Version 1.18 · effective 2026-07-09
ADO Pilot Privacy Policy
Last Updated: 2026-07-09
Effective Date: 2026-07-09
1. Introduction
Welcome to ADO Pilot ("we," "us," "our"). ADO Pilot provides AI-powered pull request review services for Azure DevOps ("Service"). We are committed to protecting your privacy and being transparent about how we handle your data.
This Privacy Policy explains:
- What data we collect and why
- How we process your source code
- Your rights and choices
- How we protect your information
Company Information:
- Legal Name: Glenn Technology LLC
- Address: 9039 Cross Park Dr, Ste 30268, Knoxville, Tennessee 37923, United States
- Privacy Contact: privacy@adopilot.dev
- Data Protection Officer: dpo@adopilot.dev
By using ADO Pilot, you agree to this Privacy Policy. If you don't agree, please don't use our Service.
Our Role Under Data Protection Law
Under GDPR and similar data protection laws, our role depends on the type of data:
- Account, billing, and usage data: We act as the data controller. We decide why and how this data (your account details, subscription and billing records, and aggregate usage metrics) is processed.
- Personal data in your source code and pull requests: We act as a data processor on your behalf. You (or your organization) are the data controller, and we process this data only to provide the review Service under your instructions.
For the personal data we process as your processor, our obligations are governed by a Data Processing Addendum (DPA), available on request from dpo@adopilot.dev.
2. What Data We Collect
We collect only the data necessary to provide and improve our Service.
2.1 Azure DevOps User Information
When you install and use ADO Pilot, we collect:
User Identity Data:
- Email address
- Display name
- Azure DevOps user ID
- Organization/project identifiers
Azure DevOps Metadata:
- Repository names and URLs
- Pull request metadata (PR number, title, author, creation date)
- Branch names
- Commit SHAs
Why we collect this: To authenticate users, associate reviews with the correct pull requests, and deliver review comments back to Azure DevOps.
How we receive it: We receive this identity information directly from Microsoft during authenticated interactions with our Service and our Azure DevOps extension — for example, when you sign in to our portal using your Microsoft account (via Microsoft Entra ID), or when the extension takes an action on your behalf (such as manually triggering a review) using a short-lived, delegated access token that Microsoft issues to identify you. We use this identity information to authenticate you and authorize the specific action you request; where you install the extension into an organization that hasn't yet signed up for ADO Pilot, we also use the associated sign-in email for the installation outreach described in Section 2.5.
Legal basis (GDPR): Performance of contract (we need this to provide the Service you've subscribed to).
2.2 Source Code
What we process:
- Pull request diffs (changed files and line-by-line differences)
- File contents relevant to the pull request
- Commit messages and SHAs
Code Retention: Your source code is not retained on our systems after a review. Our AI provider (Anthropic) retains API inputs for a limited period — up to approximately 30 days — to operate the service and does not use them for training (see Section 4). We'll work with qualifying Enterprise customers to arrange a Zero Data Retention (ZDR) configuration under which neither we nor our subprocessors (including our AI provider) will retain your data at rest — contact sales@adopilot.dev to discuss your requirements.
No training: We will not use your source code to train AI models.
Legal basis (GDPR): Performance of contract (processing code is essential to providing AI PR reviews).
2.3 Usage Data and Analytics
We collect aggregated usage data to improve the Service:
Service Usage:
- Number of reviews performed
- Review duration and performance metrics
- Feature usage statistics
- Error logs and diagnostic information
Technical Data:
- Browser type and version
- Operating system
- IP address (for security and analytics)
- Time zone and language preferences
What we DON'T collect: We don't sell your personal information or build advertising/behavioral profiles. Our product analytics use a privacy-protective Google Analytics 4 configuration with advertising features off (see Section 10). Separately, if you arrive from a paid ad campaign (currently: Reddit Ads) and later sign up, we send Reddit a server-side signal — a Reddit-issued click identifier plus the fact that a signup occurred — so Reddit can measure and optimize that campaign; no client-side ad script or pixel of any ad network ever runs in your browser, and no name, email, or source code is ever sent. This only happens if you haven't opted out of Advertising (see Section 10).
