Privacy Policy

Our privacy policy and how we use your data

Effective date: June 2, 2026

This Privacy Policy explains how Delego processes personal data when you visit getdelego.app, create an account, connect Linear, pair a local runner, or otherwise use the Delego service.

Delego is a Linear-to-local-agent runner. The public web application acts as a relay between Linear and a runner CLI that you operate on your own machine. The local runner can invoke customer-controlled tools such as Codex or Claude Code under your own accounts and configuration.

Controller

The controller of your personal data is Marcin Ziętek conducting business under the name Ziętech, a sole proprietorship registered in Poland.

Address
Prymasa Stefana Wyszyńskiego 10/17, 62-800 Kalisz, Poland
NIP
6182037436
REGON
362028699
Privacy contact
hello@getdelego.app

We have not appointed a Data Protection Officer. Please use the privacy contact above for all privacy-related requests.

Who may use Delego

Delego is intended for users who are at least 18 years old. It is currently offered for personal accounts. Business and team accounts may be introduced later; if that happens, this Policy will be updated before those features are made available.

Data we process

Depending on how you use Delego, we process the following data:

  • Account and authentication data: email address, account name, authentication provider identifiers, session data, password authentication handled by Supabase, one-time password verification data, multi-factor authentication data if enabled, account settings, profile data, language and theme preferences.
  • Linear integration data: Linear organization identifiers and names, Linear OAuth app configuration, encrypted Linear client secrets, encrypted webhook secrets, encrypted access and refresh tokens, granted scopes, token health metadata, Linear issue identifiers, titles, URLs, project names, labels, prompt context, Agent Session identifiers, user replies, and Agent Session activity data required to create and update delegated jobs.
  • Runner and job data: runner display name, runner version, supported executors, heartbeat status, active job identifier, pairing token hashes, runner bearer credential hashes, job state, repository slug, execution preferences, model and reasoning settings, progress events, job attempts, runner summaries, local branch names, local worktree paths, commit metadata, pull request metadata, stdout or stderr tails, assistant responses, pending questions, and operational communication logs.
  • GitHub-related data: repository owner/name slugs, branch names, commit metadata, pull request URLs, pull request numbers, and pull request titles. Delego does not store your GitHub OAuth token for the local runner flow; pushes and pull requests are performed by the runner using your local git and GitHub CLI configuration.
  • Website and device data: IP address, request URL, browser and device information, approximate location derived from network data, referrer, timestamps, log entries, security events, errors, performance telemetry, and similar technical data generated when you use the website and APIs.
  • Analytics and product data: page views, product events such as sign-in and feature usage, user identifiers, email address as an analytics trait when you sign in, session replay data, and feature flag evaluation data. In production, PostHog is configured in the EU region for product analytics, session replay, and feature flags. Browser-side PostHog analytics, replay, and feature flags start after you accept required technologies in the Delego cookie banner.
  • Error monitoring data: errors, stack traces, request path, request method, headers, performance traces, session replay data, user identifier, and email address. In production, Sentry is configured for error monitoring, performance monitoring, and session replay. Browser-side Sentry monitoring and replay storage start after you accept required technologies in the Delego cookie banner. Server-side error monitoring may run where necessary to operate, secure, and troubleshoot Delego.
  • Email delivery data: email address, delivery metadata, and email content needed to send transactional emails, such as account verification, password reset, one-time codes, and account deletion messages. Production transactional email is sent using ZeptoMail.

Delego is not designed for special category data, government ID numbers, payment card numbers, health data, or other highly sensitive data. Please do not include that type of data in Linear issues, prompts, job context, repository names, runner output, or support messages unless it is strictly necessary and lawful for your use case.

Customer-controlled AI tools

When you configure the local runner to use Codex, Claude Code, or another executor, the runner can send Linear issue content, prompts, repository context, and execution instructions to those tools from your own machine under your own provider account and configuration. In that situation, you decide which provider to use, which model to use, and what data the runner submits to that provider.

We treat those AI providers as customer-controlled tools for the runner flow. You should review the privacy terms, retention settings, and data-use settings of OpenAI, Anthropic, and any other executor provider you configure.

Purposes and legal bases

PurposeLegal basisExamples
Providing the serviceArticle 6(1)(b) GDPR - contract or steps before contractAccount creation, sign-in, Linear connection, runner pairing, job dispatch, job history, and dashboard features.
Securing and operating the serviceArticle 6(1)(f) GDPR - legitimate interestsServer logs, fraud and abuse prevention, authentication security, webhook signature checks, access control, debugging, and incident response.
Product analytics, session replay, and feature flagsArticle 6(1)(f) GDPR - legitimate interests for product improvement and service reliability; acceptance or consent where cookie/ePrivacy rules require storage technologiesPostHog page views, product events, feature flag evaluation, and replay diagnostics after banner acceptance.
Error and performance monitoringArticle 6(1)(f) GDPR - legitimate interests for server-side operations, security, and diagnostics; acceptance or consent where cookie/ePrivacy rules require browser-side replay or storage technologiesSentry errors, traces, request context, user identifiers, and browser replay diagnostics after banner acceptance.
Transactional communicationArticle 6(1)(b) GDPR and Article 6(1)(f) GDPREmail verification, password reset, one-time login codes, security notices, account deletion confirmation, and service messages.
Legal compliance and claimsArticle 6(1)(c) GDPR and Article 6(1)(f) GDPRResponding to data subject requests, keeping evidence of requests, enforcing terms, and defending legal claims.

