Deploq
Sign Up

Privacy Policy

How we handle and protect your data

Last updated: March 2026

1. Introduction

Deploq ("we", "us", or "our") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, share, and safeguard your information when you use our AI-powered workflow automation platform ("Service"). It also describes your rights and how to exercise them.

This policy applies to all users globally. Where applicable, we identify specific rights for users in the European Union/EEA (GDPR) and California (CCPA) in dedicated sections below. By using the Service, you acknowledge you have read and understood this Privacy Policy.

2. Data We Collect

Account Information

  • Name, email address, and profile details provided at signup
  • Authentication data (password hashes, OAuth tokens from Google or other providers)
  • Billing information (processed by Paddle; we do not store payment card details)
  • Company name and role, if provided

Workflow Data

  • Workflow descriptions you provide in natural language
  • Generated plans and deployment configurations
  • Deployment logs and agent chat transcripts
  • Configuration history for connected tools

Tool Credentials

  • API keys, OAuth tokens, and login credentials for third-party tools you connect to Deploq
  • These are encrypted using AES-256 encryption at rest
  • Credentials are never logged, stored in plaintext, or accessible to Deploq staff

Information from Third Parties

  • If you connect your account via OAuth (e.g., Google Sign-In), we receive your name, email, and profile picture from that provider
  • When you connect third-party tools, we may receive metadata about those tool accounts (e.g., account name, workspace ID) in order to configure them

Automatically Collected Data

  • Pages visited, features used, clicks, and interaction patterns
  • Device type, browser type and version, operating system, screen resolution, and time zone
  • IP address and approximate geographic location (country/city)
  • Referring URLs and session duration
  • Performance metrics, error reports, and crash data
  • Cookies and similar tracking technologies (see Section 9 and our Cookie Policy)

3. How We Use Your Data

  • Execute workflows: To configure your connected tools as instructed through the Service
  • Provide the Service: To manage your account, process payments, and deliver core platform features
  • Improve the Service: To enhance AI accuracy, recipe quality, and platform reliability using aggregated and anonymized signals
  • Analytics: To understand usage patterns, identify popular features, and improve the user experience
  • Communication: To send account notifications, product updates, security alerts, and support responses
  • Marketing: To send promotional communications about Deploq features and offers (with your consent where required by law; see Section 14)
  • Security: To detect, prevent, and investigate fraud, abuse, unauthorized access, and other harmful activity
  • Legal compliance: To comply with applicable laws, regulations, legal process, and enforceable governmental requests

4. Lawful Bases for Processing (GDPR)

If you are located in the EU/EEA, we process your personal data under the following legal bases:

  • Contract performance (Art. 6(1)(b)): Processing necessary to provide the Service you have signed up for, including executing workflows, managing your account, and processing payments.
  • Legitimate interests (Art. 6(1)(f)): Processing for analytics, fraud prevention, security, product improvement, and direct marketing to existing customers, where our interests are not overridden by your rights.
  • Consent (Art. 6(1)(a)): Processing where you have given explicit consent, such as for optional marketing communications or certain cookies. You may withdraw consent at any time.
  • Legal obligation (Art. 6(1)(c)): Processing necessary to comply with applicable laws, regulations, or court orders.

5. Data Security

  • Tool credentials are encrypted with AES-256 at rest and are never accessible to Deploq staff
  • Browser sessions used for workflow deployment are ephemeral and isolated, destroyed after each build via Browserbase
  • All data in transit is encrypted using TLS 1.3
  • Access to production systems is restricted to authorized personnel and is audited
  • We conduct periodic security reviews and vulnerability assessments

6. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify affected users and, where required by law, the relevant supervisory authority within 72 hours of becoming aware of the breach. Notifications will be sent to the email address associated with your account and will describe the nature of the breach, the data affected, and the steps we are taking to address it.

7. Third-Party Services

We use the following third-party service providers to operate the platform. Deploq is the data controller; these providers act as data processors on our behalf under appropriate data processing agreements:

  • Supabase: Database and authentication infrastructure. Data is hosted in the US. Privacy Policy
  • Paddle: Payment processing and merchant of record. Paddle processes billing data under their own privacy policy. Privacy Policy
  • Browserbase: Ephemeral browser sessions for autonomous workflow deployment. Sessions are destroyed after each build. Privacy Policy
  • PostHog: Product analytics. We use PostHog in a privacy-preserving configuration with IP anonymization. Privacy Policy
  • Sentry: Error monitoring and performance tracking. Error reports may include anonymized stack traces. Privacy Policy

We only share the minimum data necessary for each provider to perform their services. We do not sell your personal information to third parties.

