Privacy Policy

1. Overview

FailPack is a developer tool for capturing local failure context, syncing selected reports to FailPack Cloud, and running controlled bug and security analysis. This Privacy Policy explains what data we collect, why we collect it, and how users can control it.

FailPack is designed to be local-first. The CLI can generate reports on your machine. Cloud features are used when you sign in, sync a project, upload reports, invite team members, use billing, or run cloud-backed analysis.

2. Data we collect

• Account data: name, email address, OAuth provider identifiers, password hash when email/password login is used, 2FA enrollment state, trusted-device metadata, and session/device records.
• Workspace data: workspace name, member roles, invitations, plan, subscription status, usage counters, project names, project identifiers, and access-control records.
• Report metadata: report title, command metadata, timestamps, status, version, project identifier, file manifest, hashes, sizes, redaction flags, retention dates, and audit events.
• Report artifacts: logs, redacted command output, git status/diff, environment summaries, prompts, context files, bundles, or source snapshots that you explicitly upload or sync.
• Usage and security data: API requests, authentication events, IP-derived security signals, rate-limit events, CLI device login events, agent run metadata, token usage, and error logs.
• Billing data: plan, subscription identifiers, checkout state, invoices, and payment status handled through our payment provider. We do not store full card numbers.

3. OAuth data

When you sign in with Google or GitHub, FailPack receives the basic profile information required to authenticate you, such as your email address, provider account identifier, and profile name when available.

OAuth data is used to create or sign in to your FailPack account, link providers that share the same verified email address, protect sessions, and help you access the correct workspace. FailPack does not request broad repository access through website OAuth sign-in.

4. How we use data

• Provide authentication, session management, 2FA, trusted-device handling, and CLI device login.
• Create, sync, display, retain, and delete cloud reports and artifacts according to workspace plan limits.
• Enforce workspace membership, project access, billing entitlements, upload limits, and agent usage budgets.
• Process payments, invoices, plan changes, and subscription status.
• Detect abuse, protect accounts, investigate security events, and maintain audit logs.
• Improve product reliability through aggregated operational metrics and support diagnostics.

5. Local-first reports and cloud artifacts

FailPack reports are generated locally first. Data is uploaded to FailPack Cloud only when you use cloud sync, cloud upload, agent/cloud analysis, or another feature that clearly requires cloud storage.

Cloud artifacts are stored privately. Object keys are not intended to expose repository names or local file paths. The dashboard accesses artifacts through authenticated backend endpoints that check account, workspace, and project permissions before returning data.

6. Secret handling

FailPack includes redaction logic intended to remove common tokens, keys, credentials, and sensitive environment values before reports are saved or uploaded. You remain responsible for reviewing generated reports and deciding what to upload or share.

If you believe sensitive data was uploaded accidentally, delete the report from the dashboard or contact [email protected] for assistance.

7. Retention

Report and artifact retention depends on your plan, workspace settings, and feature usage. Free plans may have short retention windows. Paid plans may retain report history for longer periods.

Audit logs, security logs, billing records, and records required for legal, tax, abuse-prevention, or dispute purposes may be retained for longer where necessary.

8. Sharing and public links

Private reports require authentication and workspace access. Shared report links are accessible only when a report has been intentionally shared and the recipient has the correct share token.

Do not publish share links that contain information you do not want others to see. You can revoke sharing or delete reports from the dashboard where supported.

9. Service providers

We use service providers to operate FailPack, including hosting, database, private object storage, payment processing, OAuth authentication, email or support systems, logging, and AI infrastructure. These providers process data only to help us provide the service.

A current list of subprocessors is available at /legal/subprocessors.

10. Security

FailPack uses authentication, workspace membership checks, role-based access control, private storage, signed upload flows, rate limiting, session rotation, and optional 2FA to protect user data.

No system is perfectly secure. Report security issues to [email protected]. More detail is available at /legal/security.

11. Your rights and choices

• Access and update account information from your dashboard where available.
• Delete reports, cloud projects, or workspace data where product controls support deletion.
• Request account deletion or data export by contacting [email protected].
• Disconnect OAuth providers where available, provided your account still has a valid sign-in method.
• Manage cookies and browser storage through your browser settings.

12. International processing

FailPack may process and store data in countries where we or our service providers operate. By using FailPack, you understand that data may be processed outside your country of residence subject to appropriate provider controls and contractual protections.

13. Children

FailPack is not intended for children under 13, and we do not knowingly collect personal information from children. If you believe a child provided personal information to FailPack, contact [email protected].

14. Changes

We may update this policy as FailPack changes. Material changes will be posted on this page with a new effective date. Continued use of FailPack after a change means the updated policy applies.

15. Contact

For privacy requests, deletion requests, or questions, contact [email protected]. For security reports, contact [email protected].