1. Introduction
Northset (“we,” “us,” or “our”) builds software that helps engineering managers spot sprint execution drift by analyzing signals from GitHub, Jira, and Slack. This Privacy Policy explains what data we collect, how we use it, and the rights you have over it.
For workspace data pulled from your connected tools, Northset acts as a data processor. Our customers, meaning the organizations that subscribe to Northset, are the data controllers. We process workspace data only on their instructions, under the terms of our customer agreement and Data Processing Agreement.
2. Information We Collect
Workspace Data
When an administrator connects Northset to your tools via OAuth, we ingest:
- GitHub: repository names, pull request metadata (author, assigned reviewers, open/close timestamps, PR size), and review activity.
- Jira: sprint configuration (name, start date, end date, duration), committed ticket snapshots (ticket key, summary, story points, assignee, status, blocked-by links), and mid-sprint additions.
- Slack: channel metadata needed to route alerts to the selected channel.
Usage Data
Server logs and error logs needed to operate the service.
3. How We Use Your Information
- Delivering the Northset service and surfacing alerts.
- Improving the service.
- Security monitoring and abuse prevention.
- Customer support and account communication.
4. Data Sharing
We share data only with subprocessors needed to run the service:
- Render: cloud hosting and PostgreSQL database.
We do not sell personal information. We do not share data with advertisers and do not run advertising on the product.
5. Data Retention
We retain workspace data for the duration of your active subscription plus 90 days after cancellation, after which it is permanently deleted from production systems. Customers may request earlier deletion at any time; verified requests are honored within 30 days.
6. Security
- Encryption in transit via HTTPS/TLS.
- Encryption at rest using AES-256-GCM for all stored OAuth tokens.
- Per-organization credential isolation: no cross-tenant data access.
- OAuth secrets stored as environment variables, never in source code or logs.
7. International Transfers
Northset is hosted on Render's infrastructure in the United States. Customers outside the US should be aware that their data will be processed and stored in the US.
8. Your Rights
Subject to applicable law, you have the following rights over your personal data:
- GDPR: access, deletion, portability, restriction, rectification, and objection.
- CCPA/CPRA: the right to know, delete, and opt out of the sale or sharing of personal information. Northset does not sell personal information.
To exercise any of these rights, email casey@northset.xyz. If you are an end user of a Northset customer, please contact that customer first; we will assist them in responding.
9. Changes to This Policy
We may update this Privacy Policy from time to time. For material changes, we will provide at least 30 days notice by email and in-product before the changes take effect.
10. Contact
Questions, requests, or concerns about this policy can be directed to:
Northset