Last updated May 1, 2026

Privacy Policy

This policy describes what data Dagron collects, how we use it, who we share it with, and your rights as a user.

Who we are

Dagron is a software-capitalization tool. Our customers are engineering organizations who connect us to their planning tools (Jira, Linear), source-control systems (GitHub), and HR systems (Workday, ADP, Gusto, BambooHR, Rippling) so we can produce audit-ready financial reports about software-development cost classification.

Throughout this document, “Dagron”, “we”, and “us” refer to the company. The “Service” means the Dagron web application, APIs, and integrations.

What we collect

Account data. When you sign up, we collect your name, email address, profile picture (if available from your SSO provider), and the organization you create or join. We use this to authenticate you and route you to your workspace.

Integration data. When you connect Jira, GitHub, Linear, or an HRIS provider, we read project metadata (Epics, Initiatives, Issues), pull-request and commit metadata (titles, authors, merge dates, file counts — not source code), contributor identities (names, email addresses, employment type), and compensation data (salary, employment dates) where HRIS is connected. We store the minimum necessary to produce capitalization reports.

Usage data. Standard server logs (IP address, browser, request paths, timestamps) for security, debugging, and rate-limiting. Retained 30 days unless required for an investigation.

What we do NOT collect. We do not read source code, file contents, or PR diffs. We do not collect customer financial records beyond compensation metadata supplied via HRIS. We do not record audio or video.

How we use data

We use the data above to: (a) authenticate you and provide the Service, (b) cluster your work into capitalization candidates, (c) calculate capitalizable hours and costs, (d) generate audit-ready reports, (e) send transactional emails (sign-in links, invitations, billing notices), and (f) improve the Service.

We do not train AI models on customer data. When we use AI services (Anthropic, OpenAI) to summarize project clusters or generate classification reasoning, we send only project-level metadata. Customer data is never used as training input by any provider we work with, and our contracts with these providers prohibit such use.

Subprocessors

We rely on a small set of vetted subprocessors to operate the Service. Adding a new subprocessor requires security review and an updated DPA. Current list:

  • Vercel — application hosting (US regions)
  • Neon — Postgres database (US regions, encrypted at rest)
  • Anthropic — AI classification reasoning (no training)
  • OpenAI — text embeddings for project clustering (no training)
  • Vanta — security automation & SOC 2 monitoring
  • Resend — transactional email delivery

We'll provide 30-day notice before adding or replacing subprocessors. Subscribe to the Trust page or watch this list.

Data sharing

We do not sell, rent, or trade personal data. We share data only with: (a) our subprocessors above, under data-processing agreements; (b) law enforcement when compelled by valid legal process; (c) a successor entity in the event of a merger or acquisition (you'll get notice + the option to delete).

Data retention

Account and integration data are retained while your account is active. After account deletion, we delete your data within 30 days, except where retention is required by law (typically tax, accounting, or audit obligations — up to 7 years in some jurisdictions).

You can export your data at any time via the in-app CSV export. For a complete data export including raw integration metadata, email hello@example.com.

Your rights

Depending on your jurisdiction (GDPR for EU/UK, CCPA for California, similar regimes elsewhere), you have rights to access, correct, delete, or port your personal data. To exercise any of these, email hello@example.com from the address associated with your account. We respond within 30 days.

EU/UK users: our lawful basis is contract performance (Art. 6(1)(b) GDPR) for delivering the Service, and legitimate interest (Art. 6(1)(f)) for security logs and product improvement. A DPA is available on request.

Security

All customer data is encrypted at rest (AES-256) and in transit (TLS 1.2+). Integration credentials are encrypted with a separate envelope key. We isolate customer organizations at the database query layer. Our security program is described at our Trust page.

Report a security concern to security@example.com. We respond within one business day.

Cookies

We use a small number of strictly-necessary cookies for authentication (Auth.js session token), CSRF protection, and tenant routing. We do not use advertising or analytics cookies on the Service itself. The marketing site uses no cookies.

Changes to this policy

We'll post material changes here at least 30 days before they take effect. The “Last updated” date at the top reflects the most recent revision.

Contact

Questions? Email hello@example.com.