Privacy Policy

7seven (“7seven,” “we,” “us”) is a voice-first bug triage service operated from Canada. This Privacy Policy explains what personal information we collect when you use 7seven.dev and the 7seven web application (the “Service”), how we use it, who we share it with, and the choices and rights you have.

The Service is offered to users in the United States and Canada. If you access it from elsewhere, you do so on your own initiative and are responsible for compliance with your local laws. Some additional rights may not be available outside these regions.

For questions, requests, or complaints, contact legal@7seven.dev. For account deletion requests, see Section 10.

Information you provide

• Account information. When you sign in with Google, we receive your name, email address, profile picture, and Google account identifier.
• Voice recordings. The audio files you record in the app, including their duration and format metadata.
• Transcripts and AI outputs. Machine-generated transcripts of your recordings, AI-generated ticket summaries, suggested reproduction steps, severity, tags, and suggested files or fixes.
• Tickets and comments. Tickets you create or import, comments you post, file attachments you upload, and ticket activity.
• Workspace data.Workspace names, member lists, roles (admin or member), invitations you send (including the invitee’s email address), and activity logs reflecting actions taken in the workspace.
• Integration data. When you connect GitHub, we store the App installation identifier and a snapshot of repository metadata (file paths and manifest excerpts such as package.json and README.md). When you connect Linear, we store an encrypted OAuth token and any issues you import or create through the integration. When you connect Jira, we store an encrypted OAuth token, your Atlassian site identifier and URL, and the data you choose to import — issues (imported as tickets), their comments, file attachments, and limited information about the Jira users associated with that content (account identifier, display name, email address, and avatar URL) so we can attribute imported work to the right person. We request read-only access to Jira and do not write back to your Jira instance. We do not read, store, or transmit your source code.
• Billing information. If you upgrade to a paid plan, we receive your subscription status, plan tier, seat count, and a Lemon Squeezy customer identifier. Card numbers and payment details are handled directly by Lemon Squeezy and are never seen or stored by 7seven.
• Communications. Messages you send to legal@7seven.dev, delete@7seven.dev, or other support addresses.

Information collected automatically

• Technical data.IP address, browser type and version, device type, operating system, referring URL, and approximate location derived from IP — collected by our hosting and security providers (Vercel, Cloudflare).
• Product analytics.Page views, feature usage events (for example, when you hit a plan limit), and a pseudonymous user identifier — collected by PostHog. See Section 9.
• Error and performance data. Crash logs, error stack traces, and request metadata — collected by Sentry. We apply automated PII scrubbing before events leave our infrastructure.
• Cookies and similar technologies. See Section 9.

We use personal information to:

• provide, operate, and maintain the Service;
• run AI features (transcription, ticket summarization, repo-aware suggestions) — see Section 4;
• authenticate you, secure your account, and protect against abuse, fraud, and security incidents (including via Cloudflare Turnstile);
• send transactional messages (invitations, ticket assignments, billing notices, security alerts);
• process payments and manage subscriptions;
• respond to your support requests and exercise of rights under this policy;
• measure feature usage and improve the Service using aggregated or de-identified data;
• send marketing communications, but only where you have given express opt-in consent (see Section 11); and
• comply with legal obligations and enforce our Terms of Service.

Where Canadian law applies, we rely on your consent — express for sensitive purposes such as marketing, implied for purposes a reasonable person would expect (such as operating the account you created). Where U.S. state law applies, we process data for the business and commercial purposes listed above.

Voice recordings are transcribed by Groq (Whisper large-v3) and summarized into structured tickets by Google Gemini. If you connect a GitHub repository, file paths and manifest excerpts (not source code) are included in the AI prompt to make suggestions repo-aware.

7seven does not train its own AI models on your content on any plan. AI outputs are suggestions for human review — you can always edit, override, or discard them. AI processing does not produce decisions that have legal or similarly significant effects on you.

Service providers (sub-processors)

We use the following service providers to operate the Service. Each is bound by contract to handle personal information only on our instructions and consistent with this policy. Most are located in the United States, which means your information will be transferred and stored outside Canada (see Section 6).

We will give at least 30 days’ notice on this page before adding or replacing a sub-processor that materially changes how personal information is handled. Significant infrastructure providers (for example, our database or hosting platform) will not be changed without prior notice.

