing Addendum (DPA), available on request from dpo@adopilot.dev.
2. What Data We Collect
We collect only the data necessary to provide and improve our Service.
2.1 Azure DevOps User Information
When you install and use ADO Pilot, we collect:
-
User Identity Data:
- Email address
- Display name
- Azure DevOps user ID
- Organization/project identifiers
-
Azure DevOps Metadata:
- Repository names and URLs
- Pull request metadata (PR number, title, author, creation date)
- Branch names
- Commit SHAs
Why we collect this: To authenticate users, associate reviews with the correct pull requests, and deliver review comments back to Azure DevOps.
<!-- AUTHORING-NOTE: NEEDS LEGAL/COUNSEL REVIEW before this ships to production. This "How we receive it" paragraph is an engineering draft describing real, already-implemented behavior: the "Sign in with Microsoft" SSO flow receives identity claims from Microsoft Entra ID, and the Azure DevOps browser extension sends a Microsoft-issued delegated access token to our backend to authorize user-initiated actions (reviewer-web/ado-integration/src/shared/ review-trigger.ts, install-notify.ts). Do not treat this paragraph as legally approved language. -->How we receive it: We receive this identity information directly from Microsoft during authenticated interactions with our Service and our Azure DevOps extension — for example, when you sign in to our portal using your Microsoft account (via Microsoft Entra ID), or when the extension takes an action on your behalf (such as manually triggering a review) using a short-lived, delegated access token that Microsoft issues to identify you. We use this identity information to authenticate you and authorize the specific action you request; where you install the extension into an organization that hasn't yet signed up for ADO Pilot, we also use the associated sign-in email for the installation outreach described in Section 2.5.
Legal basis (GDPR): Performance of contract (we need this to provide the Service you've subscribed to).
2.2 Source Code
What we process:
- Pull request diffs (changed files and line-by-line differences)
- File contents relevant to the pull request
- Commit messages and SHAs
Code Retention: Your source code is deleted from our systems immediately after each review. As an additional safeguard for the rare case a review doesn't finish cleanly, an automated process guarantees deletion of any remaining copy within seven days at most. Our AI provider (Anthropic) retains API inputs for a limited period — up to approximately 30 days — to operate the service and does not use them for training (see Section 4). We'll work with qualifying Enterprise customers to arrange a Zero Data Retention (ZDR) configuration under which neither we nor our subprocessors (including our AI provider) will retain your data at rest — contact sales@adopilot.dev to discuss your requirements.
No training: We will not use your source code to train AI models.
Legal basis (GDPR): Performance of contract (processing code is essential to providing AI PR reviews).
2.3 Usage Data and Analytics
We collect aggregated usage data to improve the Service:
-
Service Usage:
- Number of reviews performed
- Review duration and performance metrics
- Feature usage statistics
- Error logs and diagnostic information
-
Technical Data:
- Browser type and version
- Operating system
- IP address (for security and analytics)
- Time zone and language preferences
What we DON'T collect: We don't sell your personal information or build advertising/behavioral profiles. Our product analytics use a privacy-protective Google Analytics 4 configuration with advertising features off (see Section 10). Separately, if you arrive from a paid ad campaign (currently: Reddit Ads) and later sign up, we send Reddit a server-side signal — a Reddit-issued click identifier plus the fact that a signup occurred — so Reddit can measure and optimize that campaign; no client-side ad script or pixel of any ad network ever runs in your browser, and no name, email, or source code is ever sent. This only happens if you haven't opted out of Advertising (see Section 10).
<!-- AUTHORING-NOTE: NEEDS LEGAL/COUNSEL REVIEW before this ships to production. This sentence and the parallel Section 3, 5.5, 8.2, and 10.1/10.2 changes describe real, already-implemented behavior added alongside the Reddit Ads CAPI integration: reviewer-agent's reddit-conversions-api.ts sends a server-side conversion event (Reddit's Conversions API) from the Stripe subscription.created webhook, gated on the wizard having threaded an `rdtClickId` — which it does only when the new Advertising consent category resolves to granted (see lib/analytics.ts in both reviewer-web/public-website and reviewer-web/onboarding-wizard). No client-side Reddit pixel/script is loaded; the click id is captured by the site's own first-party code reading `?rdt_cid=` off the landing URL (reddit-click-id.ts), the same category of thing as the existing UTM/ gclid capture. Sending conversion data to an ad network for campaign optimization is treated here as CCPA/CPRA "sharing" for cross-context behavioral advertising (Section 8.2) even though no cookie of Reddit's is ever set — that characterization has NOT been reviewed by counsel. Do not treat this comment or the surrounding language as legally approved. -->Legal basis (GDPR): Legitimate interest (improving service quality and security).
2.4 Billing and Payment Information
If you subscribe to a paid plan:
-
Billing Data:
- Subscription tier and status
- Usage-based billing metrics
- Invoice history
-
Payment Information:
- For Azure Marketplace purchases: Microsoft handles payment processing. We only receive confirmation of your subscription status.
- For direct billing: Payment processing is handled by third-party payment processors. We never store credit card numbers directly.
Legal basis (GDPR): Performance of contract and legal obligation (tax and accounting compliance).
2.5 Communications Data
If you contact us or opt in to marketing:
- Public support form submissions — if you submit a request at app.adopilot.dev/support (no account required), we collect your name, email address, subject, category, and the description you provide. We also collect your IP address and browser user-agent to operate the Cloudflare Turnstile bot-detection widget that protects the form. This data is used solely to respond to your inquiry.
- Email correspondence with support
- Feedback and survey responses
- Marketing communication preferences
- Installation outreach — if you install the extension into an Azure DevOps organization that has not yet signed up for ADO Pilot, we use the sign-in email address associated with that installation to send a "getting started" email explaining how to complete setup, resent at most once every 30 days for as long as the organization remains unregistered. You can unsubscribe at any time via the link in that email, after which we will not email that address again for this purpose.
- Pre-signup convenience data — if you install the extension, or select a "Sign up" action inside the extension (in the Settings page or the pull-request action menu), before your organization has an ADO Pilot account, we briefly store the Azure DevOps sign-in email address and organization identifier associated with that action so we can pre-fill the signup form for you when you follow the link. This data is held in a short-lived store, is automatically deleted after 30 days regardless of whether you ever sign up, and is used only to make signing up faster — never to create an account on your behalf or to contact you beyond the installation-outreach email described above.
