Privacy Policy

Last updated: April 7, 2026

1. Information We Collect

We collect the following categories of data in the course of providing the DeployRamp service:

Account data: your name, email address, and organization name, collected via Clerk when you create an account or sign in with Google.
Repository integration data: GitHub App installation IDs, GitLab and Bitbucket access tokens (stored encrypted), and webhook event metadata from your Git hosting provider. Webhook payloads are processed and discarded; they are not written to persistent storage.
Pull request diff content: ephemeral. We access your PR diffs to perform AI risk analysis. This content is never written to persistent storage and is deleted immediately after analysis completes.
Feature flag configuration: flag keys, rollout percentages, rollout state, and created/updated timestamps.
Flag evaluation events: flag key, variant returned, user context (traits you supply via the SDK, such as user ID or region), and timestamp—collected each time a flag is evaluated.
Error reports: error message, stack trace, user traits, the flag key and variant active at the time of the error, and timestamp—submitted via the SDK when your application reports an error.
User feedback: a 1–5 sentiment rating, flag key, and timestamp—collected when your application displays a DeployRamp feedback widget to end users.
Audit log entries: actor identity, action type, flag key, previous and new values, AI reasoning for automated rollout decisions, and timestamp.
Billing data: plan tier, subscription status, and monthly active user (MAU) count used for billing. Payment card data is handled directly by Stripe and is never stored by DeployRamp.
Infrastructure logs: IP addresses, HTTP request metadata, and browser or client user agent, collected automatically when you access the dashboard or flag evaluation API.

2. How We Use Your Information

We use the data we collect for the following purposes:

Analyze pull request diffs via LLM to identify risky code changes and recommend feature flags.
Generate feature flag wrapper code and push commits to your PR branch via the DeployRamp coding agent.
Evaluate flags in real time and distribute flag state updates to SDKs via WebSocket.
Monitor error rates and user feedback ratings to make automated rollout decisions—including pausing, resuming, or rolling back a rollout.
Generate cleanup pull requests when rollouts reach 100% and remain stable, removing flag scaffolding from your codebase.
Send Slack notifications for rollout events (started, paused, completed, rolled back).
Enforce plan limits (developer count and MAU count) for billing purposes.
Collect feedback and roadmap votes via Productboard to prioritize product development based on customer input.
Respond to support requests and communicate with you about your account.

3. Data Sharing

We do not sell your personal information. We do not share data for advertising purposes. We share data only with the following third-party providers, as necessary to operate the service:

Clerk — authentication. Clerk receives your email and name to manage sign-in and session tokens.
Stripe — billing. Stripe receives your payment method and subscription details to process payments.
GitHub, GitLab, and Bitbucket — repository integration. The service pushes commits and opens pull requests on your behalf; these actions are visible to everyone with access to your repositories.
LLM providers — PR diff content is sent to LLM APIs for risk analysis and code generation. These providers operate under zero-retention and no-training agreements: they do not store your code or use it to train their models.
Google Cloud Platform — all data is hosted on GCP infrastructure in the United States. Enterprise customers may request EU or Australia data residency.
Productboard — product feedback and roadmap management. When you submit feedback or vote on roadmap items, your name, email address, and submission are shared with Productboard so we can track and prioritize customer requests. Productboard's use of this data is governed by their privacy policy at productboard.com.
Snov.io — email marketing and outreach. We use Snov.io to communicate with prospects prior to account creation. We do not share any data belonging to existing customers with Snov.io; only prospect contact information is stored there.
Slack — rollout notifications. When you connect a Slack workspace, DeployRamp sends rollout event notifications (including flag keys, project names, and rollout status) to your designated Slack channel. Only data necessary to describe the rollout event is included in these messages.
PostHog — product analytics. We use PostHog to understand how the dashboard is used (page views, feature usage, and events such as billing interactions). Your user ID, name, and email are associated with these events to help us improve the product.
Grafana Cloud — infrastructure monitoring. We send application metrics and logs to Grafana Cloud to monitor service health and diagnose incidents. This data contains operational telemetry only; no customer source code or personal data is included.

We may also disclose data as required by law or to protect our legal rights.

