Privacy Policy

1. Introduction

AI Agent Tester ("we", "us", or "our") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

This policy applies to all users of AI Agent Tester, regardless of location. We comply with GDPR (General Data Protection Regulation), CCPA (California Consumer Privacy Act), and other applicable privacy laws.

2. Information We Collect

2.1 Information You Provide Directly

• Account Information: Email address, full name (optional), avatar URL (optional)
• Organization Information: Organization name, slug, member roles and invitations
• Test Data: Test cases, test steps, test configurations, test results, and execution logs
• Environment Configurations: Environment variables and secrets (encrypted)
• Integration Data: Third-party service credentials (OAuth tokens for Jira, etc.)
• Communications: Support requests, feedback, and correspondence with us

2.2 Information Collected Automatically

• Usage Data: Pages visited, features used, time spent, click patterns
• Device Information: Browser type, operating system, device identifiers
• Log Data: IP address, timestamps, error logs, API requests
• Cookies and Similar Technologies: See our Cookie Policy

2.3 Information from Third Parties

• Authentication Provider (Supabase): Authentication status and user identifiers
• Jira Integration: Issue data, project information (when you connect your Jira account)
• Email Service Provider (Resend): Email delivery status

3. How We Use Your Information

We use your information for the following purposes:

3.1 Service Provision

• Create and manage your account
• Provide AI-powered testing and automation features
• Process and execute test runs
• Store and manage your test data and configurations
• Enable team collaboration and organization management
• Integrate with third-party services (Jira, etc.)

3.2 Service Improvement

• Analyze usage patterns to improve our Service
• Develop new features and functionality
• Train and improve AI models (using anonymized data only)
• Monitor and improve system performance and reliability

3.3 Communications

• Send transactional emails (password resets, invitations, test notifications)
• Provide customer support
• Send service updates and important notices
• Send marketing communications (with your consent, opt-out available)

3.4 Security and Compliance

• Detect, prevent, and address fraud and security issues
• Enforce our Terms of Service and policies
• Comply with legal obligations and protect legal rights

4. Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA), we process your personal data based on:

• Contract Performance: Processing necessary to provide the Service you requested
• Consent: Where you have given explicit consent (e.g., marketing communications)
• Legitimate Interests: For service improvement, security, and fraud prevention
• Legal Obligations: Compliance with applicable laws and regulations

5. Data Sharing and Disclosure

5.1 Third-Party Service Providers

We share data with trusted service providers who help us operate the Service:

• Supabase: Authentication, database hosting (see Supabase Privacy Policy)
• Google Cloud Platform: Infrastructure and task processing (see GCP Privacy Policy)
• Resend: Email delivery (see Resend Privacy Policy)
• OpenAI: AI-powered features (see OpenAI Privacy Policy)

5.2 Integrations You Enable

• Atlassian Jira: When you connect Jira, we share data necessary for the integration
• You control which integrations to enable and can disconnect them at any time

5.3 Organization Members

• Data you create within an organization is accessible to organization members based on their roles
• Organization owners and admins have access to all organization data

5.4 Legal Requirements

We may disclose your information if required by law or to:

• Comply with legal processes (subpoenas, court orders)
• Protect our rights, property, or safety
• Investigate fraud or security issues
• Enforce our Terms of Service

5.5 Business Transfers

If we are involved in a merger, acquisition, or sale of assets, your information may be transferred. We will notify you before your data is transferred and subject to a different privacy policy.

6. Data Security

We implement industry-standard security measures to protect your data:

• Encryption: Data encrypted in transit (TLS/SSL) and at rest (AES-256)
• Access Controls: Role-based access control (RBAC) and Row-Level Security (RLS)
• Authentication: Email-based OTP authentication via Supabase
• Secrets Management: Environment secrets encrypted before storage
• Regular Security Audits: Ongoing security assessments and updates
• Incident Response: Procedures for detecting and responding to security incidents

For more details, see our Security Policy.

7. Data Retention

We retain your data for as long as necessary to provide the Service and comply with legal obligations:

• Account Data: Retained while your account is active
• Test Data: Retained until you delete it or close your account
• Log Data: Typically retained for 90 days
• Backup Data: May be retained for up to 30 days in backups
• Legal Hold Data: Data subject to legal hold retained as required

After account deletion, we will delete or anonymize your data within 30 days, except where retention is required by law.

8. Your Privacy Rights

8.1 Rights for All Users

• Access: Request a copy of your personal data
• Correction: Update or correct inaccurate data
• Deletion: Request deletion of your account and data
• Export: Download your data in a portable format
• Opt-Out: Unsubscribe from marketing communications

8.2 Additional Rights for EEA Users (GDPR)

• Data Portability: Receive your data in a structured, machine-readable format
• Restriction: Request restriction of processing in certain circumstances
• Objection: Object to processing based on legitimate interests
• Withdraw Consent: Withdraw consent at any time (where processing is based on consent)
• Lodge Complaint: File a complaint with your local data protection authority

For users in the Netherlands, you may lodge a complaint with the Autoriteit Persoonsgegevens (Dutch Data Protection Authority):

8.3 Additional Rights for California Users (CCPA)

• Know: Request information about data collected, used, shared, or sold
• Delete: Request deletion of personal information
• Opt-Out: We do not sell personal information
• Non-Discrimination: We will not discriminate against you for exercising your rights

8.4 Exercising Your Rights

To exercise any of these rights, contact us at privacy@ai-agent-tester.com. We will respond within 30 days.

9. International Data Transfers

Your data may be transferred to and processed in countries other than your country of residence. We ensure appropriate safeguards are in place:

• Standard Contractual Clauses (SCCs) for transfers outside the EEA
• Adequacy decisions by the European Commission where applicable
• Compliance with GDPR requirements for international transfers

10. Children's Privacy

Our Service is not intended for users under the age of 16. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us immediately.

11. Do Not Track Signals

Some browsers support "Do Not Track" (DNT) signals. Our Service does not currently respond to DNT signals, as there is no industry standard for how to interpret them.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or through the Service. The "Last Updated" date at the top indicates when the policy was last revised.

Continued use of the Service after changes constitutes acceptance of the updated Privacy Policy.

13. Contact Us

For privacy-related questions, concerns, or to exercise your rights, contact us at:

14. Additional Resources

• Terms of Service
• Cookie Policy
• Data Processing Agreement
• Security Policy