Integrations you choose to connect

When you connect a third-party service (currently GitHub, Linear, or Jira), data flows according to the scopes you grant — in both directions for GitHub and Linear, and read-only for Jira (we import from Jira but do not write back). Those services have their own privacy policies, which apply to data on their platforms. Disconnect an integration at any time in Workspace Settings; disconnecting deletes the stored access token for that integration.

Other workspace members

Anything you contribute to a workspace — voice notes, transcripts, tickets, comments, attachments — is visible to other members of that workspace. Activity logs may show your name and the actions you took.

Legal, safety, and corporate transactions

We may disclose information when we believe in good faith that doing so is necessary to (a) comply with a valid legal process or government request, (b) enforce our Terms of Service, (c) protect the rights, property, or safety of 7seven, our users, or the public, or (d) detect, prevent, or address fraud or security issues. Where legally permitted, we will notify you before disclosing your information in response to legal process.

If 7seven is involved in a merger, acquisition, financing, or sale of assets, your information may be transferred to the successor entity, subject to the commitments in this policy. We will notify you of any such change.

What we never do

• We do not sell your personal information for money or other valuable consideration.
• We do not share your personal information for cross-context behavioral advertising.
• We do not use your data to serve third-party advertising.
• We do not share data between unrelated workspaces.
• We do not access the contents of your voice notes, transcripts, tickets, or comments except as required to operate the Service, respond to a support request you initiate, or comply with law.

7seven is operated from Canada, and most of our service providers are based in the United States. By using the Service, you understand and acknowledge that your personal information will be transferred to, stored in, and processed in the United States and other countries where our service providers operate.

For Canadian users, this means your information may be subject to U.S. legal processes, including law-enforcement access requests that may differ from those in Canada. Where we transfer personal information to a service provider outside Canada, we use contractual safeguards consistent with PIPEDA and Quebec Law 25 to require comparable protection.

Audio recordings are automatically deleted based on your plan:

• Individual — 7 days
• Startup — 90 days
• Business — 365 days

Transcripts, tickets, comments, attachments, and AI outputs are retained until you or a workspace admin deletes them, or until the workspace is deleted. Deleted workspaces are soft-deleted and recoverable for a limited period before being permanently removed.

Account information is retained while your account is active. When you delete your account, we remove or de-identify your personal information within a reasonable period, except where we need to retain it to comply with legal obligations, resolve disputes, enforce agreements, or maintain security.

Encrypted, off-site backups are kept by our infrastructure providers for their standard backup-retention windows. Information removed from production systems may persist in backups for a limited additional period before expiring.

Analytics events (PostHog) and error events (Sentry) are retained in accordance with each provider’s default retention. Audit logs and security records may be retained longer where necessary to investigate suspected abuse.

• All connections between your device and the Service use TLS encryption in transit.
• OAuth tokens for connected integrations (GitHub, Linear, Jira) are encrypted at rest using application-managed keys.
• Workspace data is protected by row-level security policies that restrict access to authenticated members of the workspace.
• Sign-in is gated by Cloudflare Turnstile to deter automated account creation.
• Service-role credentials and webhook secrets are stored in hosted secret managers and rotated as part of operational hygiene.

We do not currently offer two-factor authentication on 7seven sign-in — sign-in is delegated to your Google account, where you can enable two-factor authentication directly. We are not currently SOC 2 or ISO 27001 certified.

No system can be guaranteed completely secure. If we become aware of a personal-information breach that creates a real risk of significant harm, we will notify affected users without undue delay and notify the relevant supervisory authority within the timeframe required by applicable law (generally 72 hours under Quebec Law 25 and PIPEDA where reporting thresholds are met).

We use a small number of cookies and browser-storage mechanisms.

Strictly necessary

• Session cookie— set by Supabase Auth to keep you signed in.
• Turnstile pass cookie— set after you complete the Cloudflare Turnstile challenge so we don’t prompt you again on every action.

Analytics

• PostHog— uses local storage to record page views, feature events, and a pseudonymous identifier so we can understand how the product is used and improve it.

We do not use third-party advertising cookies or tracking pixels. You can clear or block cookies and local storage through your browser settings; doing so may affect sign-in and other essential features.

We honor the Global Privacy Control (GPC) signal as a valid opt-out of any “sale” or “sharing” under U.S. state law, and we treat browser Do-Not-Track signals as a request to limit non-essential analytics. Where required by law in your province or state, we will present a consent banner before setting non-essential cookies.

