QualityPilot

Privacy Policy

Last updated: April 19, 2026

What data we collect

  • GitHub OAuth identity — your GitHub login, email address, and avatar URL. Collected when you sign in via GitHub OAuth.
  • Test failure data sent by reporters — test names, error messages, file paths, commit SHAs, and durations. Submitted by our open-source reporters (@qlens/jest-reporter, @qlens/playwright-reporter, @qlens/pytest-plugin) running in your CI.
  • Source code (auto-fix only) — when you explicitly request an auto-fix, we read the failing test file and the corresponding production file at the time of the failure. Read on-demand from GitHub, never indexed, never stored after the fix attempt completes.
  • Stripe customer data — handled by Stripe under their PCI-DSS compliance. We never see card numbers; we store only your Stripe customer ID and subscription status.

What we do with it

  • Reporter data is stored in Supabase (Postgres, encrypted at rest) and surfaced in your dashboard to power flakiness detection, trends, and the auto-fix queue.
  • Source code for auto-fix is sent to OpenAI (gpt-4o-mini) in a single API call to generate the fix. Per OpenAI's API terms, OpenAI does not train models on API data. After the fix attempt completes, the source code is discarded from our memory — only the proposed diff and the metadata are retained.
  • Email is sent only for opt-in channels (weekly digest, reactivation nudges, celebration moments). Per-channel toggles are available in your dashboard preferences.

Retention

  • Test runs: 90 days, then deleted.
  • Auto-fix proposals: retained indefinitely so you can refer back to fixes you have already shipped (or rejected).
  • User account: retained until you delete it.

What we don't do

  • We do not sell your data to anyone, ever.
  • We do not run ad targeting or build advertising profiles.
  • We do not share user profiles with third parties.
  • We do not train machine-learning models on your code, your test data, or your failure messages.

Subprocessors

  • Vercel — application hosting and edge network
  • Supabase — Postgres database (test runs, user accounts, subscriptions)
  • OpenAI — gpt-4o-mini API for auto-fix generation
  • Stripe — payment processing
  • Resend — transactional email
  • Cloudflare — DNS and CDN

GDPR / CCPA

  • Right to access: email support@qlens.dev and we will respond within 30 days with a copy of your data.
  • Right to delete: self-serve from your dashboard, or by emailing support@qlens.dev. Both routes are honored.
  • Data Processing Addendum (DPA): available on request for paid plans.

Cookies

  • NextAuth session cookie — required for sign-in. HttpOnly, SameSite, secure.
  • Optional referral cookie (qp_ref) — host-only, 30-day expiry, used to attribute referral signups to the right account.

Contact

Privacy questions: support@qlens.dev