Legal basis (GDPR): Legitimate interest (for support communications, including the public form; for the installation outreach email above — our interest in helping an installer complete setup, balanced against the narrow, capped-frequency, easily-declined nature of the email; and for the pre-signup convenience data above — our interest in reducing signup friction, balanced against the short 30-day retention and the fact that the data is never used to contact you) and consent (for marketing).
3. How We Use Your Data
We use your data only for the following purposes:
3.1 To Provide the Service
- Authenticate users and organizations
- Fetch pull request data from Azure DevOps
- Perform AI-powered code reviews
- Post review comments and status checks back to Azure DevOps
- Manage subscriptions and billing
3.2 To Improve the Service
- Analyze aggregate usage patterns to identify bugs and performance issues
- Develop new features based on how customers use the Service
- Create anonymized benchmarks (e.g., "average review time across all customers")
Note: We never share customer-specific data or use individual customer data for marketing. All research and benchmarking uses anonymized, aggregate data only.
3.3 To Communicate With You
- Send transactional emails (review completed, errors, subscription changes, and account-security notices such as email-change alerts, sign-in links, and two-factor-authentication changes)
- Provide customer support
- Send product updates and feature announcements (you can opt out)
- If you install the extension before creating an account, send a "getting started" email to the installation's sign-in email address, resent at most once every 30 days while the organization stays unregistered (you can opt out via the link in that email)
- Respond to legal requests or enforce our Terms of Service
3.4 For Security and Compliance
- Detect and prevent fraud, abuse, and security incidents
- Comply with legal obligations (tax laws, data breach notifications, court orders)
- Enforce our Terms of Service
We will NEVER:
- Sell your data to third parties
- Use your source code to train AI models
- Share your code with anyone except our AI provider for the sole purpose of performing reviews
- Build advertising or behavioral profiles from your data, or use your product usage, account, or source-code data for advertising
One narrow exception: if you convert from a paid ad campaign and haven't opted out of Advertising, we send the ad network (currently: Reddit Ads) a bare "this ad click led to a signup" signal — see Section 2.3 and Section 5.5. No source code, name, or email is ever included, and no client-side ad script ever runs in your browser.
4. How We Handle Your Source Code
Your source code is your most sensitive asset. Here's exactly how we handle it:
4.1 How We Handle Source Code
Your raw source code is deleted from our systems immediately after each review. As an additional safeguard, an automated process guarantees deletion of any remaining copy within seven days at most. Here is the full picture, including our AI provider:
-
Fetch: When a PR is created/updated in Azure DevOps, our Service receives a webhook notification and fetches the PR diff from Azure DevOps using your organization's credentials.
-
Process: The code diff is sent to Anthropic's Claude API for AI-powered analysis. Anthropic retains API inputs and outputs for a limited period — up to approximately 30 days — to operate and secure the API, after which they are deleted. Anthropic does not use your code to train its models.
-
Delete: Once the review is complete and posted back to Azure DevOps, the code diff is deleted from our systems immediately. As an additional safeguard, an automated process guarantees deletion of any remaining copy within seven days at most, even if a review doesn't finish cleanly. We do not cache code, store it "for performance," or retain it "for troubleshooting" beyond that. If we need to re-review a PR, we fetch it fresh from Azure DevOps.
Processing duration on our systems: Your code is written to temporary, encrypted, access-controlled storage only for the duration of the review, and is deleted immediately once the review completes. An automated safeguard guarantees deletion of any remaining copy within seven days at most, even if a review doesn't finish cleanly.
Review results: The review comments, findings, and summaries we generate (which are derived from, but are not, your source code) are stored in your account so you can view your review history. They remain until you delete them or your account (see Section 7).
Zero Data Retention (Enterprise): We'll work with qualifying Enterprise customers to arrange a Zero Data Retention (ZDR) configuration under which neither we nor our subprocessors (including our AI provider) will retain your data at rest. Contact sales@adopilot.dev to discuss your requirements.
4.2 Security Measures for Code in Transit
While your code is being processed:
- Encryption in transit: All data is transmitted over TLS 1.2+ (HTTPS)
- Encryption at rest: Code written to disk during processing is encrypted using Azure-managed keys
- Memory isolation: Code processing happens in isolated, ephemeral compute environments
- No logging: Source code is never written to application logs
4.3 No AI Model Training
We do not, and will not, use your private source code to train AI models. This applies to:
- Our own potential future models
- Anthropic's models (Anthropic has contractual commitments to not train on customer data)
- Any third-party AI providers we may use
Note: If you make a repository public, Anthropic or other AI providers may include public code in their general training datasets (like GitHub Copilot does). This Privacy Policy applies only to private code processed through ADO Pilot.
5. Third-Party Service Providers (Subprocessors)
We share data with the following third-party service providers who help us deliver the Service:
5.1 Anthropic, PBC (AI Provider)
What they do: Provide the AI models (Claude) that power our code reviews.
What data we share: Pull request diffs and file contents necessary for code review.
Data retention by Anthropic:
- Limited retention: Anthropic retains API inputs and outputs for a limited period — up to approximately 30 days — to operate and secure the API, after which they are deleted. See Anthropic's Commercial Terms.
- No training: Anthropic does not use your data to train their AI models.
- Zero Data Retention: We'll work with qualifying Enterprise customers to arrange a Zero Data Retention (ZDR) configuration under which neither we nor our subprocessors (including Anthropic) will retain your data at rest. Contact sales@adopilot.dev to discuss your requirements.
Data location: Anthropic processes data in the United States. For EU customers, data transfer is protected by Standard Contractual Clauses (SCCs) as required by GDPR.
Learn more:
5.2 Microsoft Azure (Infrastructure Provider)
What they do: Provide cloud infrastructure (compute, storage, networking) for ADO Pilot.
What data they process:
- All data described in this Privacy Policy is hosted on Microsoft Azure
- Azure provides infrastructure security, encryption, and compliance certifications
Data location: United States (may expand to other regions in the future).
Security: Azure provides SOC 2 Type II, ISO 27001, and other security certifications. See Azure Trust Center.
5.3 Microsoft Azure DevOps
What they do: Provide the Azure DevOps platform where your code is hosted.