Legal basis (GDPR): Legitimate interest (improving service quality and security).
2.4 Billing and Payment Information
If you subscribe to a paid plan:
Billing Data:
- Subscription tier and status
- Usage-based billing metrics
- Invoice history
Payment Information:
- For Azure Marketplace purchases: Microsoft handles payment processing. We only receive confirmation of your subscription status.
- For direct billing: Payment processing is handled by third-party payment processors. We never store credit card numbers directly.
Legal basis (GDPR): Performance of contract and legal obligation (tax and accounting compliance).
2.5 Communications Data
If you contact us or opt in to marketing:
- Public support form submissions — if you submit a request at app.adopilot.dev/support (no account required), we collect your name, email address, subject, category, and the description you provide. We also collect your IP address and browser user-agent to operate the Cloudflare Turnstile bot-detection widget that protects the form. This data is used solely to respond to your inquiry.
- Email correspondence with support
- Feedback and survey responses
- Marketing communication preferences
- Installation outreach — if you install the extension into an Azure DevOps organization that has not yet signed up for ADO Pilot, we use the sign-in email address associated with that installation to send a "getting started" email explaining how to complete setup, resent at most once every 30 days for as long as the organization remains unregistered. You can unsubscribe at any time via the link in that email, after which we will not email that address again for this purpose.
- Pre-signup convenience data — if you install the extension, or select a "Sign up" action inside the extension (in the Settings page or the pull-request action menu), before your organization has an ADO Pilot account, we briefly store the Azure DevOps sign-in email address and organization identifier associated with that action so we can pre-fill the signup form for you when you follow the link. This data is held in a short-lived store, is automatically deleted after 30 days regardless of whether you ever sign up, and is used only to make signing up faster — never to create an account on your behalf or to contact you beyond the installation-outreach email described above.
Legal basis (GDPR): Legitimate interest (for support communications, including the public form; for the installation outreach email above — our interest in helping an installer complete setup, balanced against the narrow, capped-frequency, easily-declined nature of the email; and for the pre-signup convenience data above — our interest in reducing signup friction, balanced against the short 30-day retention and the fact that the data is never used to contact you) and consent (for marketing).
3. How We Use Your Data
We use your data only for the following purposes:
3.1 To Provide the Service
- Authenticate users and organizations
- Fetch pull request data from Azure DevOps
- Perform AI-powered code reviews
- Post review comments and status checks back to Azure DevOps
- Manage subscriptions and billing
3.2 To Improve the Service
- Analyze aggregate usage patterns to identify bugs and performance issues
- Develop new features based on how customers use the Service
- Create anonymized benchmarks (e.g., "average review time across all customers")
Note: We never share customer-specific data or use individual customer data for marketing. All research and benchmarking uses anonymized, aggregate data only.
3.3 To Communicate With You
- Send transactional emails (review completed, errors, subscription changes, and account-security notices such as email-change alerts, sign-in links, and two-factor-authentication changes)
- Provide customer support
- Send product updates and feature announcements (you can opt out)
- If you install the extension before creating an account, send a "getting started" email to the installation's sign-in email address, resent at most once every 30 days while the organization stays unregistered (you can opt out via the link in that email)
- Respond to legal requests or enforce our Terms of Service
3.4 For Security and Compliance
- Detect and prevent fraud, abuse, and security incidents
- Comply with legal obligations (tax laws, data breach notifications, court orders)
- Enforce our Terms of Service
We will NEVER:
- Sell your data to third parties
- Use your source code to train AI models
- Share your code with anyone except our AI provider for the sole purpose of performing reviews
- Build advertising or behavioral profiles from your data, or use your product usage, account, or source-code data for advertising
One narrow exception: if you convert from a paid ad campaign and haven't opted out of Advertising, we send the ad network (currently: Reddit Ads) a bare "this ad click led to a signup" signal — see Section 2.3 and Section 5.5. No source code, name, or email is ever included, and no client-side ad script ever runs in your browser.
