Privacy Policy
Effective date: 20 April 2026
1. Data Controller
The data controller within the meaning of the General Data Protection Regulation (EU) 2016/679 (GDPR) is:
As the controller, Waterline determines the purposes and means of processing your personal data. Waterline is not yet registered as a legal entity; until such registration, Daniel Franco bears personal responsibility as controller.
2. Categories of Personal Data Collected
2.1 Account and identity data
When you create an account or authenticate via OAuth, we collect: your name, email address, profile picture URL, and OAuth access tokens issued by GitHub and/or Atlassian (Jira). We do not receive or store your GitHub or Atlassian passwords.
2.2 Integration and usage data
To provide the core functionality of the Service, we access and process the following data from third-party integrations you authorise:
- GitHub: repository names, branch names, repository files, pull request metadata (title, description, status, merge date), commit metadata (SHA, message, author, timestamp).
- Jira Cloud: issue keys, summaries, acceptance criteria, status fields, and assignee metadata for issues you have connected to your workspace.
We read your code. We store a derived summary. We never store the code itself.
To track ticket progress, Waterline reads file diff content and commit information from your connected repository and derives a natural-language functionality summary — an abstraction describing what the code does, not the code itself. That summary is stored and updated each time the relevant code changes. The underlying source code — file contents, diffs, and line-level changes — is never written to any Waterline database, file system, log, or backup. Progress answers (e.g. “3 of 4 criteria met”) are computed by matching the stored summary against your ticket's acceptance criteria.
Third-party LLM processing: Generating the functionality summary requires sending relevant portions of your code to a third-party large language model (LLM) API. Waterline currently uses OpenAI and/or Anthropic for this purpose. Code content is transmitted to these providers over encrypted connections solely to generate the summary; it is not retained by Waterline after the summary is produced. OpenAI and Anthropic do not use API inputs to train their models by default, in accordance with their respective API data usage policies.
2.3 Technical and usage data
- IP address and approximate geolocation derived therefrom
- Browser type, operating system, and device identifiers
- Pages visited, features used, and timestamps of interactions
- Error logs and performance telemetry
2.4 Communications data
If you contact us by email or other means, we retain the content of that correspondence and any personal data it contains.
3. Purposes and Legal Bases of Processing
We process your personal data only where a valid legal basis under Article 6 GDPR exists. The applicable bases are set out below.
| Purpose | Legal basis |
|---|---|
| Providing and operating the hosted Service | Art. 6(1)(b) — performance of a contract |
| User authentication and account management | Art. 6(1)(b) — performance of a contract |
| Analysing and presenting ticket progress data to your workspace | Art. 6(1)(b) — performance of a contract |
| Sending service-related communications (e.g. billing, downtime notices) | Art. 6(1)(b) — performance of a contract |
| Improving and debugging the Service through usage analytics | Art. 6(1)(f) — legitimate interests (product improvement) |
| Compliance with legal obligations (e.g. tax records) | Art. 6(1)(c) — legal obligation |
| Responding to support requests and communications | Art. 6(1)(f) — legitimate interests (customer support) |
Where we rely on legitimate interests (Art. 6(1)(f)), we have balanced those interests against your rights and freedoms and concluded that, given the nature and limited sensitivity of the data involved, our interests are not overridden.
4. Retention Periods
We retain personal data only for as long as necessary for the purposes described above or as required by applicable law.
- Account and identity data: retained for the duration of your account, plus 30 days following account deletion to allow recovery, after which it is permanently deleted.
- Integration access tokens: deleted immediately upon revocation or account deletion.
- Source code (file contents, diffs, line-level changes): never written to storage. Zero retention.
- Functionality summaries derived from your code: stored and kept current; updated automatically when the relevant code changes. Retained for the lifetime of your workspace and deleted upon account deletion.
- Commit and pull-request metadata (SHA, message, author, timestamp): discarded within 24 hours of processing; progress results derived therefrom are retained for the lifetime of your account.