Data flow: We fetch code from Azure DevOps using your organization's authorized credentials and post review comments back to Azure DevOps. We do not send your code to Microsoft (it's already there). Separately, when you sign in to our portal using your Microsoft account or take an action through the browser extension (such as manually triggering a review), Microsoft also provides us your identity information via a sign-in credential or delegated access token — see Section 2.1 for how we use it.
5.4 Payment Processors (if applicable)
If we offer direct billing (separate from Azure Marketplace):
- Payment processor: Stripe, Inc.
- What they process: Payment information (credit card, billing address)
- Data retention: Governed by the payment processor's privacy policy
Note: We never store credit card numbers directly.
5.5 Other Service Providers
We currently use the following additional service providers:
- Transactional email: Twilio Inc. (SendGrid) — delivers account and notification emails (recipient email address and message content).
- Service telemetry: Microsoft Azure Application Insights — operational telemetry from our servers and, on a best-effort basis, from the Azure DevOps browser extension (error/diagnostic messages and request timing; never your credentials, tokens, or source code).
- Product analytics: Google LLC (Google Analytics 4) — first-party usage analytics on our websites (a pseudonymous client identifier and page/event data). Configured with advertising features and Google Signals off; no personal information (such as name or email) is sent to Google. In the EEA, the UK, and Switzerland we set analytics cookies only with your prior consent (opt-in); elsewhere you can opt out at any time. Use "Your Privacy Choices" (Section 10) or a Global Privacy Control signal.
- Ad conversion measurement: Reddit, Inc. — if you arrive at our site from a Reddit ad and later sign up, we send Reddit a server-side signup-conversion signal: a Reddit-issued click identifier and the fact that a signup occurred. No client-side Reddit script, pixel, or cookie is ever loaded in your browser, and no name, email, or source code is sent to Reddit. Sent only when you haven't opted out of Advertising. In the EEA, the UK, and Switzerland this is off unless you opt in; elsewhere you can opt out at any time via "Your Privacy Choices" (Section 10) or a Global Privacy Control signal.
- Customer support ticketing: Atlassian, Inc. (Jira Service Management) — routes and stores support ticket content (requester name, email address, subject, and description) for support-request tracking and response. Atlassian does not receive your source code or pull-request data. (The request category you select is retained only in our own records, not sent to Atlassian.)
- Bot and abuse protection: Cloudflare, Inc. (Turnstile) — performs a bot-detection check on requests submitted via the public support form at app.adopilot.dev/support, using your IP address and browser characteristics. Cloudflare does not receive your account data or source code. Cloudflare processes these signals as our processor to run the check, but its own Turnstile Privacy Policy (linked above) states it also acts as an independent controller of the same signals to improve Turnstile's bot detection across its network — a use that is Cloudflare's own, not one we direct.
We will update this list if we add further providers. Subprocessor list: A complete and current list of subprocessors is available on request from dpo@adopilot.dev. We will notify customers 30 days before adding new subprocessors that process customer code. The Atlassian and Cloudflare entries above process support-requester contact data only — not customer source code — so the customer-code notification commitment does not apply to them.
6. Data Storage and Security
6.1 Where We Store Data
Primary data location: United States (Microsoft Azure US regions)
Source code: Deleted immediately after each review; an automated safeguard guarantees deletion within seven days at most in every case (see Section 4)
Other data (accounts, billing, analytics): Stored in Azure US regions with encryption at rest.
Future expansion: We may offer data residency options (EU, Asia-Pacific) in the future. If you have specific data residency requirements, contact us at privacy@adopilot.dev.
6.2 Security Measures
We implement appropriate technical and organizational security measures to protect your data:
Technical measures:
- Encryption at rest: All data encrypted using AES-256 via Azure Storage Service Encryption
- Encryption in transit: TLS 1.2+ for all network communication
- Access control: Role-based access control (RBAC) and Azure AD managed identities
- Secret management: All credentials and API keys stored in Azure Key Vault
- Network isolation: Services run in isolated virtual networks with minimal internet exposure
Organizational measures:
- Least privilege: Employees have access only to data necessary for their role
- Security training: All team members receive security awareness training
- Incident response plan: We have procedures to detect, respond to, and recover from security incidents
We maintain a written information security program informed by recognized frameworks such as the NIST Privacy Framework.
Limitations: No security is perfect. While we take reasonable precautions, we cannot guarantee absolute security. You use the Service at your own risk.
6.3 Security Certifications
Current status (MVP): Relying on Azure's security certifications and best practices.
Penetration testing: We plan to conduct annual third-party security audits.
Enterprise customers: If you require specific certifications, contact us to discuss timing and requirements.
7. Data Retention and Deletion
7.1 Source Code
As described in Section 4, your raw source code is deleted from our systems immediately after each review, with an automated safeguard guaranteeing deletion within seven days at most even if a review doesn't finish cleanly. Our AI provider retains API inputs for a limited period (up to approximately 30 days) and does not train on them. Review comments, findings, and summaries we generate are stored in your account until you delete them or your account.
7.2 User Account Data
While your account is active: We retain your account data (email, name, organization ID, subscription info) indefinitely to provide continuous service.
After account deletion: We delete your account data from our active systems within 30 days of a deletion request, except as noted below. Residual copies may persist in encrypted backups for up to a further 30 days before they are fully erased.
7.3 Billing Records
Retention period: 7 years from the end of the fiscal year in which the transaction occurred.
Why: Required for tax compliance (IRS), accounting audits, and dispute resolution.
What's retained: Invoice data, subscription history, payment records. No source code or review content.
7.4 Usage Analytics
Aggregate data: Anonymized usage statistics (e.g., "total reviews performed this month") are retained indefinitely for business analytics.
Customer-specific data: Deleted within 30 days of account deletion.
7.5 Legal Holds
If we receive a valid legal request (court order, subpoena), we may be required to retain data beyond normal retention periods. We will notify you if legally permitted.
7.6 Review Results and History
The review comments, findings, and summaries the Service generates (which are derived from, but are not, your source code) are stored in your account so you can view your review history. They are retained until you delete them or your account, at which point they are removed on the schedule in Section 7.2. While your account is active, these review results are not subject to a fixed expiry.
7.7 Pre-Signup Prefill Data
As described in Section 2.5 ("Pre-signup convenience data"), if you install the extension or click a "Sign up" action before your organization has an account, we briefly store your sign-in email and organization identifiers to pre-fill the signup form. This data is automatically deleted after 30 days, whether or not you complete signup — there is no separate deletion request needed, and no residual backup copy (this store is never backed up).