4. How We Handle Your Source Code
Your source code is your most sensitive asset. Here's exactly how we handle it:
4.1 How We Handle Source Code
We do not retain your raw source code on our systems after a review. Here is the full picture, including our AI provider:
Fetch: When a PR is created/updated in Azure DevOps, our Service receives a webhook notification and fetches the PR diff from Azure DevOps using your organization's credentials.
Process: The code diff is sent to Anthropic's Claude API for AI-powered analysis. Anthropic retains API inputs and outputs for a limited period — up to approximately 29 days for the Message Batches API and up to approximately 30 days for the synchronous Messages API — to operate and secure the API, after which they are deleted. Anthropic does not use your code to train its models.
Delete: Once the review is complete and posted back to Azure DevOps, the code diff is purged from our systems. We do not cache code, store it "for performance," or retain it "for troubleshooting." If we need to re-review a PR, we fetch it fresh from Azure DevOps.
Processing duration on our systems: Code exists in our systems for only the time required to perform the review (typically seconds to minutes).
Review results: The review comments, findings, and summaries we generate (which are derived from, but are not, your source code) are stored in your account so you can view your review history. They remain until you delete them or your account (see Section 7).
Zero Data Retention (Enterprise): We'll work with qualifying Enterprise customers to arrange a Zero Data Retention (ZDR) configuration under which neither we nor our subprocessors (including our AI provider) will retain your data at rest. Contact sales@adopilot.dev to discuss your requirements.
4.2 Security Measures for Code in Transit
While your code is being processed:
- Encryption in transit: All data is transmitted over TLS 1.2+ (HTTPS)
- Encryption at rest: If code touches disk (unlikely due to streaming), it's encrypted using Azure-managed keys
- Memory isolation: Code processing happens in isolated, ephemeral compute environments
- No logging: Source code is never written to application logs
4.3 No AI Model Training
We do not, and will not, use your private source code to train AI models. This applies to:
- Our own potential future models
- Anthropic's models (Anthropic has contractual commitments to not train on customer data)
- Any third-party AI providers we may use
Note: If you make a repository public, Anthropic or other AI providers may include public code in their general training datasets (like GitHub Copilot does). This Privacy Policy applies only to private code processed through ADO Pilot.
5. Third-Party Service Providers (Subprocessors)
We share data with the following third-party service providers who help us deliver the Service:
5.1 Anthropic, PBC (AI Provider)
What they do: Provide the AI models (Claude) that power our code reviews.
What data we share: Pull request diffs and file contents necessary for code review.
Data retention by Anthropic:
- Limited retention: Anthropic retains API inputs and outputs for a limited period — up to approximately 29 days for the Message Batches API and up to approximately 30 days for the synchronous Messages API — to operate and secure the API, after which they are deleted. See Anthropic's Commercial Terms.
- No training: Anthropic does not use your data to train their AI models.
- Zero Data Retention: We'll work with qualifying Enterprise customers to arrange a Zero Data Retention (ZDR) configuration under which neither we nor our subprocessors (including Anthropic) will retain your data at rest. Contact sales@adopilot.dev to discuss your requirements.
Data location: Anthropic processes data in the United States. For EU customers, data transfer is protected by Standard Contractual Clauses (SCCs) as required by GDPR.
Learn more:
5.2 Microsoft Azure (Infrastructure Provider)
What they do: Provide cloud infrastructure (compute, storage, networking) for ADO Pilot.
What data they process:
- All data described in this Privacy Policy is hosted on Microsoft Azure
- Azure provides infrastructure security, encryption, and compliance certifications
Data location: United States (may expand to other regions in the future).
Security: Azure provides SOC 2 Type II, ISO 27001, and other security certifications. See Azure Trust Center.
5.3 Microsoft Azure DevOps
What they do: Provide the Azure DevOps platform where your code is hosted.
Data flow: We fetch code from Azure DevOps using your organization's authorized credentials and post review comments back to Azure DevOps. We do not send your code to Microsoft (it's already there). Separately, when you sign in to our portal using your Microsoft account or take an action through the browser extension (such as manually triggering a review), Microsoft also provides us your identity information via a sign-in credential or delegated access token — see Section 2.1 for how we use it.
