privacy policy

Your data is yours. Here is how we handle it.

Effective date: March 28, 2026

This policy describes what data Incidentary collects, how we use it, how long we keep it, and your rights. We process telemetry metadata from your instrumented services to assemble causal incident artifacts. We do not need your business data to do it.

For Paddle's own data practices, see .

Who We Are

Incidentary is a SaaS platform for incident response ("we", "us", "our"). This policy applies to data collected through the Incidentary cloud platform, website, and SDKs.

We are the data controller for personal data processed through your use of the platform and website. For telemetry metadata transmitted by your SDKs, we act as the data processor on your behalf (you are the controller). Contact: privacy@incidentary.com.

For billing and payment processing, Paddle.com acts as our Merchant of Record and independently controls the payment data it collects under their own privacy policy. Paddle.com Market Limited is based in the United Kingdom; Paddle.com, Inc. is based in the United States.

Data We Collect

  • Email address (for authentication and communication)
  • Name and workspace name (for identification)
  • Billing information is collected and processed by Paddle; we do not store payment card details
  • Span timing and duration
  • Service identifiers (service name, operation name)
  • Causal relationships (trace ID, span ID, parent span ID)
  • Error status codes
  • HTTP method, status code, and URL path pattern (not query parameters or full URLs)
  • Request or response bodies
  • Database query results or payloads
  • Environment variables
  • HTTP headers (beyond standard trace context)
  • Secrets, tokens, or credentials
  • Personally identifiable information (unless you instrument it into span attributes, which we advise against)
  • Feature usage patterns (which pages and features you use in the Incidentary dashboard)
  • Causal event consumption metrics
  • Error rates and performance metrics for service improvement

Legal Basis for Processing

Under the General Data Protection Regulation (GDPR) and equivalent laws, we process personal data on the following legal bases:

  • Contract performance (GDPR Article 6(1)(b)): processing your account data and telemetry metadata is necessary to provide the service you have contracted for — assembling causal artifacts, detecting anomalies, rendering service maps, and delivering notifications.
  • Legitimate interest (GDPR Article 6(1)(f)): we process usage data and anonymized aggregate patterns to improve the service, monitor security, and debug issues. We have assessed that these interests do not override your rights. You may object to processing based on legitimate interest at any time.
  • Legal obligation (GDPR Article 6(1)(c)): we retain billing records and certain account data as required by tax, accounting, and regulatory requirements.
  • Consent (GDPR Article 6(1)(a)): where we send marketing communications or use non-essential cookies, we do so only with your explicit consent. You may withdraw consent at any time without affecting the lawfulness of processing performed before withdrawal.

How We Use Your Data

We use your data for the following purposes:

  • To provide the service: assemble causal artifacts, detect anomalies, render service maps, generate shared trace links
  • To operate the service: monitor health, debug issues, enforce plan limits, process billing
  • To communicate: send incident notifications, billing notifications, and service announcements
  • To improve the service: aggregate anonymized usage patterns to guide product development
  • We do not use your data for advertising, sell your data to third parties, or train machine learning models on your telemetry data

Data Storage and Retention

  • Telemetry metadata is stored in accordance with your plan's retention window: Free: 14 days, Pro: 30 days, Team: 90 days, Enterprise: custom.
  • When retention expires, data is permanently deleted — not archived, not moved to cold storage.
  • Account data is retained for the duration of your account. Upon account deletion, account data is removed within 30 days.
  • Billing records are retained as required by applicable tax and accounting law (typically 7 years), managed by Paddle.
  • All data is encrypted at rest (AES-256) and in transit (TLS 1.2+).

Data Sharing

We share data only in these circumstances:

  • Paddle: payment processing and billing as Merchant of Record.
  • Infrastructure providers: hosting and data storage, under data processing agreements.
  • Shared trace links: when you generate a shared trace link, the causal chain and service topology are accessible to anyone with the URL. Shared links do not contain environment variables, secrets, headers, or payload content. You control when and what to share.
  • Legal compliance: we may disclose data if required by law, court order, or to protect our rights.
  • Sub-processors: a current list of our sub-processors, including their purposes and geographic locations, is available upon request at privacy@incidentary.com. We will provide at least 30 days' notice before engaging new sub-processors.
  • We do not sell data. We do not share data with advertisers. We do not share personal information for cross-context behavioral advertising.

Tenant Isolation

Every workspace operates in strict isolation. Data, credentials, and configuration are separated at every layer of the stack. No cross-tenant data access is possible through the application.

SDKs and Your Infrastructure

The Incidentary SDKs run inside your infrastructure. Only telemetry metadata leaves your network — the data described in section 2.