8. Your Rights and Choices
Depending on your location, you may have specific rights regarding your personal data.
8.1 GDPR Rights (European Economic Area, UK, Switzerland)
If you're in the EU/EEA, UK, or Switzerland, you have the following rights:
Right to access: Request a copy of all personal data we hold about you.
Right to rectification: Correct inaccurate or incomplete data.
Right to erasure ("right to be forgotten"): Request deletion of your data (subject to legal retention requirements like billing records).
Right to restriction of processing: Ask us to stop processing your data in certain circumstances.
Right to data portability: Receive your data in a machine-readable format (JSON) and transfer it to another service.
Right to object: Object to processing based on legitimate interests (e.g., marketing).
Right to withdraw consent: Withdraw consent for processing that requires it (e.g., marketing emails).
Right to lodge a complaint: File a complaint with your local data protection authority.
How to exercise rights: Email us at dpo@adopilot.dev. We will respond within 30 days (or 60 days for complex requests, with explanation).
8.2 CCPA Rights (California Residents)
If you're a California resident, you have the following rights:
Right to know: Request disclosure of what personal information we collect, use, disclose, and sell.
Right to delete: Request deletion of your personal data (subject to exceptions).
Right to correct: Request that we correct inaccurate personal information we maintain about you. We will use commercially reasonable efforts to correct it as directed, taking into account the nature of the information and the purposes of processing.
Right to opt-out of sale or sharing: We do NOT sell personal information. We do share a limited signal with an advertising network (currently Reddit Ads) for cross-context behavioral advertising — see Section 5.5 — but only when you haven't opted out. You can opt out of this sharing at any time via the "Your Privacy Choices" control's Advertising toggle (Section 10.2), and we honor Global Privacy Control (GPC) signals by disabling both Advertising and Analytics.
Right to non-discrimination: We will not discriminate against you for exercising your CCPA rights.
How to exercise rights: Email us at privacy@adopilot.dev. We will respond within 45 days.
Verification: We may ask for additional information to verify your identity before processing requests.
8.3 Rights for All Users (Regardless of Location)
Even if you're not covered by GDPR or CCPA, we offer these rights to all users:
Access your data: Request a copy of your account data and usage history.
Correct your data: Update your sign-in email via your account settings; to correct your name or other account information, contact support.
Delete your account: You can delete your account at any time by contacting support. We will delete your data within 30 days (except billing records retained for 7 years).
Opt out of marketing: Unsubscribe from marketing emails via the link in any email or by contacting privacy@adopilot.dev.
Export your data: Email dpo@adopilot.dev to request an export of your account data, review history, and usage data. We will provide it in a machine-readable format (JSON). Exports are prepared by our team rather than through a self-service download.
Scope and how we handle requests: ADO Pilot is a business-to-business service. Account deletion removes your organization's data from our active systems (see Section 7). For a request about a specific individual's personal data within an organization, we act on the organization's behalf as a data processor — email dpo@adopilot.dev and we will action it. Data-subject requests are handled by our team rather than through a self-service interface.
9. International Data Transfers
ADO Pilot is based in the United States, and your data is primarily stored in US data centers (Microsoft Azure).
9.1 Transfers Outside Your Country
If you're located outside the United States, your data will be transferred to and processed in the United States.
For EU/EEA users:
- Legal mechanism: We rely on Standard Contractual Clauses (SCCs) approved by the European Commission for data transfers to the United States.
- Anthropic data transfers: When we send your code to Anthropic (US-based), this transfer is also protected by SCCs included in our agreement with Anthropic.
- Adequacy: While the EU-US Data Privacy Framework is in place, we use SCCs as an additional safeguard.
For UK users:
- Legal mechanism: UK International Data Transfer Agreement (IDTA) or SCCs approved by the UK Information Commissioner's Office (ICO).
For other regions: We use appropriate safeguards consistent with local data protection laws.
9.2 Your Consent
By using ADO Pilot, you consent to the transfer of your data to the United States and processing as described in this Privacy Policy.
If you do not consent, please do not use the Service. In the future, we may offer data residency options (EU hosting, for example) to address this concern.
10. Cookies and Tracking Technologies
10.1 What We Use
Strictly necessary cookies: We use a session cookie to authenticate users and maintain login state. This is required for the Service to function.
Analytics: We use Google Analytics 4 (GA4) to understand how our public websites are used (for example, which pages and features are visited) so we can improve them. GA4 sets first-party analytics cookies (such as _ga and _ga_*) in your browser and assigns a pseudonymous identifier. We also collect operational telemetry via Azure Application Insights — from our servers, and, on a best-effort basis, from the Azure DevOps browser extension (see Section 5.5) — using neither cookies nor local storage in the extension, so this collection is not gated by the cookie-consent choices below. Our GA4 configuration is privacy-protective: advertising features and Google Signals are turned off, IP addresses are not stored by GA4, and we never send personal information (such as your name or email) to Google. Analytics is region-aware (see Section 10.2): in the European Economic Area (EEA), the United Kingdom, and Switzerland it is off by default and runs only if you opt in; elsewhere (including the United States) it is on by default and you can opt out at any time. We honor Global Privacy Control in every region.
Advertising: If you arrive at our site by clicking a paid ad (currently: Reddit Ads) and later sign up, we capture the ad network's click identifier from the destination URL using our own first-party code — no ad network's script or pixel ever loads in your browser — and store it in a first-party cookie of ours so it survives until you convert. If and when you sign up, we send that click identifier and the fact of the signup to the ad network as a server-side conversion signal, so it can measure and optimize the campaign. Advertising is region-aware, the same as analytics: off by default in the EEA, the UK, and Switzerland unless you opt in; on by default elsewhere, with an opt-out available at any time.
What we DON'T use:
- No third-party advertising script or pixel ever runs in your browser
- No cross-site tracking of your browsing beyond the single ad-click-to-signup conversion signal described above (and in Section 8.2)
- No behavioral profiling for marketing beyond that same bare conversion signal
10.2 Your Choices
Cookie management: You can block cookies in your browser settings. Note that blocking strictly necessary cookies will prevent you from using the Service.