5.4 Payment Processors (if applicable)
If we offer direct billing (separate from Azure Marketplace):
- Payment processor: Stripe, Inc.
- What they process: Payment information (credit card, billing address)
- Data retention: Governed by the payment processor's privacy policy
Note: We never store credit card numbers directly.
5.5 Other Service Providers
We currently use the following additional service providers:
- Transactional email: Twilio Inc. (SendGrid) — delivers account and notification emails (recipient email address and message content).
- Service telemetry: Microsoft Azure Application Insights — operational telemetry from our servers and, on a best-effort basis, from the Azure DevOps browser extension (error/diagnostic messages and request timing; never your credentials, tokens, or source code).
- Product analytics: Google LLC (Google Analytics 4) — first-party usage analytics on our websites (a pseudonymous client identifier and page/event data). Configured with advertising features and Google Signals off; no personal information (such as name or email) is sent to Google. In the EEA, the UK, and Switzerland we set analytics cookies only with your prior consent (opt-in); elsewhere you can opt out at any time. Use "Your Privacy Choices" (Section 10) or a Global Privacy Control signal.
- Ad conversion measurement: Reddit, Inc. — if you arrive at our site from a Reddit ad and later sign up, we send Reddit a server-side signup-conversion signal: a Reddit-issued click identifier and the fact that a signup occurred. No client-side Reddit script, pixel, or cookie is ever loaded in your browser, and no name, email, or source code is sent to Reddit. Sent only when you haven't opted out of Advertising. In the EEA, the UK, and Switzerland this is off unless you opt in; elsewhere you can opt out at any time via "Your Privacy Choices" (Section 10) or a Global Privacy Control signal.
- Customer support ticketing: Atlassian, Inc. (Jira Service Management) — routes and stores support ticket content (requester name, email address, subject, and description) for support-request tracking and response. Atlassian does not receive your source code or pull-request data. (The request category you select is retained only in our own records, not sent to Atlassian.)
- Bot and abuse protection: Cloudflare, Inc. (Turnstile) — performs a bot-detection check on requests submitted via the public support form at app.adopilot.dev/support, using your IP address and browser characteristics. Cloudflare does not receive your account data or source code. Cloudflare processes these signals as our processor to run the check, but its own Turnstile Privacy Policy (linked above) states it also acts as an independent controller of the same signals to improve Turnstile's bot detection across its network — a use that is Cloudflare's own, not one we direct.
We will update this list if we add further providers. Subprocessor list: A complete and current list of subprocessors is available on request from dpo@adopilot.dev. We will notify customers 30 days before adding new subprocessors that process customer code. The Atlassian and Cloudflare entries above process support-requester contact data only — not customer source code — so the customer-code notification commitment does not apply to them.
6. Data Storage and Security
6.1 Where We Store Data
Primary data location: United States (Microsoft Azure US regions)
Source code: Not retained on our systems after a review (see Section 4)
Other data (accounts, billing, analytics): Stored in Azure US regions with encryption at rest.
Future expansion: We may offer data residency options (EU, Asia-Pacific) in the future. If you have specific data residency requirements, contact us at privacy@adopilot.dev.
6.2 Security Measures
We implement appropriate technical and organizational security measures to protect your data:
Technical measures:
- Encryption at rest: All data encrypted using AES-256 via Azure Storage Service Encryption
- Encryption in transit: TLS 1.2+ for all network communication
- Access control: Role-based access control (RBAC) and Azure AD managed identities
- Secret management: All credentials and API keys stored in Azure Key Vault
- Network isolation: Services run in isolated virtual networks with minimal internet exposure
Organizational measures:
- Least privilege: Employees have access only to data necessary for their role
- Security training: All team members receive security awareness training
- Incident response plan: We have procedures to detect, respond to, and recover from security incidents
We maintain a written information security program informed by recognized frameworks such as the NIST Privacy Framework.
Limitations: No security is perfect. While we take reasonable precautions, we cannot guarantee absolute security. You use the Service at your own risk.
