· legal
Privacy policy
last updated July 10, 2026
HandOffAgent (“we”, “us”) provides AI-powered client support gateways grounded in your source code. This policy explains what we collect, why, and the choices you have. The short version: your code stays yours, we sell nothing to anyone, and we collect only what the product needs to work.
Information we collect
- Account data — your name, email address and password hash (or your GitHub identity when you sign in with GitHub), managed by our authentication provider, Supabase.
- Repository content — when you connect a repository we read its files to build a searchable index. Code is segmented and stored as vector embeddings plus short text excerpts inside your private workspace. We never use your code to train AI models.
- Client conversations— questions asked through your share links and the AI's answers are stored so you can review transcripts and we can enforce your usage limits. Your clients don't create accounts; an anonymous session identifier keeps conversations together.
- Billing data — payments are processed by Dodo Payments, our merchant of record. We never see or store your card number. We keep your subscription status, plan and billing cycle dates.
- Usage data — message counts and basic diagnostics used for quota enforcement, abuse prevention and improving the product.
How we use it
- To index your repositories and generate grounded answers for your clients.
- To enforce plan limits, daily caps and the controls you configure per project.
- To bill your subscription and send transactional email (receipts, account notices).
- To keep the service secure and diagnose failures.
AI processing
Questions and the relevant retrieved code snippets are sent to Google's Gemini API to generate answers and embeddings. This processing is transient — Google's API terms for paid use prohibit using your data to train their models. You control what the AI may reveal: raw source quoting, file-path citations and answer technicality are all per-project settings, and you can exclude any path from indexing.
Sharing
We share data only with the processors that run the product: Supabase (database & auth), Vercel (hosting), Google (AI processing) and Dodo Payments (billing). We do not sell personal data, ever. We may disclose information if required by law.
Retention & deletion
Repository indexes are deleted when you remove a project. Conversations are retained while the project exists so transcripts remain available. Delete your account and we remove your workspace data within 30 days, except records we must keep for tax or accounting.
Security
All traffic is encrypted in transit (TLS). Data is stored with row-level security so each workspace can only ever read its own rows. GitHub tokens are encrypted at rest. Share links use unguessable tokens that you can expire, rotate or pause at any time.
Your rights
You can access, correct, export or delete your personal data by writing to us. If you are in the EEA/UK, you additionally have rights under GDPR including complaint to a supervisory authority.
Contact
Questions about this policy: shahnawaz@zolarys.com or via the contact page.