Your choices ("Your Privacy Choices"): We offer two independent categories — Analytics and Advertising — each on or off by default depending on your region. In the EEA, the UK, and Switzerland, both are off until you opt in. Everywhere else (including the United States), both are on by default and you can opt out of either independently. Use the "Your Privacy Choices" control — in the footer of our marketing site, and in the corner of the onboarding app — to change your choice for either category. It opens a preference center where you can enable or disable each one; your choice is remembered on your browser and applies across our adopilot.dev sites.
Global Privacy Control (GPC): We honor the Global Privacy Control signal. If your browser or extension sends a GPC signal, we automatically disable both Analytics and Advertising for that browser — you don't need to do anything else.
Sale or sharing: We do not sell your personal information. We do share a limited advertising-conversion signal as described above when you haven't opted out — see Section 8.2 for how to exercise your CCPA/CPRA right to opt out of that sharing. We use Google Analytics only as a service provider/processor for our own first-party analytics, configured with advertising features off.
Do Not Track: Browsers vary in how they send Do Not Track (DNT), and there is no industry-standard response, so we do not rely on DNT. Instead, we honor the Global Privacy Control (GPC) signal and provide the "Your Privacy Choices" control to disable analytics and advertising cookies (see Section 10.2).
11. Data Breach Notification
11.1 Our Commitment
We take data security seriously. In the event of a data breach that affects your personal data, we will respond as follows. Our specific notification obligations depend on our role for the affected data (see "Our Role Under Data Protection Law" above):
Investigation:
- Internal detection: Upon becoming aware of a suspected breach, we will promptly investigate and work to confirm the nature and scope of the incident without undue delay.
Notification:
- Where we are the data controller (account and billing data): Where the breach affects data for which we are the controller, and notification is required, we will notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, as required by GDPR Article 33(1). We will notify affected individuals where the breach is likely to result in a high risk to their rights and freedoms.
- Where we are a data processor (source code and pull request data): Where the breach affects personal data that we process on a customer's behalf, we will notify the affected customer (the controller) without undue delay after becoming aware of it, so that the customer can meet its own notification obligations. As your processor we do not notify supervisory authorities or your users directly on your behalf unless agreed in our Data Processing Addendum.
- Customer notification (general): We will notify affected customers without undue delay after becoming aware of a confirmed breach affecting their data.
What we'll tell you:
- Nature of the breach (what data was affected)
- Likely consequences
- Measures we've taken to address the breach
- Recommended actions for you to take (e.g., change passwords)
11.2 Legal Compliance
We comply with the data breach notification laws applicable to our Service, including:
- Tennessee: Tennessee's data breach notification statute (Tenn. Code Ann. § 47-18-2107), part of the Tennessee Identity Theft Deterrence Act within the Tennessee Consumer Protection Act. We notify affected Tennessee residents no later than 45 days after discovery of a breach (subject to legitimate law-enforcement delay). Notification is not triggered by the unauthorized acquisition of encrypted information unless the encryption key or process is also acquired.
- GDPR: 72-hour notification to supervisory authority and affected individuals
- CCPA: Notice to California Attorney General if 500+ CA residents affected
- Other applicable laws: We also comply with all other data breach notification laws that apply to us, including other U.S. state laws.
11.3 Your Responsibility
If you suspect unauthorized access to your account, immediately:
- Change your Azure DevOps credentials
- Revoke ADO Pilot's access in Azure DevOps settings
- Contact us at security@adopilot.dev
12. Children's Privacy
ADO Pilot is a B2B service not directed at minors. You must be at least 16 years old to use the Service (see Terms of Service, Section 3.2). We do not knowingly collect personal information from anyone under 16. If you believe a minor has provided us with personal information, contact privacy@adopilot.dev and we will delete it.
13. Changes to This Privacy Policy
13.1 How We Update
We may update this Privacy Policy from time to time to reflect:
- Changes to the Service or features
- New legal requirements
- Feedback from customers
- Changes in our data practices
13.2 Notice of Changes
Material changes: If we make material changes that significantly affect your rights or how we use data, we will:
- Email you at your registered email address at least 30 days before the changes take effect
- Display a prominent notice in the ADO Pilot web app
- Update the "Last Updated" date at the top of this policy
Non-material changes: For minor updates (typos, clarifications, adding examples), we will update the policy without advance notice.
13.3 Your Acceptance
By continuing to use ADO Pilot after changes take effect, you accept the updated Privacy Policy. If you don't agree with the changes, you must stop using the Service and delete your account.
Version history: We maintain a version history of this Privacy Policy; prior versions are available on request.
14. Contact Us
14.1 Privacy Questions
For questions, concerns, or requests related to this Privacy Policy:
Email: privacy@adopilot.dev
Data Protection Officer: dpo@adopilot.dev
Mail: Glenn Technology LLC 9039 Cross Park Dr, Ste 30458 Knoxville, Tennessee 37923 United States
14.2 GDPR Representative (EU)
If we process significant amounts of EU data in the future, we may appoint an EU representative as required by GDPR Article 27. Contact details will be provided here.
14.3 Response Time
We aim to respond to all privacy inquiries within:
- GDPR requests: 30 days (or 60 days for complex requests)
- CCPA requests: 45 days
15. Legal and Compliance
15.1 Governing Law
This Privacy Policy is governed by the laws of the State of Tennessee and the United States, without regard to conflict of law principles.
Jurisdiction: Any disputes relating to this Privacy Policy shall be subject to the exclusive jurisdiction of the courts located in Tennessee.
15.2 Compliance
We design our practices to align with applicable data protection laws, including:
- Tennessee state data protection laws
- FTC Act (unfair and deceptive practices)
- GDPR (for EU users, where it applies)
- CCPA (for California residents, where applicable)
We hold no third-party certifications at this time and rely on Microsoft Azure's certifications for the underlying infrastructure (see Section 5.2).
15.3 Regulatory Authorities
For EU users: You have the right to lodge a complaint with your local data protection authority. Find your authority at https://edpb.europa.eu/about-edpb/board/members_en.
For California users: California Privacy Protection Agency (CPPA) - https://cppa.ca.gov/
For Tennessee users: Tennessee does not have a dedicated data protection authority. Contact us directly or file a complaint with the Tennessee Attorney General's Office.
