Privacy Policy
How PreFlight collects, uses, and protects your data and credentials.
Privacy Policy
Effective: July 1, 2026
This Privacy Policy explains how PreFlight ("we", "us", "our") collects, uses, and protects your information when you use our platform at getpreflight.dev (the "Service").
Data we collect
We collect and store:
- Account information: email address, display name, and authentication identifiers provided through our identity provider (Clerk).
- Workspace data: project names, integration configurations, monitoring preferences, team membership, and billing details.
- Check results: pass/fail statuses, response times, safe error codes, timestamps, and readiness scores generated by our scanning engine.
- Encrypted credentials: API keys and secrets you provide for integration checks (see Credential handling below).
- Usage data: feature interactions, page views, and session metadata collected to improve the product.
We do not collect your source code, customer data, row-level database contents, or personal information of your end users.
Credential handling
When you save an API key or secret to PreFlight:
- The value is encrypted using AES-256 envelope encryption before being written to our database.
- After save, the full value is never returned to the browser or included in any API response, report, or export.
- Account API keys (used for CI and automation) are shown once at creation, then stored as hashed values with short prefixes for identification only.
- Keys are scoped to individual projects. Rotating a key in one project does not affect others.
We use encrypted credentials solely to probe the health status of your integrations. We never read, modify, or process your customer data through those credentials.
Infrastructure and sub-processors
PreFlight relies on third-party infrastructure providers for authentication, database hosting, application hosting, transactional email, payment processing, and error monitoring. We select providers with strong security practices and appropriate certifications. A current list of sub-processors is available upon request.
Retention
- Check results and monitoring history: retained for the duration specified by your plan (free plans: 7 days; paid plans: up to 30 days) unless you delete them earlier.
- Account and workspace records: retained for the life of your account. When you delete your account, associated data is removed within 30 days, except where retention is required for billing dispute resolution or fraud prevention.
- Encrypted credentials: deleted immediately when you remove an integration or delete a project.
Your rights
You may:
- Export your check history and project data at any time via the dashboard.
- Delete individual projects, integrations, or your entire account from Settings.
- Request a complete data export or deletion by contacting us at the address below.
For users in the EU/EEA, you have additional rights under GDPR including the right to access, rectification, erasure, data portability, and to object to processing. Contact us to exercise these rights.
Security measures
- All data in transit is encrypted with TLS 1.2+.
- All data at rest is encrypted.
- Provider secrets are never logged, never included in error reports, and never rendered client-side after initial save.
- Access to customer data is restricted to authenticated, authorized workspace members using row-level security.
- We conduct regular security reviews and maintain an incident response process.
Cookies and tracking
PreFlight uses essential cookies for authentication and session management. We use privacy-focused analytics (no cross-site tracking, no advertising cookies). You can disable non-essential cookies through your browser settings.
Changes to this policy
We will update this page with a new effective date when material changes are made. For significant changes, we will also notify active workspace owners through the product.
Contact
Questions about this policy or your data? Reach us at privacy@getpreflight.dev.
