Legal
Privacy Policy
Effective May 24, 2025
Patchy (“we”, “our”, “us”) operates patchydev.com and the Patchy Telegram bot. This Privacy Policy explains what data we collect, how we use it, and the choices you have.
1. Data we collect
Account data
When you connect your account, we store your Telegram user ID, GitHub username, and Vercel account identifier. We use this to link your Telegram messages to your connected services.
Credentials
OAuth tokens for GitHub and Vercel are stored encrypted at rest using AES-256. Your Anthropic API key is stored encrypted and is never logged or transmitted to any third party beyond Anthropic’s API. We do not store your API key in plain text at any point.
Usage data
We record the number of runs you initiate (for billing purposes), timestamps, and whether a session ended with /approve or /discard. We do not store the content of your messages or the code changes Patchy makes beyond what is needed to complete the current run.
Billing data
Payment information is processed by Stripe. We store only the data Stripe provides after a successful transaction (customer ID, plan, subscription status). We never see or store your full card number.
2. How we use your data
- To authenticate you and connect to GitHub and Vercel on your behalf.
- To route your Telegram messages to the correct workspace and deploy previews.
- To track your run count and calculate billing.
- To send transactional emails (e.g. billing receipts, plan changes). We do not send marketing emails without explicit opt-in.
3. Data sharing
We do not sell your data. We share data only with the third-party services required to operate Patchy:
- GitHub — to clone repositories, create branches, and submit pull requests.
- Vercel — to deploy preview environments.
- Anthropic — to process your code-change requests via your own API key.
- Stripe — to process payments.
- Telegram — as the messaging interface. We do not share your data with Telegram beyond what is required to send and receive bot messages.
Each of these providers operates under their own privacy policies. We recommend reviewing them.
4. Data retention
Run metadata is retained for 90 days for debugging and billing purposes, then deleted. Encrypted credentials are deleted immediately when you disconnect an integration or delete your account. Billing records are retained as required by law (typically 7 years).
5. Your rights
You may request deletion of your account and all associated data at any time by emailing privacy@patchydev.com. We will process deletion requests within 30 days.
If you are in the European Economic Area or United Kingdom, you have additional rights under the GDPR / UK GDPR including access, rectification, restriction, and portability. Contact us to exercise these rights.
6. Security
Credentials are encrypted at rest (AES-256) and in transit (TLS 1.2+). Each run executes in an isolated environment that is destroyed after the session ends. Access to production data is restricted to a minimal set of personnel.
7. Changes to this policy
We may update this policy from time to time. Material changes will be communicated via email or via a notice in the Patchy bot. Continued use of Patchy after the effective date constitutes acceptance of the updated policy.
8. Contact
Questions or concerns? Email us at privacy@patchydev.com.