Appendix: Data Processing Summary (GDPR Article 30)
For EU customers, here's a summary of our data processing activities:
| Data Category | Purpose | Legal Basis | Retention | Recipient(s) |
| -------------------------------------------------------- | ---------------------------------------------------------------- | ----------------------------------------------------------------- | ------------------------------------------------------------------------------------------- | ------------------------------------------------------ |
| Azure DevOps user info (email, name, org ID) | Authentication, service delivery | Performance of contract | Active account: indefinite; Deleted: within 30 days | Microsoft Azure |
| Source code (PR diffs) | AI code review | Performance of contract | Deleted immediately; ≤7 days in every case as a safeguard; Anthropic retains up to ~30 days | Anthropic only |
| Review results (comments, findings, summaries) | Provide review history | Performance of contract | Until you delete them or your account | Microsoft Azure |
| Usage analytics | Service improvement, billing | Legitimate interest | Aggregate: indefinite; Customer-specific: within 30 days post-deletion | Microsoft Azure |
| Technical/security data (IP address, browser) | Security monitoring, fraud/abuse prevention | Legitimate interest | Within 30 days post-deletion | Microsoft Azure |
| Pre-signup prefill data (sign-in email, org identifiers) | Pre-fill the signup form for a not-yet-registered installer/user | Legitimate interest | Up to 30 days, then auto-deleted | Microsoft Azure |
| Ad click identifier (Reddit rdt_cid) | Ad campaign measurement/optimization | Consent (EEA/UK/CH); legitimate interest with opt-out (elsewhere) | ~30 days (cookie); life of the subscription (Stripe metadata) | Reddit, Inc. |
| Billing records | Payment processing, tax compliance | Legal obligation | 7 years | Stripe, Inc. |
| Communications | Support, marketing | Consent (marketing), Legitimate interest (support) | Until opt-out or account deletion | Twilio (SendGrid); Atlassian (Jira Service Management) |
End of Privacy Policy
<!-- INTERNAL NOTES — stripped from rendered output by the Markdoc loader's HTML comment pre-processor. Keep these in source so authors don't lose track of the launch checklist; they will not appear on the public site. **TODO before launch (still open — business owner / counsel):** 1. Replace `[YOUR BUSINESS ENTITY NAME]` with the actual legal name 2. Replace `[YOUR REGISTERED ADDRESS]` / `[City]` / `[ZIP]` with the actual Tennessee address 3. Replace `2026-06-10` (Last Updated + Effective Date) at publish time 4. Provision the referenced @adopilot.dev mailboxes (privacy, dpo, security, sales) 5. Confirm Stripe, Inc. as the payment processor (Section 5.4) before enabling direct billing 6. **Get legal review from a licensed attorney in Tennessee before publishing** **Done in the 2026-07-09 accuracy-audit follow-up fix (v1.17 → v1.18):** - Section 2.1's "How we receive it" paragraph still called the installation-outreach email "the one-time outreach described in Section 2.5" — a leftover from before the v1.16 → v1.17 pass reworded Section 2.5 itself to describe a capped-frequency (resent at most once every 30 days), not one-time, resend. Dropped "one-time" here too so the cross-reference no longer contradicts the section it points to. **Done in the 2026-07-09 accuracy-audit fix pass (v1.16 → v1.17):** - Section 2.5's "Installation outreach" bullet (and the mirrored Section 3.3 bullet + the Section 2.5 legal-basis sentence) overclaimed the "getting started" email as a strict, absolute one-shot ("single," "single one-time," "we will not email that address again for this purpose regardless"). `install-notify.ts`'s dedup window is a 30-day per-org rate limiter, not a permanent once-ever suppression — a still-unregistered org gets re-nudged roughly monthly until it signs up or unsubscribes. Reworded to describe the actual capped-frequency, resend-until-unsubscribe-or-signup behavior. - Section 8.3's "Correct your data" and "Delete your account" bullets claimed a self-service "account settings" affordance for editing your name/other account info and for deleting your account. Neither exists — the account settings page only supports an email change; deletion is a support-request-triggered, operator-run script (`tools/gdpr/delete-tenant-data.ps1`). Narrowed both bullets to what's actually self-service (the email change) versus what requires contacting support. - Added Atlassian (Jira Service Management) to the Article 30 appendix's "Communications" row recipients — support-request name/email/subject/description are sent to JSM (`jsm-client.ts`), which Section 5.5 already names as a subprocessor but the appendix table had omitted. **Done in the 2026-07-09 ship-review consistency fix (v1.15 → v1.16):** - Section 10.1's "What we DON'T use" bullets ("No cross-site tracking" / "No behavioral profiling for marketing") were left unqualified by the v1.15 Reddit CAPI pass below, contradicting the same pass's own Section 8.2/10.2 disclosure that we share a bare ad-click-to-signup signal with Reddit for cross-context behavioral advertising. Qualified both bullets to reference that single carved-out exception instead of reading as absolute — caught by the PR's own user-facing-doc-impact review before merge. **Done in the 2026-07-09 Reddit CAPI conversion pass (v1.14 → v1.15):** - Added the Reddit Ads server-side Conversions API (CAPI) integration: a NEW "Advertising" consent category, independent of and parallel to the existing "Analytics" category, region-aware the same way (EEA/UK/CH opt-in, elsewhere opt-out), honored by GPC. Deliberately CAPI-only — no client-side Reddit pixel/script/tag of any kind is ever loaded in the browser; the ad click identifier (`rdt_cid`) is captured by our own first-party code reading it off the landing-page URL (the same category of thing as existing UTM/gclid capture), stored in our own first-party cookie, and sent server-side to Reddit only at the moment of an actual signup, from the same Stripe webhook that already sends the GA4 purchase conversion. - Rewrote Sections 2.3 and 3's blanket "no third-party advertising/no behavioral tracking" claims, which were literally true before this pass and would have become false in substance (not because a pixel loads, but because a signal is now shared with an ad network for campaign optimization) — carved out the narrow, consented exception instead of leaving the false blanket claim in place. - Added a Reddit, Inc. bullet to Section 5.5, an Advertising subsection to 10.1/10.2, and an Article 30 Appendix row. - Section 8.2 (CCPA): replaced the "not applicable" sale/share framing with a real "Do Not Sell or