The SDKs are open source under Apache 2.0. You can audit exactly what data is collected and transmitted. You control SDK configuration, including which services are instrumented and what attributes are captured.

Cookies and Tracking

  • We use session cookies for authentication (strictly necessary, no consent required).
  • We use privacy-friendly analytics for aggregate traffic analysis (no personal data, no cross-site tracking).
  • We do not use advertising cookies, tracking pixels, or fingerprinting.
  • We do not participate in cross-site tracking or real-time bidding.

Your Rights

You may exercise the following rights regarding your data:

  • Access (GDPR Article 15): request a copy of the personal data we hold about you, including the purposes of processing and categories of recipients.
  • Correction (GDPR Article 16): update or correct inaccurate personal data at any time through the dashboard or by contacting us.
  • Deletion (GDPR Article 17): request deletion of your account and all associated data. We will comply unless we have a legal obligation to retain certain data.
  • Data portability (GDPR Article 20): receive your data in a structured, commonly used, machine-readable format. You may request an export of your telemetry data within the retention window.
  • Restriction (GDPR Article 18): request that we restrict processing of your data in certain circumstances, such as when you contest accuracy or object to processing.
  • Objection (GDPR Article 21): object to processing based on legitimate interest. We will stop processing unless we demonstrate compelling legitimate grounds. Objection to core service processing may require discontinuing the service.
  • Withdraw consent: where processing is based on consent, you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
  • Automated decision-making (GDPR Article 22): we do not make automated decisions that produce legal effects or similarly significant effects on you. Anomaly detection and pattern analysis are assistive tools — all operational decisions are made by your team.
  • Supervisory authority: if you are in the European Economic Area, you have the right to lodge a complaint with your local data protection authority. A list of EU supervisory authorities is available at edpb.europa.eu.
  • For billing data managed by Paddle, contact Paddle directly or reach us and we will coordinate.
  • To exercise any of these rights, contact privacy@incidentary.com. We will respond within 30 days (or within the timeframe required by applicable law).

California Privacy Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA") provides you with additional rights regarding your personal information.

  • Categories of personal information we collect: identifiers (name, email), internet or electronic network activity (feature usage patterns, log data), and commercial information (plan type, billing history via Paddle).
  • We collect personal information for the business purposes described in the "How We Use Your Data" section above.
  • We do not "sell" personal information as defined by the CCPA/CPRA.
  • We do not "share" personal information for cross-context behavioral advertising.
  • Right to know: you may request disclosure of the categories and specific pieces of personal information we have collected, the sources, the business purposes, and the categories of third parties with whom we share it.
  • Right to delete: you may request deletion of personal information we have collected from you, subject to certain exceptions (legal obligations, security, completing transactions).
  • Right to correct: you may request correction of inaccurate personal information.
  • Right to non-discrimination: we will not discriminate against you for exercising your CCPA/CPRA rights.
  • To exercise these rights, contact privacy@incidentary.com. We will verify your identity before processing your request. You may designate an authorized agent to make a request on your behalf.

International Data Transfers

The service infrastructure is hosted by cloud providers whose data centers may be located in the United States, the European Union, or other regions. Your data may be transferred to and processed in jurisdictions outside your own.

  • For transfers from the European Economic Area, United Kingdom, or Switzerland, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission and, where applicable, the EU-U.S. Data Privacy Framework.
  • We implement supplementary technical measures (encryption at rest and in transit, access controls, tenant isolation) to protect transferred data regardless of where it is processed.
  • You may request information about the specific locations where your data is processed by contacting privacy@incidentary.com.

Children

Incidentary is a B2B service for engineering teams. We do not knowingly collect data from individuals under 16. If you believe a child has provided data to us, contact privacy@incidentary.com and we will delete it.

Data Processing Agreements

For customers who require a Data Processing Agreement (DPA) for GDPR, CCPA/CPRA, or other regulatory compliance:

  • We will execute a DPA that documents our obligations as a data processor for the telemetry metadata you transmit to the service.
  • The DPA covers the subject matter, duration, nature, and purpose of processing; the types of personal data; and the categories of data subjects.
  • Our DPA incorporates Standard Contractual Clauses where required for international data transfers.
  • Contact legal@incidentary.com to request a DPA. Enterprise customers receive a DPA as part of their service agreement.

Changes to This Policy

We may update this policy. Material changes will be communicated via email or in-product notification at least 30 days before taking effect. The effective date at the top of this page indicates the last revision. Continued use after changes take effect constitutes acceptance.

contact

Questions about your privacy?

See also our Terms of Service.