PRIVACY POLICY

Last Updated: April 18, 2026

2. Scope of This Policy

This Privacy Policy applies to personal data we process:

  • when you visit our websites
  • when you create or use a Dulvarn account
  • when you connect GitHub or other third-party integrations
  • when you subscribe to paid plans or a free trial
  • when you contact us for support or business inquiries
  • when we send onboarding, service, security, administrative, or marketing communications
  • when we process repository-related data, pull request metadata, and related service data to provide the Dulvarn service

This Privacy Policy does not apply to third-party websites, platforms, or services that you access through Dulvarn or that interact with Dulvarn, including GitHub, Stripe, Cloudflare, Anthropic, Slack, Discord, Telegram, or any other third-party provider. Their own privacy notices and terms apply to their services.

3. Business Use Only

Dulvarn is intended for business and professional use only. By using the service, you represent that you are acting for business or professional purposes and that you are at least 18 years old.

We do not knowingly offer Dulvarn to children or knowingly collect children's personal data.

4. Roles: When We Are a Controller and When We Are a Processor

4.1 When we act as a controller

We act as a controller for personal data relating to:

  • website visitors
  • account registration and account administration
  • billing and subscription management
  • customer relationship management
  • support and communications
  • service analytics and product security
  • marketing preferences and newsletter subscriptions
  • legal compliance, fraud prevention, and enforcement

4.2 When we act as a processor

For certain data processed through Dulvarn on behalf of a customer, we act as a processor and the customer acts as the controller. This generally includes repository and team-related data processed through the service for the customer's own development, QA, and release workflows, such as:

  • repository metadata
  • pull request titles
  • file names
  • diff statistics
  • connected GitHub account data
  • team settings and workflow data
  • notification routing data
  • AI prompts and outputs generated from customer-submitted or customer-connected workflow data

Where we act as a processor, we process such data on the customer's documented instructions and subject to the applicable customer contract and, where applicable, a separate Data Processing Agreement.

5. Categories of Personal Data We Process

Depending on how you interact with Dulvarn, we may process the following categories of personal data:

5.1 Identity and business contact data

  • name
  • company name
  • email address
  • VAT number, if provided
  • business-related role or team information

5.2 Account and authentication data

  • login and authentication data
  • GitHub OAuth data
  • account identifiers
  • organization/workspace membership data
  • security-related login metadata

5.3 Billing and transaction data

  • payment metadata
  • plan type
  • subscription status
  • invoice and tax-related metadata
  • limited billing records received from Stripe

We do not store full payment card numbers. Payment processing is handled by Stripe.

5.4 Technical and device data

  • IP address
  • device and browser information
  • timestamps
  • session and security identifiers
  • API and infrastructure logs
  • crash and error logs

5.5 Service and repository-related data

  • repository metadata
  • pull request titles
  • file names
  • diff statistics
  • integration metadata
  • configuration and notification settings
  • AI prompts and AI-generated outputs
  • support and troubleshooting records

5.6 Communication and marketing data

  • support emails and messages
  • contact form submissions
  • newsletter preferences
  • records of consent or opt-out where applicable

5.7 Analytics data

  • privacy-respecting website and product analytics
  • aggregated usage metrics
  • operational performance data

6. Data We Do Not Intend to Collect

We do not intentionally collect:

  • special category data
  • children's data
  • audio/video recordings
  • precise geolocation data
  • direct user file uploads through the product interface, as currently designed

If you submit personal data that is not necessary for the service, you are responsible for ensuring you have a lawful basis to do so.

7. Sources of Personal Data

We collect personal data from:

  • you directly
  • your employer or organization
  • your use of our websites and service
  • GitHub and other connected integrations authorized by you or your organization
  • Stripe for subscription and billing metadata
  • infrastructure and security providers such as Cloudflare and hosting/service operators
  • support and communications channels

8. How We Use Personal Data and Our Legal Bases

Where required by applicable law, we rely on one or more of the following legal bases: performance of a contract, compliance with legal obligations, legitimate interests, and consent.

8.1 To provide and operate Dulvarn

We use personal data to:

  • create and manage accounts
  • authenticate users
  • connect GitHub and other integrations
  • analyze pull requests and repository workflows
  • generate AI-assisted outputs
  • operate release-control and automation features
  • deliver notifications and service functionality

Legal basis: performance of a contract; legitimate interests in operating and securing the service

8.2 To manage subscriptions and billing

We use personal data to:

  • process subscription purchases
  • manage renewals, cancellations, invoices, and account status
  • prevent billing abuse and fraud
  • maintain accounting and tax records

Legal basis: performance of a contract; legal obligations; legitimate interests

8.3 To provide support and service communications

We use personal data to:

  • respond to support requests
  • troubleshoot issues
  • send onboarding, operational, and security notices
  • communicate about incidents, service changes, or important account events

Legal basis: performance of a contract; legitimate interests; legal obligations where applicable

8.4 To improve, monitor, and secure the service

We use personal data to:

  • maintain logs
  • detect abuse, fraud, and unauthorized access
  • investigate incidents
  • monitor uptime and performance
  • improve the quality and reliability of the service

Legal basis: legitimate interests; legal obligations where applicable

8.5 To send marketing communications

We may use personal data to:

  • send business-related product updates
  • provide onboarding and adoption communications
  • send newsletters or promotional communications

Legal basis: legitimate interests for B2B direct marketing where allowed by law; consent where required by law

You may opt out of marketing communications at any time.

9. AI Processing and Automated Decision Support

Dulvarn uses AI-assisted systems and, in some cases, third-party AI providers to generate outputs such as:

  • GO/NO-GO recommendations or status outputs
  • reasoning summaries
  • proposed or repaired automated tests
  • reports and postmortem materials

These outputs may be generated using repository-related data, pull request metadata, diffs, service context, and related inputs required to provide the service.

Important points:

  • Dulvarn is intended as a decision-support and workflow-control system, not a substitute for human judgment.
  • Dulvarn may issue automated status outputs or merge-blocking signals within configured workflows.
  • A human user remains responsible for final merge, deployment, and release decisions.
  • Dulvarn is not intended to make solely automated decisions with legal or similarly significant effects on natural persons.

10. Sharing and Disclosure

We may disclose personal data to the following categories of recipients where necessary:

  • hosting and infrastructure providers
  • payment processors
  • analytics providers
  • email delivery providers
  • AI providers
  • CDN/WAF and security providers
  • customer-authorized integrations
  • professional advisers
  • auditors
  • regulators, courts, law enforcement, or competent authorities where required by law
  • an acquirer or successor in a merger, financing, asset sale, or business reorganization

Current key service providers include:

  • Hetzner – hosting / infrastructure
  • Stripe – payments and billing
  • Cloudflare – CDN / WAF / security
  • Resend – email delivery
  • Anthropic – AI services, where used
  • self-hosted Plausible – privacy-focused analytics
  • self-hosted Ollama / local models – AI processing, where applicable

A fuller subprocessor list may be published separately and updated from time to time.

11. International Transfers

Some of our service providers are located outside the EEA/UK or may process data from outside the EEA/UK, including in the United States.

Where required, we use appropriate safeguards for cross-border transfers, such as:

  • adequacy decisions where available
  • standard contractual clauses
  • contractual, technical, and organizational safeguards appropriate to the transfer context

12. Data Retention

We retain personal data only for as long as reasonably necessary for the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.

Our current baseline retention periods are:

  • inactive account data after cancellation: up to 90 days
  • billing and tax records: 7 years
  • logs, backups, analytics, and support records: up to 12 months, unless longer retention is required for security, dispute resolution, or legal compliance
  • free trial accounts after inactivity post-trial: typically deleted after 30 days of inactivity
  • aggregated analytics: may be retained longer in anonymized or aggregated form

Where technically feasible and contractually appropriate, pull request diff content processed to generate service outputs may be processed transiently and not retained permanently.

13. Cookies and Similar Technologies

We use limited cookies and similar technologies as described in our Cookie Policy.

At a high level:

  • strictly necessary cookies may be used for authentication, security, and core service operation
  • Cloudflare may use security-related technologies
  • Stripe may place cookies or similar identifiers on checkout or billing-related pages
  • our self-hosted Plausible analytics is configured as privacy-first and cookieless

14. Your Rights

Depending on your location and the applicable law, you may have rights including:

  • access
  • rectification
  • erasure
  • restriction
  • objection
  • data portability
  • withdrawal of consent, where processing is based on consent
  • complaint to a supervisory authority

For GDPR-related requests, contact: hello@dulvarn.com

If we act only as a processor for particular customer data, we may direct you to the relevant customer controller.

15. Direct Marketing Objection

You may object to direct marketing at any time. You may also unsubscribe using the link in our marketing emails or by contacting us at hello@dulvarn.com.

16. Security

We use technical and organizational measures designed to protect personal data, including access controls, logging, daily PostgreSQL backups, infrastructure security controls, and operational safeguards appropriate to the size and nature of the service.

No method of transmission or storage is completely secure, and we cannot guarantee absolute security.

17. Legal and Compliance Disclosures

We may preserve, use, and disclose personal data where necessary to:

  • comply with law
  • respond to lawful requests by authorities
  • enforce our agreements
  • protect rights, property, and safety
  • investigate fraud, abuse, or security incidents

18. Changes to This Policy

We may update this Privacy Policy from time to time. If we make a material change, we will post the updated version and update the “Last Updated” date. Where required by law, we will also provide additional notice.

19. Contact

For privacy questions or requests, contact:

Jan Duris
Email: hello@dulvarn.com

Registered address: Czech Republic
Company ID / IČO: Registration pending