Privacy Policy

Last updated: January 28, 2026

1. Introduction

This Privacy Policy describes how Dev Forward LLC ("Company," "we," "us," or "our") collects, uses, and shares information when you use CostOps (the "Service"), our CI/CD cost intelligence platform.

We are committed to protecting your privacy and handling your data transparently. Please read this policy carefully to understand our practices regarding your information.

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

  • Email address: Required for account creation and communication
  • Name: As provided through GitHub OAuth or account registration
  • GitHub username: When you authenticate via GitHub OAuth
  • Profile information: Avatar URL and other public profile data from GitHub

2.2 GitHub Organization and Repository Data

When you install our GitHub App, we access and store:

  • Organization metadata: Organization name, ID, and billing information
  • Repository metadata: Repository names, IDs, visibility status, and creation dates
  • Workflow information: Workflow names, file paths, and configuration
  • Workflow run data: Run IDs, status, timing, triggering events, and actor information
  • Job data: Job names, runner types, duration, and billable time

What we do NOT access:

  • Source code or repository contents
  • Secrets, environment variables, or credentials
  • Pull request content or code review comments
  • Issue content or discussions
  • Any data beyond Actions metadata and repository information

2.3 Webhook Data

We receive real-time webhook events from GitHub when workflow runs complete. This data includes:

  • Workflow run completion events
  • Job status updates
  • Installation and repository access changes

2.4 Usage and Analytics Data

We automatically collect:

  • Device information: Browser type, operating system, device type
  • Log data: IP address, access times, pages viewed, referring URLs
  • Usage patterns: Features used, interactions within the Service

We use Google Analytics (with IP anonymization enabled) and Statsig to understand how users interact with our Service. These tools collect page views, click interactions, scroll depth, and performance metrics.

2.5 Payment Information

Payment processing is handled by Stripe. We do not store credit card numbers or bank account details on our servers. We receive and store only: last four digits of your card, card brand, expiration date, and billing address for invoice purposes.

3. How We Use Your Information

We use the information we collect to:

  • Provide the Service: Calculate CI/CD costs, generate analytics, and display dashboards
  • Send notifications: Cost alerts, threshold warnings, and service updates
  • Improve the Service: Analyze usage patterns, fix bugs, and develop new features
  • Process payments: Bill for subscriptions and manage your account
  • Communicate: Respond to inquiries, provide support, and send important updates
  • Ensure security: Detect and prevent fraud, abuse, and security incidents
  • Comply with law: Meet legal obligations and respond to lawful requests

4. Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA), United Kingdom, or Switzerland, we process personal data based on:

  • Contract performance: Processing necessary to provide the Service you requested
  • Legitimate interests: Improving our Service, preventing fraud, and ensuring security
  • Consent: Where you have given explicit consent (e.g., marketing communications)
  • Legal obligations: Processing required by applicable law

5. How We Share Information

We do not sell your personal information. We share information only in these circumstances:

5.1 Service Providers

We use trusted third-party services to operate our business:

Provider         | Purpose                                    | Data Shared
GitHub           | Authentication, Actions data               | OAuth tokens, webhook events
Stripe           | Payment processing                         | Billing information, payment details
Digital Ocean    | Cloud hosting                              | All Service data (encrypted at rest)
Google Analytics | Usage analytics                            | Anonymized usage data
Statsig          | Product analytics, feature experimentation | Usage data, page views, click interactions

These providers are contractually obligated to protect your data and use it only for the purposes we specify.

5.2 Within Your Organization

Data from your GitHub organization may be visible to other members of your CostOps account based on the access permissions you configure. Organization administrators can view aggregate data across all connected repositories.

5.3 Legal Requirements

We may disclose information if required by law, regulation, legal process, or governmental request, or to protect the rights, property, or safety of our users or others.

5.4 Business Transfers

If Dev Forward LLC is involved in a merger, acquisition, or sale of assets, your information may be transferred. We will notify you of any such change and any choices you may have.

6. Data Retention

We retain your information for as long as your account is active or as needed to provide the Service:

  • Account data: Retained until you delete your account
  • GitHub Actions data: Retained for your subscription period plus 90 days, or as required for your plan's historical data access
  • Usage logs: Retained for 12 months
  • Payment records: Retained for 7 years for tax and legal compliance

When you delete your account, we delete or anonymize your data within 30 days, except where retention is required by law.

7. Your Rights

7.1 All Users

You have the right to:

  • Access the personal information we hold about you
  • Correct inaccurate information
  • Delete your account and associated data
  • Export your data in a portable format
  • Revoke GitHub App access at any time

7.2 California Residents (CCPA)

California residents have additional rights under the California Consumer Privacy Act:

  • Right to know: Request disclosure of personal information collected, used, and shared
  • Right to delete: Request deletion of your personal information
  • Right to non-discrimination: We will not discriminate against you for exercising your rights
  • Right to opt-out: We do not sell personal information

To exercise these rights, contact us at privacy@costops.dev.

7.3 EEA, UK, and Swiss Residents (GDPR)

If you are in the EEA, UK, or Switzerland, you have additional rights:

  • Right to access: Obtain a copy of your personal data
  • Right to rectification: Correct inaccurate personal data
  • Right to erasure: Request deletion of your personal data
  • Right to restrict processing: Limit how we use your data
  • Right to data portability: Receive your data in a structured, machine-readable format
  • Right to object: Object to processing based on legitimate interests
  • Right to withdraw consent: Withdraw consent at any time where processing is based on consent

You also have the right to lodge a complaint with your local data protection authority.

8. Security

We implement appropriate technical and organizational measures to protect your information:

  • Encryption in transit (TLS 1.2+) and at rest
  • Secure authentication with session management
  • Regular security assessments and monitoring
  • Access controls limiting employee access to user data
  • Incident response procedures

While we strive to protect your information, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.

9. Data Breach Notification

In the event of a data breach that affects your personal information, we will:

  • Notify affected users within 72 hours of becoming aware of the breach (as required by GDPR)
  • Notify California residents in the most expedient time possible (as required by California law)
  • Provide information about the nature of the breach and steps you can take to protect yourself
  • Report to relevant supervisory authorities as required by law

10. International Data Transfers

Your information may be transferred to and processed in the United States, where our servers are located. If you are located outside the United States, your information will be transferred to and stored in a jurisdiction that may have different data protection laws.

For transfers from the EEA, UK, or Switzerland, we rely on Standard Contractual Clauses approved by the European Commission, or other lawful transfer mechanisms.

11. Children's Privacy

The Service is not directed to children under 16 years of age. We do not knowingly collect personal information from children. If you become aware that a child has provided us with personal information, please contact us at privacy@costops.dev, and we will take steps to delete such information.

12. Third-Party Links and Services

The Service may contain links to third-party websites or integrate with third-party services. This Privacy Policy does not apply to those third parties. We encourage you to review the privacy policies of any third-party services you access through our Service. In particular, your use of GitHub is governed by GitHub's Privacy Statement.

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

  • Update the "Last updated" date at the top of this page
  • Notify you via email or through the Service
  • Provide at least 30 days' notice before material changes take effect

Your continued use of the Service after the effective date constitutes acceptance of the updated Privacy Policy.

14. Contact Us

If you have questions about this Privacy Policy or want to exercise your rights, please contact us:

Dev Forward LLC

Privacy inquiries: privacy@costops.dev

General inquiries: info@costops.dev

For GDPR-related inquiries, you may also contact your local data protection authority.