Privacy Policy
Effective: 2026-05-26
This Privacy Policy describes how QAOnFire ("we", "us") collects, uses, and shares information when you install the QAOnFire GitHub App or subscribe to a paid plan ("the Service").
1. What we collect
| Category | Examples | When collected |
|---|---|---|
| GitHub installation data | installation ID, account login, account type (User/Organization), account ID | When you install the App |
| Pull request content | PR title, description, file diffs, contents of small files, your qabot.md | When a PR triggers a QA report |
| Usage records | which PRs were processed, token counts, comment IDs, error messages | Each time we run a job |
| Billing data | Stripe customer ID, subscription ID, plan, status | When you subscribe to a paid plan |
| Webhook metadata | IP address, user agent of incoming GitHub/Stripe webhooks | On each webhook delivery (transient, not stored long-term) |
We do not collect: payment card details (handled by Stripe directly), your full repository contents (only diffs and selected file contents at PR time), or any data unrelated to the PRs you submit for review.
2. How we use it
- Generate AI QA reports and post them as comments on your pull requests
- Enforce your monthly plan quota and bill you on paid plans
- Send transactional emails through Stripe (receipts, payment failures, cancellation confirmations)
- Debug failures and improve the Service
We do not sell your data, use it for advertising, or train any AI model on it.
3. Third-party processors
We send certain data to the following sub-processors to operate the Service:
| Processor | What it processes | Where |
|---|---|---|
| Anthropic (Claude API) | PR content, qabot.md, system prompts (the data needed to generate the QA report) | USA |
| Stripe | Subscription payment processing | USA / global |
| Railway | Compute, database, Redis (where all Service data is stored at rest) | Europe / USA depending on region |
| GitHub | Webhook delivery, PR comment posting (necessary to integrate with your repos) | USA |
| Cloudflare | DNS for our domain | Global |
Anthropic's API terms state that data submitted via API is not used to train their models. See their Commercial Terms.
4. Data retention
- PR content sent to Anthropic: not stored by us after the QA report is generated; subject to Anthropic's own retention (typically 30 days for abuse monitoring).
- Usage records (
pr_runstable): retained indefinitely for analytics, billing reconciliation, and quota enforcement. - Installation records: retained until you uninstall the GitHub App, then retained for 90 days for accounting purposes.
- Stripe data: retained per Stripe's policy for tax and compliance reasons (typically 7 years).
5. Your rights
Depending on your jurisdiction (e.g., under GDPR if you are in the EU, or under CCPA if you are in California), you may have the right to:
- Access the personal data we hold about you
- Correct inaccurate data
- Delete your data ("right to be forgotten")
- Export your data in a portable format
- Object to processing or restrict it
- Lodge a complaint with a data protection authority
To exercise any of these rights, email hello@qaonfire.dev. We'll respond within 30 days. Note that deleting your installation data will terminate the Service for your account.
6. Security
We follow standard practices to protect your data:
- HTTPS-only access to all Service endpoints (HSTS-preloaded
.devTLD) - HMAC signature verification on all incoming webhooks (GitHub and Stripe)
- Encrypted database connections (TLS to Postgres and Redis)
- Secrets stored as environment variables, never in source code or logs
- Production access limited to the founders
No system is perfectly secure. If you discover a vulnerability, please report it to hello@qaonfire.dev.
7. Children
QAOnFire is not directed at children under 16. We do not knowingly collect data from anyone under 16.
8. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be announced via email to active subscribers or by a notice in QAOnFire output. The "Effective" date at the top of this page reflects the latest version.
9. Contact
Questions about this policy or your data: hello@qaonfire.dev