Share" mechanism — treating the ad-conversion signal as CCPA/CPRA "sharing" for cross-context behavioral advertising, opt-out-able via the same "Your Privacy Choices" control used for analytics. - **Counsel must review this pass** (see the AUTHORING-NOTE inline at Section 2.3) — in particular the CCPA "sharing" characterization and whether the EEA/UK/CH consent basis for Advertising needs to differ from Analytics' — before `REDDIT_CAPI_ACCESS_TOKEN` is configured in production (see `reviewer-iac/Pulumi.prod.yaml`; unset today, so the integration is currently inert regardless of this doc). **Done in the 2026-07-08 extension client-side telemetry pass (v1.13 → v1.14):** - Broadened Section 5.5's "Service telemetry" bullet and Section 10.1's Application Insights sentence, both of which previously scoped Azure Application Insights as "server-side operational telemetry" only. The Azure DevOps marketplace extension (a browser surface running inside the customer's own ADO tenant) now also reports best-effort client-side error/diagnostic telemetry and request timing to the same Application Insights subprocessor — see `reviewer-web/ado-integration/src/shared/telemetry.ts`. Never includes credentials, tokens, or source code; explicitly does not set cookies (`disableCookiesUsage`), so it's called out as ungated by the cookie-consent apparatus in Section 10. Reconciled `subprocessors.md`'s Microsoft Corporation entry to match. **Done in the 2026-07-08 support-URL correction pass (v1.12 → v1.13):** - Fixed the public support form's URL in Sections 2.5 and 5.5 from bare `adopilot.dev/support` to `app.adopilot.dev/support`. That route doesn't exist on the public marketing site (`reviewer-web/public-website`) — the form is `reviewer-web/onboarding-wizard/src/app/support/page.tsx`, a top-level route served on the `app.adopilot.dev` host alongside the dashboard and deliberately excluded from the portal's auth middleware matcher so it stays reachable without signing in. Same fix applied to `docs/user-facing/trust/support-and-contact.md` and the ADO Marketplace extension manifest/assets in the same pass. - Rebased onto main after the "signup-prefill disclosure" pass below independently landed its own v1.11 → v1.12 bump; renumbered this pass to v1.12 → v1.13 to avoid a version collision — no content conflict between the two passes. **Done in the 2026-07-08 signup-prefill disclosure pass (v1.11 → v1.12):** - Added a "Pre-signup convenience data" bullet to Section 2.5 disclosing the new signup-prefill flow: installing the extension or clicking a "Sign up" action (Settings page or PR action menu) before the org has an ADO Pilot account briefly stores the ADO sign-in email + org identifier in a 30-day-TTL Cosmos store (`installPrefills`) to pre-fill the signup form. - Added a new Section 7.7 ("Pre-Signup Prefill Data") and a corresponding row to the Article 30 processing-activities table in the Appendix, both cross-referencing 2.5. - Extended the Section 2.5 "Legal basis (GDPR)" sentence and the shared authoring-note comment to cover this new capture surface alongside the existing installation-outreach disclosure. Like that paragraph, this language is engineering-drafted and has **not yet been reviewed by counsel**. **Done in the 2026-07-08 single-reviewer follow-up pass (v1.10 → v1.11):** - Fixed a self-contradiction an adversarial review caught in the v1.10 pass below: Section 2.1's new sentence claimed Microsoft-sourced identity is used "only to authenticate you and authorize the specific action requested," but Section 2.5 already discloses that the same delegated token's identity is also used for the one-time installation-outreach email (`install-notify.ts` → `maybeSendInstallerEmail()`). Dropped "only" and added an explicit cross-reference to Section 2.5. - Softened the single-sign-on example in Sections 2.1 and 5.3 from the specific "Sign in with Microsoft" feature name to generic "sign in to our portal using your Microsoft account" — the reviewer flagged that the named SSO feature is gated behind a `customer-sso` App Config flag whose production state couldn't be confirmed from static code; the generic phrasing holds true regardless of that flag's state. **Done in the 2026-07-08 identity-data-source clarification pass (v1.9 → v1.10):** - Added a "How we receive it" note to Section 2.1 naming Microsoft as the direct source of user identity data during two authenticated-interaction paths that were previously only described in the abstract ("authenticate users"): single sign-on ("Sign in with Microsoft" / Microsoft Entra ID) and the Azure DevOps extension's delegated-access-token mechanism (used e.g. to authorize a manually-triggered review, per `review-trigger.ts`). - Broadened Section 5.3's "Data flow" sentence to cross-reference the new 2.1 note, so it no longer reads as though "your organization's authorized credentials" (the automated webhook flow) is the only way we receive ADO identity data — the per-user SSO/extension-token path is now named too. - Like the Section 2.5 installation-outreach paragraph added in the 2026-07-06 pass below, this new language is an engineering draft describing real shipped behavior and has **not yet been reviewed by counsel** — flagged inline. **Done in the 2026-07-06 issue #445 follow-up pass (v1.7 → v1.8):** - Removed the Section 13.1 "Current version: This policy is version 1.2, last updated 2026-06-13" self-reference sentence — it duplicated the "Last Updated"/"Effective Date" lines at the top of the doc and had gone stale across two subsequent version bumps (v1.4, then v1.6/v1.7) without anyone updating it. Rather than re-syncing a third hardcoded copy of the version number, dropped the sentence; the frontmatter + top-of-doc fields remain the single source of truth. - Section 5.5's Anthropic Privacy Policy link changed from `anthropic.com/privacy` to `anthropic.com/legal/privacy`, matching `docs/user-facing/trust/data-handling.md` and the URL Anthropic's own site currently resolves to (`/privacy` redirects there). **Done in the 2026-07-06 ZDR reframe + version catch-up pass (v1.6 → v1.7):** - Bumped `version`/`effectiveDate` frontmatter and the Last Updated/Effective Date lines — v1.6 (2026-06-29) was stamped on the *previous* substantive edit; PR #995 (2026-07-05, merged 2026-07-06) then changed the Section 5.5 Cloudflare Turnstile entry (added the dual processor/independent-controller disclosure + a link to Cloudflare's own privacy policy) without bumping the version. This pass catches that up alongside its own changes, so v1.7 covers both. - ZDR wording (Sections 2.2, 4.1, 5.1) reworded off the 2026-06-09 pass's "ZDR as an Enterprise add-on... contact sales" framing, through an intermediate "not yet available; contact sales to be notified