6.3 Security Certifications
Current status (MVP): Relying on Azure's security certifications and best practices.
Penetration testing: We plan to conduct annual third-party security audits.
Enterprise customers: If you require specific certifications, contact us to discuss timing and requirements.
7. Data Retention and Deletion
7.1 Source Code
As described in Section 4, we do not retain your raw source code on our systems after a review. Our AI provider retains API inputs for a limited period (up to approximately 30 days) and does not train on them. Review comments, findings, and summaries we generate are stored in your account until you delete them or your account.
7.2 User Account Data
While your account is active: We retain your account data (email, name, organization ID, subscription info) indefinitely to provide continuous service.
After account deletion: We delete your account data from our active systems within 30 days of a deletion request, except as noted below. Residual copies may persist in encrypted backups for up to a further 30 days before they are fully erased.
7.3 Billing Records
Retention period: 7 years from the end of the fiscal year in which the transaction occurred.
Why: Required for tax compliance (IRS), accounting audits, and dispute resolution.
What's retained: Invoice data, subscription history, payment records. No source code or review content.
7.4 Usage Analytics
Aggregate data: Anonymized usage statistics (e.g., "total reviews performed this month") are retained indefinitely for business analytics.
Customer-specific data: Deleted within 30 days of account deletion.
7.5 Legal Holds
If we receive a valid legal request (court order, subpoena), we may be required to retain data beyond normal retention periods. We will notify you if legally permitted.
7.6 Review Results and History
The review comments, findings, and summaries the Service generates (which are derived from, but are not, your source code) are stored in your account so you can view your review history. They are retained until you delete them or your account, at which point they are removed on the schedule in Section 7.2. While your account is active, these review results are not subject to a fixed expiry.
7.7 Pre-Signup Prefill Data
As described in Section 2.5 ("Pre-signup convenience data"), if you install the extension or click a "Sign up" action before your organization has an account, we briefly store your sign-in email and organization identifiers to pre-fill the signup form. This data is automatically deleted after 30 days, whether or not you complete signup — there is no separate deletion request needed, and no residual backup copy (this store is never backed up).
8. Your Rights and Choices
Depending on your location, you may have specific rights regarding your personal data.
8.1 GDPR Rights (European Economic Area, UK, Switzerland)
If you're in the EU/EEA, UK, or Switzerland, you have the following rights:
Right to access: Request a copy of all personal data we hold about you.
Right to rectification: Correct inaccurate or incomplete data.
Right to erasure ("right to be forgotten"): Request deletion of your data (subject to legal retention requirements like billing records).
Right to restriction of processing: Ask us to stop processing your data in certain circumstances.
Right to data portability: Receive your data in a machine-readable format (JSON) and transfer it to another service.
Right to object: Object to processing based on legitimate interests (e.g., marketing).
Right to withdraw consent: Withdraw consent for processing that requires it (e.g., marketing emails).
Right to lodge a complaint: File a complaint with your local data protection authority.
How to exercise rights: Email us at dpo@adopilot.dev. We will respond within 30 days (or 60 days for complex requests, with explanation).
8.2 CCPA Rights (California Residents)
If you're a California resident, you have the following rights:
Right to know: Request disclosure of what personal information we collect, use, disclose, and sell.
Right to delete: Request deletion of your personal data (subject to exceptions).
Right to correct: Request that we correct inaccurate personal information we maintain about you. We will use commercially reasonable efforts to correct it as directed, taking into account the nature of the information and the purposes of processing.
Right to opt-out of sale or sharing: We do NOT sell personal information. We do share a limited signal with an advertising network (currently Reddit Ads) for cross-context behavioral advertising — see Section 5.5 — but only when you haven't opted out. You can opt out of this sharing at any time via the "Your Privacy Choices" control's Advertising toggle (Section 10.2), and we honor Global Privacy Control (GPC) signals by disabling both Advertising and Analytics.
Right to non-discrimination: We will not discriminate against you for exercising your CCPA rights.
How to exercise rights: Email us at privacy@adopilot.dev. We will respond within 45 days.
Verification: We may ask for additional information to verify your identity before processing requests.