Subject to applicable law and reasonable verification of your identity, you have the following rights:

• Access. Request a copy of the personal information we hold about you.
• Correction. Update inaccurate or incomplete information. You can update much of your profile directly in the app.
• Deletion. Delete voice notes, tickets, and comments in the app. Workspace owners can delete a workspace from Workspace Settings. To request full deletion of your 7seven account, email delete@7seven.dev.
• Withdraw consent. Withdraw consent at any time, for example by disconnecting an integration or unsubscribing from marketing emails. Withdrawal does not affect processing already carried out.
• Object or restrict. Object to or ask us to restrict certain processing of your information.
• Complain. Lodge a complaint with a supervisory authority (see Section 16).

California residents (CCPA / CPRA)

If you are a California resident, you have the rights to know, delete, correct, and limit the use of sensitive personal information, plus the right not to be discriminated against for exercising any of these rights. Section 2 describes the categories of personal information we collect; Sections 3 and 5 describe the purposes and the categories of recipients. We do not sell or share personal information for cross-context behavioral advertising and have not done so in the preceding 12 months.

Canadian residents (PIPEDA & Quebec Law 25)

If you are in Canada, you have the right to access and correct your personal information, withdraw consent, and challenge our compliance with PIPEDA. If you are in Quebec, you additionally have the right to data portability for information you provided to us, information about cross-border transfers (see Section 6), and to be informed about the use of automated decision-making (see Section 4 — AI outputs are suggestions, not automated decisions with legal effects). Our privacy contact for these purposes is legal@7seven.dev.

How to exercise your rights

Email legal@7seven.dev from the email address associated with your account, or from another address with information that allows us to verify your identity. We respond to verified requests within 30 days, and may extend this by up to an additional 15 days for complex requests with notice to you. There is no charge for reasonable requests; we may decline or charge for clearly unfounded or repetitive requests as permitted by law.

If you make a request about content in a workspace you do not own (for example, comments you posted in another team’s workspace), we may direct you to the workspace owner, who is the controller of that content.

We send you transactional messages necessary to operate your account — for example, workspace invitations, ticket assignments, billing notices, and security alerts. These are sent based on your use of the Service and are not promotional.

We send marketing communications (product announcements, newsletters) only with your express, opt-in consent. This complies with Canada’s Anti-Spam Legislation (CASL) and applicable U.S. law. Every marketing message includes a one-click unsubscribe link, and you may withdraw consent at any time without affecting the rest of the Service.

7seven is built around shared workspaces. For information you contribute to a workspace, the workspace owner is the controller of that information — they decide who is invited, who is removed, and what is deleted. We process workspace content on their behalf.

For information about your individual account — your name, email address, sign-in records, and the workspaces you belong to — 7seven is the controller.

If you are removed from a workspace or leave it, the contributions you made (voice notes, tickets, comments) remain in the workspace and continue to be controlled by the workspace owner. You may ask the workspace owner to delete your contributions, or contact us if the workspace owner does not respond.

7seven is not directed to and is not intended for children under 16. We do not knowingly collect personal information from anyone under 16. If you believe a child has provided us with personal information, contact legal@7seven.dev and we will promptly delete it.

The Service uses AI to transcribe your voice notes and generate ticket summaries, suggested files, and suggested fixes (see Section 4). These outputs are designed as drafts for human review. They are not used to make decisions that produce legal effects or similarly significant effects on you, and you can edit, override, or discard any AI output at any time.

We may update this policy from time to time. When we do, we will post the new version here, update the effective date, and — for changes that materially affect your rights — provide advance notice of at least 30 days by email or in-app notice before the changes take effect. Your continued use of the Service after the effective date of an updated policy constitutes acceptance of the changes.

For questions, requests, or to exercise any right under this policy:

• General privacy contact: legal@7seven.dev
• Account deletion requests: delete@7seven.dev

If you are not satisfied with our response, you may lodge a complaint with a supervisory authority:

• Canada: Office of the Privacy Commissioner of Canada (priv.gc.ca).
• Quebec:Commission d’accès à l’information du Québec (cai.gouv.qc.ca).
• California: California Privacy Protection Agency (cppa.ca.gov) or California Attorney General.
• Other U.S. states: your state attorney general.