Delego does not currently process payments. If paid plans are introduced later, we expect to use Stripe and will update this Privacy Policy before billing goes live.

When we are a processor

For account management, product analytics, security, and service administration, we act as a controller. If you use Delego to process personal data of other people in Linear issues, prompts, repositories, runner output, or job metadata, you are responsible for having a lawful basis for that processing. In that context, we may process that content as your processor or service provider to operate the Delego relay according to your instructions.

If you need a data processing agreement for business use, contact us at hello@getdelego.app.

Recipients and subprocessors

We share personal data only where necessary to provide, secure, monitor, and improve Delego, or where required by law. Current and expected recipients include:

  • Vercel - hosting, serverless functions, deployments, request logs, and infrastructure operations.
  • Supabase - authentication, Postgres database, row-level security, realtime delivery, and related backend services.
  • Linear - OAuth installation, webhooks, GraphQL API calls, Agent Session updates, and issue workflow updates.
  • PostHog - EU-hosted product analytics, session replay, and feature flags.
  • Sentry - error monitoring, performance monitoring, and session replay.
  • ZeptoMail - transactional email delivery.
  • GitHub - repository and pull request metadata when you configure repository mappings and the local runner publishes branches or pull requests through your local git and GitHub CLI setup.
  • OpenAI and Anthropic - only as customer-controlled AI tool providers when you configure your local runner to use Codex, Claude Code, or related tools.
  • Stripe - future payment processing if paid billing is introduced.
  • Professional advisers, courts, public authorities, or other recipients where necessary for legal compliance or claims.

International transfers

We are based in Poland and use providers that may process data in the European Economic Area, the United States, the United Kingdom, or other countries where they operate. PostHog is configured for EU hosting. Other providers may involve international transfers.

Where personal data is transferred outside the EEA, we rely on appropriate safeguards such as adequacy decisions, the EU-U.S. Data Privacy Framework where applicable, Standard Contractual Clauses, and supplementary technical and organisational measures required by GDPR.

Cookies and similar technologies

We use cookies, local storage, and similar technologies for authentication, security, preferences, analytics, session replay, and feature flags. Browser-side analytics and replay technologies are activated after you accept the required technologies in the Delego cookie banner. Production server-side monitoring remains enabled where needed to operate, secure, and troubleshoot the service.

Details are available in our Cookie Policy.

Retention

We keep personal data only as long as needed for the purposes described above, unless a longer period is required to comply with law, resolve disputes, prevent abuse, or enforce agreements.

  • Account data is kept while your account exists. If you delete your account, we delete account-scoped active database records without undue delay, unless retention is required by law or for legitimate claims.
  • Linear OAuth state tokens and runner pairing tokens are short-lived and single-use. Runner bearer credentials are stored only as hashes in the relay.
  • Jobs, job events, communication logs, runner metadata, Linear installation records, repository mappings, and related metadata are retained while your account is active so the dashboard can show job history and operational status. You may request deletion at any time.
  • Server, security, analytics, and monitoring data are retained according to the settings available in Vercel, Supabase, PostHog, Sentry, and other providers. We configure retention to be no longer than necessary for operations, security, diagnostics, and product improvement.
  • Backups and provider logs may persist for a limited period after deletion from active systems and are overwritten according to provider retention schedules.

Because Delego is designed for quick deletion, you can contact us to request immediate deletion of your account-scoped Delego data from active systems.

Security

We use technical and organisational measures designed to protect personal data, including HTTPS/TLS, Supabase authentication, row-level security, explicit tenant scoping, encrypted storage of Linear OAuth tokens and Linear app secrets, hashed runner credentials, short-lived pairing tokens, access controls, secure environment-variable handling, logging, monitoring, and least privilege access where practical.

No online service can guarantee absolute security. You are responsible for protecting access to your email account, Linear workspace, local runner machine, GitHub CLI credentials, Codex or Claude credentials, and any other customer-controlled tools used by the runner.

Your rights

Subject to GDPR conditions and limitations, you may have the right to request access, rectification, erasure, restriction, portability, objection to processing based on legitimate interests, and withdrawal of consent where processing is based on consent.

To exercise your rights, email hello@getdelego.app. We may need to verify your identity before responding. We will respond without undue delay and generally within one month, unless GDPR permits an extension due to complexity or number of requests.

You also have the right to lodge a complaint with the President of the Personal Data Protection Office in Poland (UODO) or another competent supervisory authority.

Automated decision-making

We do not use personal data to make decisions that produce legal effects concerning you or similarly significantly affect you based solely on automated processing. Product analytics and feature flags may be used to understand usage and configure product experiences, but they are not used for legally significant automated decisions.

Changes

We may update this Privacy Policy when Delego changes, when our providers change, or when legal requirements change. Material changes will be communicated in the application or by email where appropriate.