when it launches" draft, to the current: "We'll work with qualifying Enterprise customers to arrange a Zero Data Retention (ZDR) configuration under which neither we nor our subprocessors (including our AI provider) will retain your data at rest." Business reasoning: avoid both overclaiming ZDR as a live, self-serve toggle (issue #8 — it isn't; no tenant flag, no orchestrator routing, Batch API isn't ZDR-eligible) and undermarketing it as a stalled "not yet available" promise, when it's realistically deliverable within a single Enterprise sales cycle for the right customer. Also broadened the guaranteed scope from "our AI provider" alone to "neither we nor our subprocessors" (Section 2.2 previously only named a "zero-data-retention agreement" contact path with no scope statement at all — brought in line with Sections 4.1/5.1's wording for consistency). - Mirrors the equivalent Terms of Service change (Section 7.2, same day, ToS v1.2 → v1.3) and the same phrasing now used on the public pricing page ("contact sales" line items for both ZDR and the GDPR DPA). **Done in the 2026-06-20 GA4 analytics pass:** - Shipped Google Analytics 4 on the public website + onboarding wizard (Consent Mode v2; "Your Privacy Choices" control + GPC honored; no ad pixels). Rewrote Sections 2.3, 5.5, 8.2 (CCPA opt-out), 10.1, 10.2, and Do-Not-Track to describe the GA4 cookies, the choice control, and ACTIVE GPC honoring (was: "server-side telemetry only, no analytics cookies, GPC requires no action"). The server-side `purchase` conversion (Measurement Protocol) is gated on analytics consent. - **Region-aware update (EEA opt-in):** the consent posture is now region-scoped via Consent Mode `region` defaults — EEA/UK/Switzerland visitors are **opt-IN** (analytics denied by default; `_ga` set only after consent), while the US (and elsewhere) stays opt-OUT. Sections 10.1, 10.2, and the Section 5.5 processor entry now state the region-conditional behavior. **Counsel must review this region-aware analytics disclosure (in particular the EEA/UK consent basis) before `GA_MEASUREMENT_ID` is enabled in production.** **Done in the 2026-06-09 reform pass (kept consistent with the Terms of Service):** - Retention rewritten to the truth (Sections 2.2, 4.1, 5.1, 6.1, 7.1, Appendix): no raw-code retention on our systems; Anthropic ~29–30 day API retention; review results kept in-account; ZDR as an Enterprise add-on. Removed all "zero retention" overclaims. - Anthropic entity corrected to "Anthropic, PBC" (Section 5.1). - Dropped "industry-standard" (Section 6.2) and added a NIST-informed security-program sentence (matches ToS Section 16.3). - Minimum age set to 16 (Section 12) to match ToS Section 3.2. - Subprocessor list made "available on request" (Section 5.5); payment processor named (Stripe, Inc.). - Domain unified to adopilot.dev; URL placeholders resolved or softened to "on request". **Done in the 2026-06-09 Privacy Policy full pass (truthful to current reality):** - Cookies & Tracking (Section 10): only a strictly-necessary session cookie today; analytics is server-side telemetry (no analytics cookies), with a forward-looking allowance for optional analytics cookies. Added a Global Privacy Control (GPC) commitment; scoped Do-Not-Track to any future tracking (C12). - Data-subject rights (Section 8): export is JSON (not "JSON or CSV"), request-based via dpo@ (not self-service); deletion described as account/organization-scoped with processor-assist for individual requests (C16). - Added Section 7.6 (Review Results and History) + a backup-retention window in Section 7.2 (C7). - Sub-processors (Section 5.5 + Appendix): named SendGrid (Twilio) affirmatively, removed unused vendors (Mailgun/Zendesk/Intercom), kept Azure Application Insights (server-side); corrected the Article 30 recipients (user info → Azure only, billing → Stripe, comms → Twilio/SendGrid; added a Review-results row). **Done in the 2026-06-09 review-remediation pass (post-adversarial-review fixes; kept consistent with the Terms of Service):** - Added an "Our Role Under Data Protection Law" subsection (controller for account/billing/usage; processor for source-code PII) — mirrored in ToS Section 16.2. - CCPA (Section 8.2): added the Right to Correct (Cal. Civ. Code § 1798.106). - Breach (Section 11.1) reframed by controller/processor role; the "confirm within 24h" detection SLA softened to effort-based; Tennessee statute (Section 11.2) re-cited correctly (§ 47-18-2107 is the breach-notification statute within the TN Identity Theft Deterrence Act / Consumer Protection Act, not the criminal "Personal and Commercial Computer Act"). - GPC (Sections 8.2 / 10.2) softened to conditional/forward-true (we honor it if we ever sell or share); decoupled GPC from the future-DNT sentence. - Compliance (Section 15.2) reframed from "certifications" to design-alignment (no third-party certs; rely on Azure). - Enterprise/ZDR contact unified to sales@adopilot.dev (matches the ToS). - Appendix: added a Technical/security-data (IP) row to the Article 30 table. - Retention (Section 7.2) softened to "within 30 days of a deletion request" (the deletion path is an operator-run script; one container — stripe-deadletter — is not org-queryable, tracked as a code follow-up). - Breach-law (Section 11.2) lead-in de-hedged ("key" → "applicable") with a catch-all for all other applicable laws, per external-review adjudication (2026-06-09). **Compliance / product backlog (the PP describes today's reality; build these to strengthen the promises):** - Self-service + CSV data export (today: operator-run JSON via tools/gdpr/). - Automated per-individual GDPR deletion (today: org-scoped operator script; GDPR Art. 17 per-data-subject automation — escalate to counsel/product). - Automatic cascade-delete of reviews/findings on account deletion (today: manual operator script; the Section 7.2 "within 30 days" promise depends on operators running it). - ~~GPC / DNT signal handling in code — required if/when client-side analytics ships~~ — DONE (2026-06-20): the client applies GPC + the stored opt-out before any tag fires, and the server-side `purchase` is gated on consent. - Breach-detection control (compendium C17) backing the Section 11 72-hour notification process. **Separate next pass — Data Processing Addendum (data-processing-addendum.md):** remove the rendering "## Internal Notes" heading (C2), add SendGrid (C8), fix the Module 3 SCC annex (C9), Anthropic PBC + retention + domain. **Optional enhancements:** - Add FAQ section for common privacy questions - Create visual diagram of data flow (especially useful for enterprise customers) - Translate into other languages for international customers - Create summary "Privacy at a Glance" page for quick reference -->