Privacy Policy
Last updated: February 28, 2026
This Privacy Policy explains how OctoWatch ("we", "us", or "our") collects, uses, stores, and protects information when you use our platform ("Service"). We are committed to protecting your privacy and handling your data with transparency.
1. Information We Collect
1.1 Account Information
When you register for the Service, we collect:
- Username and email address
- Hashed password (we never store plaintext passwords)
- Two-factor authentication configuration
- Organization membership and role assignments
1.2 Usage Data
We automatically collect information about your interactions with the Service, including:
- IP addresses and approximate geolocation
- Browser type and operating system
- Pages visited, features used, and actions taken
- Timestamps of access and session duration
1.3 Audit Logs
For security and compliance, we log security-sensitive actions such as login attempts, account changes, watchlist modifications, and API key usage. These logs include user ID, IP address, action type, and timestamp.
1.4 GitHub Data
The Service processes publicly available data from GitHub, including user profiles, follower/following relationships, repository metadata, and commit information. This data is sourced from GitHub's public API and public-facing pages. We do not access private repositories or non-public GitHub data.
2. How We Use Your Information
We use collected information for the following purposes:
| Purpose | Data Used |
|---|---|
| Providing the Service | Account info, GitHub data |
| Authentication & security | Credentials, 2FA config, IP addresses |
| Audit & compliance | Audit logs, usage data |
| Service improvement | Aggregated usage data |
| Customer support | Account info, usage data |
| Legal compliance | All data as required by law |
3. Data Storage and Security
We implement appropriate technical and organizational measures to protect your data, including:
- Encryption of data in transit (TLS/HTTPS)
- Encrypted database storage
- Role-based access controls with organization-level isolation
- Regular security reviews and monitoring
- Scoped API keys with configurable permissions and expiry
Your data is stored in secure infrastructure. Each organization's data is logically separated through our multi-tenant architecture, ensuring that one organization cannot access another's data.
4. Data Sharing
We do not sell your personal information. We may share data only in the following circumstances:
- Within your organization: Team members with appropriate roles can view shared watchlists, investigation data, and audit logs within your organization's scope.
- Service providers: We may use third-party providers for infrastructure hosting and email delivery. These providers are contractually bound to protect your data.
- Legal requirements: We may disclose data when required by law, regulation, legal process, or enforceable governmental request.
- Business transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred as part of the transaction.
5. Data Retention
We retain your data for as long as your account is active or as needed to provide the Service. Specifically:
- Account data: Retained until account deletion is requested
- Audit logs: Retained for a minimum of 12 months for compliance purposes
- Cached GitHub data: Refreshed periodically and may be purged when no longer associated with active investigations
- Usage analytics: Aggregated data may be retained indefinitely; individual records are purged after 24 months
6. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you
- Correction: Request correction of inaccurate or incomplete data
- Deletion: Request deletion of your personal data, subject to legal retention requirements
- Portability: Request your data in a structured, machine-readable format
- Objection: Object to certain processing of your personal data
- Restriction: Request restriction of processing in certain circumstances
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.
7. Cookies and Tracking
The Service uses essential cookies for authentication and session management. We do not use third-party advertising or tracking cookies. Session cookies are deleted when you close your browser or when your session expires.
8. International Data Transfers
If you access the Service from outside the jurisdiction where our servers are located, your data may be transferred across international borders. We ensure appropriate safeguards are in place for such transfers in compliance with applicable data protection laws.
9. Children's Privacy
The Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child, we will take steps to delete that information.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on the Service and updating the "Last updated" date. We encourage you to review this policy periodically.
11. Contact Us
If you have questions or concerns about this Privacy Policy or our data practices, please contact us at: