Privacy Policy

Engineering Analytics Platform · Last updated June 30, 2026

This Privacy Policy describes how the Engineering Analytics Platform (“the platform,” “we,” or “us”) collects, uses, stores, and shares information when you register, sign in, and use the service. The platform is a multi-tenant cloud application that helps engineering organizations analyze software development activity from connected source-control providers.

Your organization’s administrator configures connections, imports, and platform settings. If you access the platform through an employer or customer organization, that organization’s policies may also apply.

What the platform is — and is not

The platform is designed for engineering visibility, team collaboration analytics, repository ownership, pull request process health, executive reporting, and AI-assisted analysis grounded in your imported analytics.

It is not intended as employee surveillance, individual productivity scoring, time tracking, or raw Git statistics for performance management. Organization administrators can map developers to teams, vendor teams, or ignore lists — including automated bot detection — so reporting reflects intentional engineering analytics rather than every identity in source control.

Information we collect

Account and membership information

When you register or sign in, we store information needed to identify your account and scope access to organizations you belong to, including:

  • Display name and email address
  • Authentication provider type (for example, Microsoft Entra ID / Azure AD)
  • External user and tenant identifiers from your identity provider
  • Organization memberships and role (Administrator or Viewer)
  • Last sign-in time and last selected organization

Registration and sign-in use provider-based authentication. Azure AD / Microsoft Entra ID is the initial supported provider; your organization supplies its own app registration and tenant configuration, which is stored per organization rather than in shared application settings.

Organization and platform configuration

For each organization, administrators may configure:

  • Organization name and slug
  • Encrypted authentication provider settings (tenant ID, client ID, and protected client secret)
  • Encrypted Azure DevOps connection credentials (organization slug and personal access token)
  • Selected projects and repositories to monitor
  • Optional settings such as line count import and AI assistant policy (named developer questions, developer comparisons, and analytics context window in days)

Personal access tokens and client secrets are encrypted at rest using ASP.NET Data Protection before being stored in the application database.

Engineering activity imported from source control

When an organization connects Azure DevOps and runs a code import, boards & flow import, or incremental synchronization, the platform copies selected engineering activity into the platform for reporting. Dashboards and analytics read from this imported data rather than repeatedly querying your provider during normal use.

Imported data may include:

  • Commits: SHA, message, author name and email, timestamps, repository, optional line and file change statistics, and file paths when line count import is enabled
  • Pull requests: title, status, branches, timestamps, reviewers, review votes, and comments (including comment text and optional file paths)
  • Developer identities discovered from commits and pull requests: display names, email addresses, and provider identity references
  • Administrator-defined mappings: team assignments with effective dates, vendor classifications, and ignored or bot-classified identities
  • Import and synchronization job metadata (status, counts, and timing)

Line count import is disabled by default. When enabled by an administrator, the platform uses Azure DevOps diff APIs to fetch per-commit line statistics, which increases the volume of engineering metadata stored and processed.

AI assistant data

When the AI assistant is configured and used, we store:

  • Conversation sessions tied to your user account and organization
  • Your questions and assistant responses
  • Token usage, model name, estimated cost, and monthly credit consumption per organization

Each AI request includes a JSON analytics context built from your organization’s imported analytics for a configurable number of days (default 90, adjustable by administrators between 7 and 365). By default, this context uses aggregate metrics. Named individual developer metrics and developer comparisons are included only when explicitly enabled by an organization administrator.

When OpenAI is configured, your question, conversation history, system instructions, and analytics context are sent to the OpenAI API to generate a response. OpenAI’s handling of that data is governed by OpenAI’s terms and policies.

Microsoft Graph directory lookup (administrators only)

Administrators may test an organization’s Azure AD connection by listing directory users through Microsoft Graph. This requires a one-time administrator sign-in with delegated User.ReadBasic.All permission. The platform requests display name, email, and user principal name for up to 25 users and displays them in the administration UI. Graph access tokens are held in server memory only until they expire and are not written to the database.

Technical and operational data

When Application Insights is configured, the platform may collect standard web telemetry such as request performance, dependencies, and exceptions to operate and diagnose the service. Server logs may record operational events related to imports, synchronization, and authentication.

How we use information

We use collected information to:

  • Authenticate users and enforce organization-scoped roles
  • Connect to Azure DevOps, import history, and keep your analytics current through scheduled or manual sync
  • Power dashboards, mapping workflows, and administration tools
  • Provide AI-assisted analysis grounded in imported analytics
  • Enforce monthly AI credit limits configured for the deployment
  • Maintain connection health, job status, and platform reliability

All tenant-owned data is scoped to the organization selected in your session. Users may belong to multiple organizations and choose which organization context is active.

Cookies and session storage

The platform uses essential cookies to operate:

  • Authentication cookie (EngineeringAnalytics.Auth) — keeps you signed in with sliding expiration
  • Organization cookie (EngineeringAnalytics.OrganizationId) — remembers your selected organization for up to 30 days; HttpOnly and SameSite=Lax
  • Dashboard filter cookie (EngineeringAnalytics.DashboardFilter) — persists date range, repository, and team filter selections per organization while you browse dashboards

These cookies are used for functionality, not advertising.

How we share information

We do not sell personal information. We share data only as needed to provide the service:

  • Microsoft Entra ID / Azure AD — for registration, sign-in, and optional Graph directory verification initiated by administrators
  • Azure DevOps — to validate connections, discover projects and repositories, import historical activity, and run incremental synchronization using credentials supplied by your organization
  • OpenAI — when configured, to process AI assistant requests as described above
  • Microsoft Azure — the platform is designed to run on Azure services including App Service, SQL Server, Blob Storage, Key Vault, and Application Insights in deployed environments

Within your organization, Administrators can configure the platform, run imports, map developers, and adjust AI policy. Viewers can access dashboards and the AI assistant but cannot change platform configuration.

Data security

We protect sensitive credentials by encrypting Azure DevOps personal access tokens and authentication provider secrets before database storage. Deployed environments are intended to resolve additional secrets from Azure Key Vault. Access to organization data requires authentication and an active membership in the selected organization.

No security measure is perfect. Administrators should use least-privilege personal access tokens, rotate credentials periodically, and limit which repositories are monitored to what the organization needs for analytics.

Data retention

Imported engineering activity is retained by the platform as the source of truth for reporting until deleted by operational processes defined by the platform operator or your organization. AI conversation history remains until you delete a conversation or it is removed through administrative action. Account and membership records persist while your account and organization relationships remain active.

Your choices

  • Organization context — switch organizations from the footer selector when you belong to more than one
  • AI conversations — delete individual conversations from the AI assistant
  • Administrator controls — organization administrators choose which repositories to import, whether line counts are fetched, how developers are mapped or ignored, and how the AI assistant may use named developer data

Questions about data collected on behalf of your employer or customer should be directed to your organization administrator first.

Children

The platform is a business-to-business engineering analytics service and is not directed at children under 16.

Changes to this policy

We may update this Privacy Policy as the platform evolves — for example, when new providers, dashboards, or AI capabilities are added. The “Last updated” date at the top of this page will change when we do. Continued use of the platform after an update constitutes acceptance of the revised policy.

Contact

For privacy questions about a deployment you manage, contact your platform operator or organization administrator. For product feedback about Engineering Analytics Platform, reach out through your organization’s normal support channel.