8.3 Rights for All Users (Regardless of Location)
Even if you're not covered by GDPR or CCPA, we offer these rights to all users:
Access your data: Request a copy of your account data and usage history.
Correct your data: Update your sign-in email via your account settings; to correct your name or other account information, contact support.
Delete your account: You can delete your account at any time by contacting support. We will delete your data within 30 days (except billing records retained for 7 years).
Opt out of marketing: Unsubscribe from marketing emails via the link in any email or by contacting privacy@adopilot.dev.
Export your data: Email dpo@adopilot.dev to request an export of your account data, review history, and usage data. We will provide it in a machine-readable format (JSON). Exports are prepared by our team rather than through a self-service download.
Scope and how we handle requests: ADO Pilot is a business-to-business service. Account deletion removes your organization's data from our active systems (see Section 7). For a request about a specific individual's personal data within an organization, we act on the organization's behalf as a data processor — email dpo@adopilot.dev and we will action it. Data-subject requests are handled by our team rather than through a self-service interface.
9. International Data Transfers
ADO Pilot is based in the United States, and your data is primarily stored in US data centers (Microsoft Azure).
9.1 Transfers Outside Your Country
If you're located outside the United States, your data will be transferred to and processed in the United States.
For EU/EEA users:
- Legal mechanism: We rely on Standard Contractual Clauses (SCCs) approved by the European Commission for data transfers to the United States.
- Anthropic data transfers: When we send your code to Anthropic (US-based), this transfer is also protected by SCCs included in our agreement with Anthropic.
- Adequacy: While the EU-US Data Privacy Framework is in place, we use SCCs as an additional safeguard.
For UK users:
- Legal mechanism: UK International Data Transfer Agreement (IDTA) or SCCs approved by the UK Information Commissioner's Office (ICO).
For other regions: We use appropriate safeguards consistent with local data protection laws.
9.2 Your Consent
By using ADO Pilot, you consent to the transfer of your data to the United States and processing as described in this Privacy Policy.
If you do not consent, please do not use the Service. In the future, we may offer data residency options (EU hosting, for example) to address this concern.
10. Cookies and Tracking Technologies
10.1 What We Use
Strictly necessary cookies: We use a session cookie to authenticate users and maintain login state. This is required for the Service to function.
Analytics: We use Google Analytics 4 (GA4) to understand how our public websites are used (for example, which pages and features are visited) so we can improve them. GA4 sets first-party analytics cookies (such as _ga and _ga_*) in your browser and assigns a pseudonymous identifier. We also collect operational telemetry via Azure Application Insights — from our servers, and, on a best-effort basis, from the Azure DevOps browser extension (see Section 5.5) — using neither cookies nor local storage in the extension, so this collection is not gated by the cookie-consent choices below. Our GA4 configuration is privacy-protective: advertising features and Google Signals are turned off, IP addresses are not stored by GA4, and we never send personal information (such as your name or email) to Google. Analytics is region-aware (see Section 10.2): in the European Economic Area (EEA), the United Kingdom, and Switzerland it is off by default and runs only if you opt in; elsewhere (including the United States) it is on by default and you can opt out at any time. We honor Global Privacy Control in every region.
Advertising: If you arrive at our site by clicking a paid ad (currently: Reddit Ads) and later sign up, we capture the ad network's click identifier from the destination URL using our own first-party code — no ad network's script or pixel ever loads in your browser — and store it in a first-party cookie of ours so it survives until you convert. If and when you sign up, we send that click identifier and the fact of the signup to the ad network as a server-side conversion signal, so it can measure and optimize the campaign. Advertising is region-aware, the same as analytics: off by default in the EEA, the UK, and Switzerland unless you opt in; on by default elsewhere, with an opt-out available at any time.
What we DON'T use:
- No third-party advertising script or pixel ever runs in your browser
- No cross-site tracking of your browsing beyond the single ad-click-to-signup conversion signal described above (and in Section 8.2)
- No behavioral profiling for marketing beyond that same bare conversion signal
10.2 Your Choices
Cookie management: You can block cookies in your browser settings. Note that blocking strictly necessary cookies will prevent you from using the Service.
