Privacy Policy
Last Updated: January 30, 2026
We, Qoil AI UG (haftungsbeschränkt) ("we", "us"), welcome your use of our website and web app (together, the "Services"). GitQueue is a product of Qoil AI UG (haftungsbeschränkt). In this Privacy Policy we explain the type, scope, and purposes of the collection and use of personal data when you use our Services.
Personal data means any information relating to an identified or identifiable natural person (Art. 4(1) GDPR), such as a name, email address, or online identifiers.
Impressum (legal notice): Impressum
Privacy contact: [email protected]
1. Provider / Controller
The provider of the Services and the controller within the meaning of the GDPR is Qoil AI UG (haftungsbeschränkt) (see Impressum).
If you have questions about this Privacy Policy or want to exercise your rights, contact us at: [email protected].
2. Scope
This Privacy Policy applies to:
- visits to our website (landing pages, documentation, marketing pages);
- account creation and authentication;
- connecting and using integrations (e.g., GitHub/GitLab/Bitbucket and CI tools);
- use of the GitQueue web app;
- support, sales, and billing communications.
Our website may include links to third-party sites. Their privacy policies apply to their services.
3. Data Processing to Enable Use (connection and log data)
Whenever you access our Services, technical connection data is processed and transmitted to our servers (or infrastructure providers). This may include:
- IP address
- date and time of request
- referring URL
- device information (e.g., device type, operating system)
- browser type/version
- access logs (requested pages/resources, status codes)
Purpose: ensuring delivery of the Services, stability, security, abuse prevention, troubleshooting.
Legal basis: Art. 6(1)(f) GDPR (legitimate interests in secure and functional operation); where the web app is used under contract, also Art. 6(1)(b) GDPR.
We do not use connection data to directly infer your identity (unless needed for security investigation) and we do not merge it with other sources in a way that creates unnecessary profiles.
4. Data Processing upon Request (account, authentication, communications)
4.1 Registration and login
To use the GitQueue web app, you (or your organization) typically create an account and/or authenticate via an integration (e.g., OAuth with a source code hosting provider).
We may process:
- name and email address
- organization/workspace name
- user identifiers and roles (e.g., admin/member)
- authentication events (login timestamps, security signals)
Purpose: account creation, authentication, access management, security, preventing misuse.
Legal basis: Art. 6(1)(b) GDPR (contract/performance of Services) and Art. 6(1)(f) GDPR (security and abuse prevention).
4.2 Authentication via Third-Party SCM Platforms (e.g., GitHub OAuth)
If you connect GitQueue to a Third-Party SCM Platform (e.g., GitHub) we process authorization data such as:
- OAuth tokens / installation identifiers
- granted permission scopes
- webhook configuration identifiers
Required permissions (GitHub example): GitQueue typically requests repository access (read/write for code, pull requests, issues, commit statuses), organization read access, and webhook management. The exact scopes are displayed during the OAuth authorization flow and may vary by platform.
Purpose: enabling the integration and performing requested actions (e.g., reading repository metadata, managing queues, posting statuses/comments, triggering merges) within the permissions you grant.
Legal basis: Art. 6(1)(b) GDPR.
Security of tokens: tokens are stored encrypted and access is restricted on a need-to-know basis.
4.3 Support and other communications
When you contact us (e.g., email, in-app support), we process:
- contact details (name, email)
- message content and attachments
- technical context required to solve the issue (e.g., logs, workspace identifiers)
Purpose: handling requests, support, troubleshooting, customer relationship management.
Legal basis: Art. 6(1)(b) GDPR (support as part of the contract) and/or Art. 6(1)(f) GDPR (efficient support operations).
4.4 Newsletter (optional)
If you subscribe to a newsletter, we process:
- email address (and optional name/company)
Purpose: sending product updates and company news.
Legal basis: Art. 6(1)(a) GDPR (consent). You can withdraw consent at any time via the unsubscribe link or by contacting us.
5. Data Processing in the Product (service usage and repository data)
5.1 Service usage and operational data
In the course of providing the Service, we may process:
- queue settings and rules (e.g., priorities, labels, policies)
- usage events (feature usage, timestamps)
- audit logs (actions taken, by whom, when)
- error reports and performance metrics
Purpose: operating the Service, reliability, debugging, security, preventing abuse, product improvement.
Legal basis: Art. 6(1)(b) GDPR and Art. 6(1)(f) GDPR.
5.2 Repository metadata and automation artifacts
Depending on your configuration and permissions, GitQueue may process repository metadata such as:
- repository identifiers
- pull request/merge request identifiers and titles
- branch names, commit hashes, statuses/check results
- comments or status updates created by GitQueue
- users involved in PR workflows (as shown by the SCM platform)
Important: GitQueue does not store the actual source code content of your repositories. We only process metadata necessary for queue management. However, PR titles and descriptions may contain business-sensitive information and are protected with the same security measures as other customer data.
Purpose: providing merge-queue functionality and related automation you configure.
Legal basis: Art. 6(1)(b) GDPR.
5.3 Webhook data
GitQueue receives webhook notifications from connected SCM platforms when relevant events occur (e.g., PR created, status checks completed, comments added). Webhook payloads may include:
- event type and timestamp
- repository and PR identifiers
- user information (username, email as provided by the platform)
- status check results and CI information
Webhook data is processed in real time to update queue state and trigger automated actions. Webhook payloads are not stored long-term beyond operational logging requirements.