- Usage and telemetry data: retained in identifiable form for 12 months, then anonymised or deleted.
- Support correspondence: retained for 3 years from the date of last contact.
- Financial records: retained for 7 years as required by Dutch tax law (Belastingdienst).
5. Recipients and Sub-processors
We share your data only with the following categories of recipients:
5.1 Infrastructure and hosting
- Vercel Inc. (United States) — application hosting and analytics. Transfer basis: Standard Contractual Clauses (Art. 46(2)(c) GDPR).
- Database hosting provider — encrypted storage of account and workspace data. Transfer basis: Standard Contractual Clauses where applicable.
5.2 Large language model providers
Deriving functionality summaries from your code requires processing by a third-party large language model API. Waterline currently uses:
- OpenAI, L.L.C. (United States) — LLM inference for summary generation. Relevant code content is transmitted to OpenAI's API over TLS and used solely to generate the summary. OpenAI does not use API inputs to train its models by default. Transfer basis: Standard Contractual Clauses (Art. 46(2)(c) GDPR).
- Anthropic, PBC (United States) — LLM inference for summary generation. Relevant code content is transmitted to Anthropic's API over TLS and used solely to generate the summary. Anthropic does not use API inputs to train its models by default. Transfer basis: Standard Contractual Clauses (Art. 46(2)(c) GDPR).
Waterline will update this section if it adds or replaces LLM providers and will notify affected Customers in advance of any such change.
5.3 Third-party platforms you connect
When you authorise GitHub or Jira integrations, data flows between Waterline and those platforms in accordance with their own privacy policies. Waterline is a data processor with respect to data your organisation controls in those platforms.
5.4 Legal disclosure
We may disclose personal data to competent authorities when required by applicable law, court order, or to protect our legal rights, provided such disclosure is proportionate and limited to what is strictly necessary.
We do not sell personal data. We do not share personal data with advertisers or data brokers.
6. Security
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, disclosure, alteration, and destruction, including:
- Encryption of data in transit using TLS 1.2 or higher
- Encryption of data at rest
- OAuth tokens stored in encrypted form and scoped to the minimum permissions required
- Access controls limiting data access to personnel with a legitimate need
- Regular review of security practices
No method of transmission over the Internet is completely secure. In the event of a personal data breach likely to result in a high risk to your rights and freedoms, we will notify you without undue delay in accordance with Article 34 GDPR.
7. Your Rights Under the GDPR
As a data subject under the GDPR, you have the following rights, exercisable by contacting us at hello@getwaterline.dev:
- Right of access (Art. 15): you may request a copy of the personal data we hold about you.
- Right to rectification (Art. 16): you may request correction of inaccurate or incomplete personal data.
- Right to erasure (Art. 17): you may request deletion of your personal data, subject to our retention obligations.
- Right to restriction of processing (Art. 18): you may request that we restrict processing in certain circumstances.
- Right to data portability (Art. 20): you may request your data in a structured, commonly used, machine-readable format.
- Right to object (Art. 21): you may object to processing based on legitimate interests; we will cease such processing unless we can demonstrate compelling legitimate grounds.
- Right to withdraw consent: where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
We will respond to your request within one calendar month. We may extend this period by a further two months where requests are complex or numerous, in which case we will inform you. We will not charge a fee unless requests are manifestly unfounded or excessive.
You also have the right to lodge a complaint with the Dutch supervisory authority:
Autoriteit Persoonsgegevens
9. Minors
The Service is not directed at persons under the age of 16. We do not knowingly collect personal data from minors. If you believe we have inadvertently collected such data, please contact us and we will delete it promptly.
10. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated to registered users by email at least 14 days before taking effect. The updated policy will be published on this page with a revised effective date. Continued use of the Service after the effective date constitutes acceptance of the revised policy.
11. Contact
For questions, requests, or concerns regarding this Privacy Policy or our data processing practices, contact us at: