Privacy Policy
Last Updated: 01/27/2026
Autoheal ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform, Autoheal AI (the "Service"), and our website.
We have designed this policy to be transparent and straightforward, aligning with industry standards for security and compliance. By accessing or using our Service, you agree to the terms of this Privacy Policy.
1. Information We Collect
We collect information necessary to provide our AI-driven Site Reliability Engineering (SRE) and production engineering services. We classify this data into the following categories:
A. Information You Provide to Us
- Account Information: When you register, we collect your first name, last name, and email address.
- Authentication Credentials: We store password hashes (using bcrypt) and authentication tokens.
- Integration Credentials: To function as an SRE co-pilot, we require access to your third-party tools (e.g., Slack, GitHub, PagerDuty). We collect OAuth tokens, API keys, and webhook secrets. Note: These are stored using strict encryption standards (AES-256) and are never stored in plain text.
- Chat & Interaction Data: We collect the content of your interactions with our AI agents, including chat history, commands, and context provided during incident investigations.
B. Information Collected Automatically & Methods of Collection
- Operational Data: We collect logs related to workflows, incident investigations, and event logs (formatted to CloudEvents standards) to track the performance and actions of the AI agents.
- Device & Usage Information: We collect IP addresses (primarily for webhook routing and security auditing), user agent information, session tokens, and timestamps of account creation or updates.
- Organizational Data: We collect multi-tenant identifiers such as Tenant IDs, Team IDs, and User Roles (e.g., Admin, Member) to enforce strict data isolation.
- Cookies and Tracking Technologies: We use session cookies and similar tracking technologies (like local storage) strictly for authentication and security purposes to keep your session active and secure. We do not use third-party advertising cookies.
C. Data We Do NOT Collect
For clarity, we do not collect or process:
- Payment or credit card information (we do not process payments within the codebase).
- Protected Health Information (PHI) or health data.
- Social Security Numbers or government-issued IDs.
2. Lawful Basis for Processing
We process your personal information under the following lawful bases:
- Contractual Necessity: To provide the Service you subscribed to, such as authenticating users, running workflows, and executing SRE tasks.
- Legitimate Interests: To maintain the security of our platform (e.g., fraud detection, logging), improve our services (e.g., performance monitoring), and manage our customer relationships.
- Consent: Where explicitly required, such as when you authorize specific third-party integrations (e.g., connecting Slack). You may withdraw this consent at any time by disconnecting the integration.
3. How We Use Your Information
We use the data we collect strictly for the following purposes:
- Service Delivery: To authenticate users, authorize access to specific tenants, and orchestrate AI-powered incident investigations.
- Automation & Orchestration: To execute workflows via our orchestration engine and interact with your integrated monitoring tools (e.g., Datadog, Grafana, Sentry) based on your commands.
- Security & Compliance: To maintain audit logs of all actions taken by users and AI agents, monitor for suspicious activity, and enforce Role-Based Access Controls (RBAC).
- Performance Monitoring: To track workflow execution success rates and system performance (APM metrics).
- Communication: To send system alerts, incident updates, and support communications.
AI Model Training Policy: We do not use your proprietary operational data or code snippets to train our core public AI models without your explicit consent. Your data remains isolated to your context.
4. Data Sharing and Sub-Processors
We do not sell your data. We share data only with the following categories of third-party service providers (Sub-Processors) necessary to operate our infrastructure:
| Sub-Processor | Purpose | Location |
|---|---|---|
| AWS (Amazon Web Services) | Primary cloud infrastructure (Database, Compute, Storage). | US (East) |
| Anthropic | LLM provider for AI agent intelligence. | US |
Customer-Controlled Integrations
Our platform integrates with third-party services you use (e.g., Slack, Jira, PagerDuty, GitLab). Data is shared with these platforms only when you explicitly configure an integration and authorize the data flow. You retain control over these integrations and can revoke access at any time.
5. Data Retention
We adhere to strict retention policies to minimize data exposure:
- Active Account Data: Retained for as long as your account is active to provide the Service.
- Event Logs: Operational logs are retained for 90 days, after which they are automatically cleaned up via partition management.
- Backups: Database backups are retained for 30 days for disaster recovery purposes.
- Account Deletion: Upon account closure, customer data is effectively deleted from our active systems within 30 days.
6. Security Measures
We implement enterprise-grade technical and organizational measures aligned with SOC 2 criteria to protect your data:
- Encryption at Rest: All databases and secrets are encrypted using AES-256 (e.g., AWS RDS Encryption, AWS Secrets Manager with KMS).
- Encryption in Transit: All data transmitted between your client and our Service is encrypted via TLS 1.2+.
- Access Control: We utilize strict multi-tenant isolation (logical separation via Tenant IDs) and Role-Based Access Control (RBAC).
- Infrastructure Security: Our infrastructure runs in a Virtual Private Cloud (VPC) with network segmentation (private subnets), container image scanning, and DDoS protection (AWS Shield).
- Monitoring: We have security monitoring, CloudWatch alarms, and comprehensive audit logging.
7. Your Data Rights & Choices
Regardless of your location, we provide the following rights regarding your data:
- Right to Access: You may access your profile and organizational data via our API endpoints.
- Right to Rectification: You may update your user profile information or assign different user roles through the platform.
- Right to Deletion: You may request the deletion of your user account. Note that we ensure the last remaining Admin of a tenant cannot be deleted to prevent orphan accounts.
- Data Portability: You may export your data in standard formats (JSON/CSV) via our API.
- Choice and Opt-Out: You can control which third-party integrations are connected to your account. We do not send marketing communications by default; if we do in the future, we will provide an unsubscribe link.
To exercise these rights, please contact us at security@autoheal.ai.
8. Data Quality and Responsibility
We take reasonable steps to ensure the personal information we process is accurate, complete, and current. However, you are responsible for maintaining the accuracy of your own account information (e.g., email address, user roles) and ensuring that you have the appropriate authority to connect third-party integrations to our Service.
9. Monitoring and Enforcement
We regularly verify our compliance with this Privacy Policy through internal assessments and third-party audits. If you believe we are not adhering to this policy, please contact us immediately. We will investigate and attempt to resolve any complaints regarding the use and disclosure of personal information.
10. International Data Transfers
Our primary infrastructure is located in the United States (AWS us-east-1). If you are accessing our Service from outside the United States, please be aware that your information will be transferred to, stored, and processed in the U.S. By using our Service, you consent to this transfer.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Last Updated" date.
12. Contact Us
We provide the rights described in this Privacy Policy to all users in the United States, regardless of their state of residence. For most data we process through the Service (such as your operational and incident data), we act as a service provider to our customers and handle personal information only to provide and improve the Service, in accordance with our agreements with them. We do not sell or share personal information as those terms are defined under U.S. state privacy laws (including the California Consumer Privacy Act). If you contact us about your personal information and we are processing it on behalf of a customer, we may refer your request to that customer and will support them in responding where required.
If you have questions about this Privacy Policy or our security practices, please contact us:
- Security & Privacy Inquiries: security@autoheal.ai
- General Support: support@autoheal.ai
- Mailing Address: Autoheal Inc., 119 South B St, Suite A, San Mateo, CA 94401