Your choices ("Your Privacy Choices"): We offer two independent categories — Analytics and Advertising — each on or off by default depending on your region. In the EEA, the UK, and Switzerland, both are off until you opt in. Everywhere else (including the United States), both are on by default and you can opt out of either independently. Use the "Your Privacy Choices" control — in the footer of our marketing site, and in the corner of the onboarding app — to change your choice for either category. It opens a preference center where you can enable or disable each one; your choice is remembered on your browser and applies across our adopilot.dev sites.
Global Privacy Control (GPC): We honor the Global Privacy Control signal. If your browser or extension sends a GPC signal, we automatically disable both Analytics and Advertising for that browser — you don't need to do anything else.
Sale or sharing: We do not sell your personal information. We do share a limited advertising-conversion signal as described above when you haven't opted out — see Section 8.2 for how to exercise your CCPA/CPRA right to opt out of that sharing. We use Google Analytics only as a service provider/processor for our own first-party analytics, configured with advertising features off.
Do Not Track: Browsers vary in how they send Do Not Track (DNT), and there is no industry-standard response, so we do not rely on DNT. Instead, we honor the Global Privacy Control (GPC) signal and provide the "Your Privacy Choices" control to disable analytics and advertising cookies (see Section 10.2).
11. Data Breach Notification
11.1 Our Commitment
We take data security seriously. In the event of a data breach that affects your personal data, we will respond as follows. Our specific notification obligations depend on our role for the affected data (see "Our Role Under Data Protection Law" above):
Investigation:
- Internal detection: Upon becoming aware of a suspected breach, we will promptly investigate and work to confirm the nature and scope of the incident without undue delay.
Notification:
- Where we are the data controller (account and billing data): Where the breach affects data for which we are the controller, and notification is required, we will notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, as required by GDPR Article 33(1). We will notify affected individuals where the breach is likely to result in a high risk to their rights and freedoms.
- Where we are a data processor (source code and pull request data): Where the breach affects personal data that we process on a customer's behalf, we will notify the affected customer (the controller) without undue delay after becoming aware of it, so that the customer can meet its own notification obligations. As your processor we do not notify supervisory authorities or your users directly on your behalf unless agreed in our Data Processing Addendum.
- Customer notification (general): We will notify affected customers without undue delay after becoming aware of a confirmed breach affecting their data.
What we'll tell you:
- Nature of the breach (what data was affected)
- Likely consequences
- Measures we've taken to address the breach
- Recommended actions for you to take (e.g., change passwords)
11.2 Legal Compliance
We comply with the data breach notification laws applicable to our Service, including:
- Tennessee: Tennessee's data breach notification statute (Tenn. Code Ann. § 47-18-2107), part of the Tennessee Identity Theft Deterrence Act within the Tennessee Consumer Protection Act. We notify affected Tennessee residents no later than 45 days after discovery of a breach (subject to legitimate law-enforcement delay). Notification is not triggered by the unauthorized acquisition of encrypted information unless the encryption key or process is also acquired.
- GDPR: 72-hour notification to supervisory authority and affected individuals
- CCPA: Notice to California Attorney General if 500+ CA residents affected
- Other applicable laws: We also comply with all other data breach notification laws that apply to us, including other U.S. state laws.
11.3 Your Responsibility
If you suspect unauthorized access to your account, immediately:
- Change your Azure DevOps credentials
- Revoke ADO Pilot's access in Azure DevOps settings
- Contact us at security@adopilot.dev
12. Children's Privacy
ADO Pilot is a B2B service not directed at minors. You must be at least 16 years old to use the Service (see Terms of Service, Section 3.2). We do not knowingly collect personal information from anyone under 16. If you believe a minor has provided us with personal information, contact privacy@adopilot.dev and we will delete it.