8. International Data Transfers

Deploq is based in South Africa. If you access the Service from the EU/EEA, UK, or other regions with data transfer restrictions, your personal data may be transferred to and processed in countries where our infrastructure providers operate, including the United States.

For transfers of personal data from the EU/EEA to the US, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission as the legal transfer mechanism. Our key infrastructure provider, Supabase, operates under a Data Processing Agreement that incorporates SCCs. By using the Service, you consent to such transfers to the extent consent is required by applicable law.

9. Cookies & Tracking

We use essential cookies for authentication and session management. We use PostHog for analytics, which may set additional cookies to track usage patterns. You can manage cookie preferences through your browser settings; however, disabling essential cookies may prevent the Service from functioning properly.

See our Cookie Policy for a full list of cookies we use, their purpose, and how to opt out.

10. Do Not Track

Some browsers offer a "Do Not Track" (DNT) signal. We do not currently respond to DNT signals because there is no consistent industry standard for interpreting them. We use PostHog for analytics, which collects pseudonymized usage data regardless of DNT signals. You may opt out of PostHog analytics by adjusting your cookie preferences.

11. Data Retention

  • Account data (name, email, profile): Retained while your account is active. Deleted within 30 days of account closure, except where retention is required by law.
  • Deployment logs and chat transcripts: Retained for 90 days, then automatically purged.
  • Tool credentials: Deleted immediately when you remove them or close your account.
  • Billing records: Retained for 7 years as required by applicable tax and accounting laws.
  • Analytics data: Anonymized/aggregated analytics data may be retained indefinitely for product improvement purposes.
  • Security logs: Retained for 12 months to support fraud detection and incident response.

12. Your Rights (GDPR)

If you are located in the EU/EEA, you have the following rights regarding your personal data:

  • Access (Art. 15): Request a copy of the personal data we hold about you
  • Rectification (Art. 16): Request correction of inaccurate or incomplete data
  • Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten")
  • Portability (Art. 20): Request your data in a structured, machine-readable format
  • Objection (Art. 21): Object to processing of your data for direct marketing or on grounds relating to your particular situation
  • Restriction (Art. 18): Request restriction of processing in certain circumstances
  • Withdraw consent: Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing
  • Lodge a complaint: You have the right to lodge a complaint with your local data protection supervisory authority (e.g., the ICO in the UK, or the relevant EU national DPA)

To exercise any of these rights, contact us at privacy@deploq.ai. We will respond within 30 days (or within the timeframe required by applicable law). We may need to verify your identity before processing your request.

13. California Privacy Rights (CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA) grants you the following rights:

  • Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you, the sources of that information, our business purpose for collecting it, and the categories of third parties with whom we share it.
  • Right to Delete: You may request deletion of personal information we have collected from you, subject to certain exceptions.
  • Right to Opt-Out of Sale: We do not sell your personal information to third parties, and we have not done so in the preceding 12 months.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.
  • Shine the Light (Cal. Civil Code § 1798.83): California residents may request information about disclosures of personal information to third parties for their direct marketing purposes. We do not share your personal information with third parties for their direct marketing purposes.

To submit a CCPA rights request, contact us at privacy@deploq.ai or by mail at the address in Section 16. We will respond within 45 days, with a possible 45-day extension with notice.

14. Marketing Communications

We may send you promotional emails about Deploq features, updates, and offers. Where required by law (e.g., for EU/EEA users), we will obtain your explicit consent before sending marketing emails. You may unsubscribe from marketing communications at any time by clicking the "Unsubscribe" link in any marketing email or by contacting us at privacy@deploq.ai. Unsubscribing from marketing emails will not affect transactional emails related to your account (e.g., receipts, security alerts).

15. Children's Privacy

Deploq is not intended for use by anyone under 18 years of age. We do not knowingly collect personal data from children under 18. If we become aware that we have inadvertently collected personal data from a child under 18, we will take steps to delete that information promptly. If you believe we may have collected data from a child under 18, contact us at privacy@deploq.ai.

16. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. Material changes will be communicated via email or in-app notification at least 30 days before they take effect. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of the Service after any changes constitutes your acceptance of the updated policy.

17. Contact Us

For privacy questions, to exercise your rights, or to contact our Data Protection Officer (DPO):

EU/EEA residents may also contact our representative or lodge a complaint with your local data protection authority.