Prod Buddy
Prod Buddy

Privacy Policy

Last updated: May 12, 2026

1. Overview

Prod Buddy (“we,” “us”) is operated by Hova Labs and runs an autonomous on-call product that ingests errors from your monitoring tools, diagnoses them using AI, opens pull requests with proposed fixes in your repositories, and notifies responders by SMS and email. This policy explains what data we collect, why we collect it, where it goes, and how you can control it.

2. Data we collect

Account data. Email, name, avatar (from OAuth provider where applicable), organization name, role (owner / admin / responder / viewer), and authentication metadata managed through Supabase Auth. Passwords are hashed by Supabase and never visible to us.

Team data. Team-member phone numbers, notification preferences (SMS on/off), free-form scheduling notes you add about teammates (e.g. recurring unavailability, observance windows), on-call rotation memberships, and group memberships.

Customer error data. Error titles, stack traces, file paths and line numbers, environment tags, error counts, and any linked tickets or pull requests. This data is provided by you via webhooks from your error monitoring tools (Sentry, Bugsnag, Rollbar, Datadog) and is treated as your confidential data.

Connected-system credentials. When you connect a repository or error provider, we store the access tokens needed to operate on your behalf — Sentry REST API auth tokens, GitHub OAuth provider tokens, ticket-provider credentials, and webhook signing secrets. Provider secrets are stored encrypted at rest in our integration-credentials store and are never returned in plaintext through the UI.

Messaging consent record. When you sign up, the exact text you agreed to, a consent version identifier, the timestamp, your IP address, and your user agent are stored on your user record as durable proof of consent (required for SMS / 10DLC compliance under TCPA and Twilio policy).

Usage & billing metadata. Incident counts, AI token consumption, SMS segment counts, active-project counts, and resolution times. Used to operate the service and to generate Stripe invoices.

Audit log. Significant actions taken in the app (role changes, project creation, integration changes, member removals) are recorded with the actor and timestamp for compliance and incident review.

Captcha verification. At signup we use Cloudflare Turnstile to deter automated abuse. Turnstile receives a short-lived token from your browser to verify you're human; we do not store the token after verification.

Optional product analytics. Pageviews and product interactions via PostHog, and error session replays via Sentry. Both are off by default and only run with your explicit, separately-managed consent. See our Cookie Policy for details and to change your preferences.

3. How we use data

  • Run the on-call pipeline — diagnose errors, propose fixes, open and update pull requests, route notifications to the right responder.
  • Send transactional SMS and email about incidents, on-call assignments, and billing.
  • Meter and bill for usage (AI tokens, SMS segments, active projects) via Stripe.
  • Detect abuse, prevent fraud, and maintain reliability of the service.
  • Respond to your support requests and operate the customer relationship.
  • Comply with legal obligations, including SMS-consent record-keeping requirements.

4. Legal bases

Where applicable (e.g. for users in the EU/UK), we rely on the following bases under GDPR / UK GDPR:

  • Contract — to provide the Service you signed up for.
  • Legitimate interests — to keep the Service secure, prevent abuse, and improve reliability.
  • Consent — for optional product analytics, session replay, and SMS notifications.
  • Legal obligation — to retain billing records and SMS consent proof.

5. Subprocessors

We share data only with subprocessors required to operate the Service:

  • Supabase — Postgres database, authentication, and storage.
  • Vercel — application hosting and edge delivery.
  • Anthropic — AI inference for diagnoses and proposed fixes. We send the minimum context needed (relevant stack trace and source snippets) and do not authorize Anthropic to use your data for model training.
  • Twilio — SMS delivery.
  • Stripe — billing and payment processing.
  • GitHub — pull-request creation and repository access via OAuth / GitHub App.
  • Cloudflare Turnstile — captcha at signup.
  • PostHog — product analytics (opt-in only).
  • Sentry — error monitoring and session replay for the Prod Buddy app itself (replay is opt-in only).
  • Your chosen error / ticket providers — Sentry, Bugsnag, Rollbar, Datadog, Linear, GitHub Issues, etc., as you connect them.

6. International transfers

Our subprocessors operate primarily in the United States. If you access the Service from outside the US, your data will be transferred to and processed there. Where required, our subprocessors rely on Standard Contractual Clauses or equivalent transfer mechanisms.

7. Security

We follow standard practices to protect your data, including encryption in transit (TLS), encryption at rest for sensitive credentials in our integration-credentials store, row-level security on all customer-data tables in Postgres, HMAC signature verification on incoming webhooks, role-based access controls, and audit logging of sensitive actions. No system is perfectly secure — if we become aware of a breach affecting you, we will notify you without undue delay.

8. Retention & deletion

Account, team, and incident data is retained while your organization is active. On organization deletion we soft-delete for 30 days (to allow accidental-deletion recovery) and then purge. Billing records and SMS-consent records are retained for the longer of the regulatory minimum or seven years. You can request an export or immediate deletion of personal data from your account settings or by emailing us.

9. Your rights

Depending on your jurisdiction, you may have the right to access, correct, export, delete, or restrict processing of your personal data, and to withdraw consent for anything we process on the basis of consent (analytics, SMS notifications). To exercise any of these rights, email prodbuddyai@gmail.com. We will respond within the timeframes required by applicable law.

For SMS specifically: reply STOP to any message to opt out of further messages from that sender. Opting out of incident alerts will degrade the on-call value of the Service for your team.

10. Children's privacy

The Service is not directed to children. You must be at least 18 years old to create an account. We do not knowingly collect personal data from anyone under 18; if we learn we have, we will delete it.

11. Changes

We may update this policy from time to time. Material changes will be announced via email to organization owners and posted here with an updated “Last updated” date.

12. Contact

Questions about this policy or how we handle your data? Email us at prodbuddyai@gmail.com. See also our Terms of Service and Cookie Policy.