Privacy Policy

Last updated: April 2026

1. Data Controller

The data controller for personal data collected through the TicksyAI service is:

WeDevIt
France
Email: [email protected]

Processing is governed by the EU General Data Protection Regulation (GDPR, Regulation 2016/679) and French Law No. 78-17 of 6 January 1978 (Loi Informatique et Libertés).

2. Data We Collect

  • Account data: name, email address, hashed password (bcrypt), registration date.
  • Authentication data: TOTP secret (AES-256 encrypted), login history (IP, timestamp).
  • Integration credentials: Jira, GitHub, GitLab API tokens — encrypted at rest (AES-256), never shared with third parties.
  • Usage data: agent run history (ticket key, status, duration, result), AI token consumption.
  • Billing data: Stripe customer ID, subscription reference. No card data is stored on our servers.
  • Technical data: IP addresses (rate limiting), anonymised error logs (deleted after 30 days).

We do not collect special category data as defined in Article 9 GDPR.

3. Legal Bases and Purposes

Purpose | Legal basis
Providing the service (AI agents, runs) | Contract performance (Art. 6.1.b GDPR)
Account authentication and security | Contract + legitimate interest (Art. 6.1.b & f)
Billing and subscription management | Legal obligation + contract (Art. 6.1.b & c)
Transactional emails (run notifications) | Contract performance (Art. 6.1.b)
Service improvement, aggregated analytics | Legitimate interest (Art. 6.1.f)
Technical log retention | Legal obligation (Art. 6.1.c)

4. Sub-processors and Transfers

  • Anthropic (Claude API) — AI processing of tickets. Data: ticket content + repository file tree.
  • Stripe — online payments. Data: billing information. PCI-DSS compliant.
  • Resend — transactional email delivery. Data: recipient email, notification content.
  • OVHcloud VPS (France) — server infrastructure. Data hosted in France.

Data transfers outside the EU occur only with Anthropic (USA), based on Standard Contractual Clauses (SCCs) approved by the European Commission.

5. Retention Periods

  • Account data: duration of account + 30 days after deletion.
  • Agent run history: 90 rolling days.
  • Billing data: 10 years (accounting obligation).
  • Technical logs: 30 days.
  • Encrypted integration tokens: deleted immediately upon revocation or account deletion.

6. Security

  • Encryption in transit: TLS 1.2+ on all endpoints.
  • Encryption at rest: AES-256 for integration tokens and 2FA secrets.
  • Strong authentication: mandatory TOTP 2FA for all accounts.
  • Passwords hashed with bcrypt (cost ≥ 12).
  • Rate limiting and brute-force protection on all auth endpoints.

7. Your Rights (GDPR)

Under Articles 15–22 GDPR, you have the following rights:

  • Right of access (Art. 15): obtain a copy of your personal data.
  • Right to rectification (Art. 16): correct inaccurate data from Settings.
  • Right to erasure (Art. 17): delete your account and all data from Settings.
  • Right to restriction (Art. 18): suspend processing of your data.
  • Right to portability (Art. 20): export your data in a structured format.
  • Right to object (Art. 21): object to processing based on legitimate interest.

To exercise these rights, contact [email protected]. We will respond within one month (Art. 12 GDPR).

You may also lodge a complaint with the CNIL (French Data Protection Authority): cnil.fr.

8. Cookies

TicksyAI uses only strictly necessary cookies:

  • Authentication session (__Secure-next-auth.session-token): HTTP-only, SameSite=Lax, 24h TTL.
  • Language preference (locale): SameSite=Lax, 1 year TTL.

No advertising or third-party tracking cookies are used. No consent banner is required for these technical cookies.

9. Changes

Registered users will be notified by email of any material changes to this policy at least 15 days before the changes take effect.

10. Contact

Email: [email protected]

CNIL: cnil.fr/en/complaints