Legal basis: Art. 6(1)(b) GDPR.
5.4 Data hosting location
Customer data is primarily hosted within the European Union (EU). Some subprocessors may process data in other jurisdictions; see Section 9 (International Data Transfers) for details on safeguards.
6. Payments (Paddle as Merchant of Record)
Payments are processed by our authorized reseller and Merchant of Record, Paddle.com Market Ltd and/or its affiliates ("Paddle"). As Merchant of Record, Paddle is the seller for your transaction and handles billing, tax calculation/collection/remittance, invoices, and receipts.
We typically receive only limited billing status information from Paddle (e.g., subscription status, plan, payment state) needed to provide the Service. Sensitive payment card details are handled directly by Paddle and are not accessible to us.
Paddle may share buyer data with payment providers and fraud monitoring services as part of their payment processing and security measures. For details on how Paddle processes your data, please refer to Paddle's privacy policy.
Merchant of Record: Paddle.com Market Ltd
Paddle privacy / GDPR info: https://www.paddle.com/legal/privacy
Legal basis: Art. 6(1)(b) GDPR (contract) and Art. 6(1)(c) GDPR (legal obligations such as tax/accounting).
7. Cookies and Similar Technologies
We use cookies and similar technologies (e.g., local storage, scripts) to provide and secure the Services.
7.1 Categories
Strictly necessary cookies
Required for login/session management, security, load balancing, and core functionality.
Legal basis: Art. 6(1)(b) GDPR (where needed for the Service) and Art. 6(1)(f) GDPR (secure operation).
Functional cookies
Remember preferences (e.g., UI settings).
Legal basis: Art. 6(1)(f) GDPR, and where required, Art. 6(1)(a) GDPR (consent).
Analytics / marketing cookies (optional)
Used to understand usage or measure marketing effectiveness.
Legal basis: Art. 6(1)(a) GDPR (consent) where required (especially EU/EEA/UK).
7.2 Consent management
Where legally required, we display a cookie banner. You can accept/reject non-essential cookies and withdraw consent at any time with effect for the future via "Cookie Settings" in the footer (if provided): https://www.gitqueue.com/#cookie-settings.
You can also manage cookies in your browser. Disabling essential cookies may limit functionality.
8. Subprocessors and Disclosure
8.1 Subprocessors
To provide the Services, we may use subprocessors (hosting, monitoring, email delivery, support tools, payment providers). We:
- restrict access to what is necessary;
- enter into data processing agreements (Art. 28 GDPR) where required — see our Data Processing Agreement;
- remain responsible for subprocessors as required by law.
You can request a list of our current subprocessors or notification of subprocessor changes by contacting [email protected].
8.2 Disclosure to third parties
We do not sell personal data.
We may disclose personal data:
- if required by law, authority request, or court order;
- to protect the security and integrity of the Services;
- in connection with a corporate transaction (e.g., acquisition), subject to appropriate safeguards.
9. International Data Transfers
We may transfer personal data to countries outside the EU/EEA (e.g., if we use US-based providers). Where required, we implement appropriate safeguards, such as:
- EU Standard Contractual Clauses (SCCs) (Art. 46 GDPR), and/or
- reliance on an adequacy decision where applicable.
10. Storage Duration (Retention)
We store personal data only as long as necessary for the purposes described above, including:
- for the duration of the customer relationship;
- as needed for security (e.g., audit logs) and troubleshooting;
- as required by legal retention obligations (e.g., accounting/tax laws).
After termination, we delete or anonymize personal data within a reasonable period unless:
- legal obligations require retention, or
- limited retention is needed for backups/security logs (which are deleted according to our backup cycles).
11. Security
We protect personal data using technical and organizational measures (e.g., access controls, encryption where appropriate, monitoring, least-privilege policies).
For questions about our security practices, contact [email protected].
In case of a personal data breach, we will comply with GDPR notification obligations.
12. Your Rights (GDPR)
Where GDPR applies, you have the right to:
- access (Art. 15)
- rectification (Art. 16)
- erasure (Art. 17)
- restriction (Art. 18)
- data portability (Art. 20)
- objection (Art. 21)
- withdraw consent at any time (Art. 7(3)) where processing is based on consent
To exercise rights, contact [email protected]. We may request verification of identity. We generally respond within one month (Art. 12(3) GDPR), subject to lawful extensions.
Supervisory authority
You can lodge a complaint with a supervisory authority. In Germany, this is typically the data protection authority responsible for the federal state of our registered seat (or another competent authority under GDPR).
13. Right to Object (Art. 21 GDPR)
Where we process personal data based on legitimate interests (Art. 6(1)(f) GDPR), you may object at any time for reasons arising from your particular situation. If you object, we will stop processing unless we demonstrate compelling legitimate grounds or processing is required for legal claims.
You may also object to direct marketing at any time.
14. Changes to this Privacy Policy
We may update this Privacy Policy as needed. The current version is always available on our website and will show the "Last Updated" date. Material changes may be communicated via email or in-product notice.
15. Contact and Impressum
Privacy contact: [email protected]
Impressum: Impressum.