4. Data Security

We implement the following security measures to protect your data:

All data in transit is encrypted using TLS 1.2 or higher.
Data at rest is encrypted with AES-256 on Google Cloud SQL.
API keys are stored as secure one-way hashes; plaintext is never stored by DeployRamp after initial display.
GitLab and Bitbucket access tokens are stored encrypted at rest.
Pull request diff content is never written to persistent storage—it is processed in memory and discarded immediately after analysis.
Coding agent operations run in isolated sandboxed workers. Each worker handles a single operation and is torn down immediately after completion.
Access to production databases is restricted to authenticated application services and authorized personnel.

No method of transmission over the Internet is 100% secure. While we take these precautions, we cannot guarantee absolute security.

5. Data Retention and Deletion

We retain different categories of data for different periods:

Telemetry and operational data (error reports, flag evaluations, flag feedback ratings, audit logs, and Slack notification records) is automatically and permanently deleted after 90 days.
Pull request diff content is never retained: it is deleted immediately after AI analysis completes.
Webhook event payloads from GitHub, GitLab, or Bitbucket are processed and discarded; they are not stored beyond the processing window.
Core account data (organization details, project configuration, feature flag definitions, and API key hashes) is retained for as long as your account is active.
Project deletion: when you delete a project, all associated data (error reports, evaluations, feedback, audit logs, API keys) is permanently deleted immediately.
Account termination: upon account termination, your remaining data is permanently deleted.

You may request deletion of your account and all associated data at any time by emailing privacy@deployramp.com. We will fulfill deletion requests within 30 days. Some data may be retained for a limited period where required by law or for legitimate business purposes such as fraud prevention.

6. Google API Services User Data

DeployRamp’s use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Data Accessed

When you choose to sign in with Google, we access your Google account profile information including your name, email address, and profile picture via Google OAuth 2.0. We request only the minimum scopes necessary for authentication ( openid, email, profile).

Data Usage

Google user data is used solely to authenticate you and populate your DeployRamp account profile (display name and email address). We do not use Google user data for advertising, profiling, or any purpose unrelated to operating your DeployRamp account.

Data Sharing

We do not share Google user data with third parties except as necessary to operate the service (e.g., our authentication provider Clerk (clerk.com), which processes sign-in on our behalf under their own privacy policy). We do not sell Google user data. We do not allow third parties to use Google user data for their own purposes.

Data Storage and Protection

Google user data (name and email) is stored in our database hosted on Google Cloud Platform, encrypted at rest and in transit using TLS 1.2+. Access is restricted to authenticated application services and authorized personnel only.

Data Retention and Deletion

Google user data is retained for as long as your account is active. You may request deletion of your account and all associated Google user data at any time by emailing privacy@deployramp.com. Deletion requests are fulfilled within 30 days.

7. Cookies

We use cookies and similar technologies for the following purposes:

Authentication and session management: Clerk uses cookies to maintain your logged-in session on the DeployRamp dashboard.
Security: cookies are used to prevent cross-site request forgery (CSRF) attacks.
Analytics: we may use first-party analytics cookies to understand how users navigate the dashboard in aggregate. We do not use cookies for individual tracking or advertising.

You can control cookie settings through your browser preferences. Disabling cookies will prevent you from logging into the DeployRamp dashboard.

8. Your Rights

Depending on your jurisdiction, you may have the right to access, correct, delete, or port your personal data. Residents of the European Economic Area and the United Kingdom have specific rights under the GDPR and UK GDPR, including the right to object to or restrict certain processing. California residents have rights under the CCPA, including the right to know what personal data we collect and to request deletion.

To exercise any of these rights, please contact us at privacy@deployramp.com. We will respond within 30 days. Some rights may be limited where data has already been automatically deleted under our retention schedule, or where retention is required by law.

With respect to end-user data you send to DeployRamp via the SDK (flag evaluation events, error reports, user traits), DeployRamp acts as a data processor on your behalf. You, as our customer, are the data controller and are responsible for ensuring you have a legal basis to collect and transmit that data to DeployRamp.

9. Changes to This Policy

We may update this policy from time to time. We will notify you of material changes by posting the updated policy on this page, updating the “Last updated” date, and sending an email notification to your account's primary email address. Continued use of the service after a material change takes effect constitutes your acceptance of the updated policy.

10. Contact Us

For general privacy questions or to exercise your data rights, please contact us at privacy@deployramp.com. For formal legal inquiries, you may also contact us at legal@deployramp.com.