Privacy Policy

InariWatch ("we", "our", or "us") is operated by Jesus Bernal, based in Mexico. This policy explains what data we collect when you use InariWatch at inariwatch.com and app.inariwatch.com, how we use it, and your rights regarding it.

InariWatch follows an open-core model. The user-facing components — the Capture SDK, MCP init tool, VS Code extension, and GitHub Action — are released under the MIT License and publicly auditable. The hosted web application is proprietary.

Account data: your name and email address when you register, and OAuth profile info (name, email, avatar) if you sign in with GitHub, Google, or GitLab.

Authentication data: hashed passwords, 2FA secrets (encrypted), session tokens, and password reset tokens. Session cookies (next-auth.session-token) are set with a 30-day expiry and are required for the app to function.

Integration data: webhook payloads and API responses from services you connect (GitHub, Vercel, Sentry, Datadog, Expo, and others). This may include stack traces, deployment logs, and error messages from your systems. All integration credentials are stored encrypted.

AI API keys (optional): all AI features work without your own key — we use our platform API key (OpenAI) to power them. If you optionally provide your own key under Settings (Anthropic, OpenAI, Groq, Grok, DeepSeek, Google Gemini), it is stored encrypted and used only to make requests on your behalf. We never share keys or use them for any other purpose.

Billing data: if you subscribe to InariWatch Pro, payment is processed by Stripe. We store your Stripe customer ID, subscription status, and plan tier — we never see or store your payment card details.

Notification data: configuration for your notification channels (email, Telegram, Slack, browser push). Webhook endpoints and secrets are stored encrypted.

Email interaction data: alert notification emails include an open-tracking pixel and click-tracking links so we can show you whether notifications were received. This data is stored in your account and visible to you in the app.

Audit logs: we log certain account actions (login, settings changes) along with IP addresses for security purposes.

AI interaction logs: to diagnose issues and improve the quality of our AI analysis, we log prompts sent to AI models and their responses in our own database. Known sensitive patterns (emails, API keys, JWTs, credit card numbers, Bearer tokens) are automatically redacted before storage. These logs are stored exclusively within our own infrastructure — they are never shared with third-party AI observability services such as Helicone, LangSmith, or similar. Retention: up to 30 days. Access is restricted to administrative staff.

Blog newsletter: if you subscribe to the blog newsletter, we store your email. You can unsubscribe at any time via the link in any email.

• To provide and operate the InariWatch service.
• To send transactional emails (password reset, workspace invites, alert notifications).
• To process subscription payments and manage billing.
• To send blog updates if you opted in.
• To debug errors and improve reliability.
• To detect and prevent abuse (rate limiting, audit logs).

We do not sell your data. We do not use your data for advertising. We have no behavioral tracking on our website — only privacy-friendly, cookieless analytics (see Section 4).

• Neon — PostgreSQL database hosting. All your data is stored here.
• Vercel — application hosting and edge functions.
• Resend — transactional email delivery.
• Stripe — subscription billing for InariWatch Pro. Card details are handled exclusively by Stripe; we never see or store them.
• Upstash — Redis caching for rate limiting, AI response caching, and deduplication. No personal data is stored — only counters, fingerprints, and cached AI analysis text.
• AI providers — AI features use our platform OpenAI key by default. If you provide your own key, requests are sent to that provider instead (Anthropic, OpenAI, Groq, xAI/Grok, DeepSeek, Google Gemini). Alert data (error messages, stack traces) is sent to the AI provider for analysis. We store AI responses only as shown in the app (e.g., alert diagnosis, postmortems). We do not route AI calls through any third-party observability proxy — our own internal logging (see "AI interaction logs" in Section 2) keeps this data within our systems.
• GitHub / Google / GitLab — optional OAuth sign-in. We only store the provider account ID, email, and name returned by the provider.
• Plausible Analytics — privacy-friendly, cookieless analytics. No personal data is collected. See plausible.io/privacy.
• Telegram / Slack — if you configure these as notification channels, alert data is sent to your Telegram bot or Slack webhook.

We use one session cookie (next-auth.session-token) to keep you logged in. It expires after 30 days. We do not use advertising cookies, tracking cookies, or third-party analytics cookies.

We retain your account and alert data for as long as your account is active. If you delete your account, your data is deleted within 30 days. You can request deletion at any time by emailing info@jesusbr.com.

AI interaction logs (prompts and responses — see Section 2) are retained for up to 30 days and then automatically deleted.

We use HTTPS for all connections, bcrypt for password hashing, encrypted storage for API keys and integration secrets, HMAC signature verification on all incoming webhooks, and rate limiting on all authentication endpoints. If you discover a vulnerability, please report it to info@jesusbr.com.

The open-source components of InariWatch — the Capture SDK, MCP init tool, VS Code extension, and GitHub Action — are released under the MIT License. If you deploy those components yourself, you are responsible for the data they handle in your own environment. This policy applies only to the hosted service at inariwatch.com.

You have the right to access, correct, export, or delete your personal data at any time. To exercise these rights, contact us at info@jesusbr.com or delete your account directly from Settings.

For EU/EEA residents (GDPR): we process your data based on contractual necessity (providing the Service) and legitimate interest (security, abuse prevention). You have the right to data portability, the right to restrict processing, and the right to lodge a complaint with your local supervisory authority. We do not make automated decisions that produce legal effects concerning you — AI features generate suggestions, not binding actions.

For California residents (CCPA): we do not sell your personal information. You have the right to know what data we collect, request deletion, and opt out of any future sale of personal information. To exercise these rights, email info@jesusbr.com.

Your data may be processed in different countries depending on which services are involved: the United States (Vercel, Neon, OpenAI, Stripe, Resend, Upstash), Germany (Hetzner), and other locations where our third-party providers operate. By using the Service, you consent to these transfers. We rely on each provider's own data protection measures and, where applicable, Standard Contractual Clauses.

We may update this policy occasionally. We will notify registered users by email of any material changes. Continued use of the service after changes constitutes acceptance.

Questions? Email us at info@jesusbr.com.