13. Changes to This Privacy Policy
13.1 How We Update
We may update this Privacy Policy from time to time to reflect:
- Changes to the Service or features
- New legal requirements
- Feedback from customers
- Changes in our data practices
13.2 Notice of Changes
Material changes: If we make material changes that significantly affect your rights or how we use data, we will:
- Email you at your registered email address at least 30 days before the changes take effect
- Display a prominent notice in the ADO Pilot web app
- Update the "Last Updated" date at the top of this policy
Non-material changes: For minor updates (typos, clarifications, adding examples), we will update the policy without advance notice.
13.3 Your Acceptance
By continuing to use ADO Pilot after changes take effect, you accept the updated Privacy Policy. If you don't agree with the changes, you must stop using the Service and delete your account.
Version history: We maintain a version history of this Privacy Policy; prior versions are available on request.
14. Contact Us
14.1 Privacy Questions
For questions, concerns, or requests related to this Privacy Policy:
Email: privacy@adopilot.dev
Data Protection Officer: dpo@adopilot.dev
Mail: Glenn Technology LLC 9039 Cross Park Dr, Ste 30268 Knoxville, Tennessee 37923 United States
14.2 GDPR Representative (EU)
If we process significant amounts of EU data in the future, we may appoint an EU representative as required by GDPR Article 27. Contact details will be provided here.
14.3 Response Time
We aim to respond to all privacy inquiries within:
- GDPR requests: 30 days (or 60 days for complex requests)
- CCPA requests: 45 days
15. Legal and Compliance
15.1 Governing Law
This Privacy Policy is governed by the laws of the State of Tennessee and the United States, without regard to conflict of law principles.
Jurisdiction: Any disputes relating to this Privacy Policy shall be subject to the exclusive jurisdiction of the courts located in Tennessee.
15.2 Compliance
We design our practices to align with applicable data protection laws, including:
- Tennessee state data protection laws
- FTC Act (unfair and deceptive practices)
- GDPR (for EU users, where it applies)
- CCPA (for California residents, where applicable)
We hold no third-party certifications at this time and rely on Microsoft Azure's certifications for the underlying infrastructure (see Section 5.2).
15.3 Regulatory Authorities
For EU users: You have the right to lodge a complaint with your local data protection authority. Find your authority at https://edpb.europa.eu/about-edpb/board/members_en.
For California users: California Privacy Protection Agency (CPPA) - https://cppa.ca.gov/
For Tennessee users: Tennessee does not have a dedicated data protection authority. Contact us directly or file a complaint with the Tennessee Attorney General's Office.
Appendix: Data Processing Summary (GDPR Article 30)
For EU customers, here's a summary of our data processing activities:
| Data Category | Purpose | Legal Basis | Retention | Recipient(s) |
|---|---|---|---|---|
| Azure DevOps user info (email, name, org ID) | Authentication, service delivery | Performance of contract | Active account: indefinite; Deleted: within 30 days | Microsoft Azure |
| Source code (PR diffs) | AI code review | Performance of contract | Not retained on our systems; Anthropic retains up to ~30 days | Anthropic only |
| Review results (comments, findings, summaries) | Provide review history | Performance of contract | Until you delete them or your account | Microsoft Azure |
| Usage analytics | Service improvement, billing | Legitimate interest | Aggregate: indefinite; Customer-specific: within 30 days post-deletion | Microsoft Azure |
| Technical/security data (IP address, browser) | Security monitoring, fraud/abuse prevention | Legitimate interest | Within 30 days post-deletion | Microsoft Azure |
| Pre-signup prefill data (sign-in email, org identifiers) | Pre-fill the signup form for a not-yet-registered installer/user | Legitimate interest | Up to 30 days, then auto-deleted | Microsoft Azure |
Ad click identifier (Reddit rdt_cid) | Ad campaign measurement/optimization | Consent (EEA/UK/CH); legitimate interest with opt-out (elsewhere) | ~30 days (cookie); life of the subscription (Stripe metadata) | Reddit, Inc. |
| Billing records | Payment processing, tax compliance | Legal obligation | 7 years | Stripe, Inc. |
| Communications | Support, marketing | Consent (marketing), Legitimate interest (support) | Until opt-out or account deletion | Twilio (SendGrid); Atlassian (Jira Service Management) |
End of Privacy Policy