Privacy & Security
Effective Date: September 24, 2025 — OAuth 2.0, data usage, retention, and user rights
Raya is an automation and integrations platform. We process data only to perform the tasks you explicitly request and to operate and secure the platform.
1. Information We Collect
We follow the principle of data minimization and collect only the information necessary to provide requested services.
- Account information (via OAuth): third-party user ID, display name, email address (if provided), and other basic profile attributes supplied by the provider.
- Authorization tokens: access tokens and, where applicable, refresh tokens issued by OAuth providers. We never collect your passwords.
- Service data: project items, issues, repositories, files, and metadata required to execute your commands or to display results in the UI.
- Technical and diagnostic data: IP address, device and browser information, API request logs, timestamps, and telemetry used for debugging, security, and performance.
2. How We Use Information
Collected data is used exclusively to provide and secure the platform and the integrations you enable:
- Authentication & Authorization: to verify your identity and request scopes/consents via OAuth 2.0 providers.
- Task execution: to read, create, update, or delete resources on external services strictly according to your explicit commands (for example, creating a Jira issue, committing to GitHub, or uploading a file to Google Drive).
- Session and state management: to maintain continuity across sessions (e.g., cached user preferences and active integrations).
- Security & abuse prevention: to detect unauthorized access, mitigate abuse, and ensure the platform’s integrity.
We do not use your data for advertising, profiling for third parties, or selling personal information.
4. OAuth 2.0 Connections — What Happens When You Connect
When you connect an external service to Raya via OAuth 2.0, the following flow occurs:
- Redirect to provider: you are redirected to the provider’s secure authorization page (e.g., Google, Atlassian, GitHub), where you review requested scopes and consent to access.
- Granting scopes: you explicitly approve the requested permissions (scopes). Raya only requests scopes necessary for the requested features and clearly displays them during authorization.
- Token issuance: the provider issues an access token (and optionally a refresh token) and returns it to Raya. Raya stores tokens encrypted and uses them to make API calls on your behalf.
- Scoped, on-demand access: Raya performs actions only within the granted scopes and only in response to your commands or app functionality you explicitly enabled.
- Revocation: you can revoke Raya’s access at any time from your provider’s account settings. Revocation immediately prevents Raya from calling the provider’s APIs on your behalf.
Important: Raya never requests or stores your provider password. For security, we recommend following the provider’s recommended practices (2FA, strong passwords).
5. Data Retention
We retain data only as long as necessary to provide the service, comply with legal obligations, or as you request:
- Tokens: stored while your connection is active; refresh tokens are stored only when required and encrypted at rest.
- Service data: we do not permanently mirror or archive third-party service data (for example, full copies of Jira issues or Google Drive files) unless explicitly required for features you enabled (e.g., caching for offline use). Temporary caches and results are deleted as soon as they are no longer needed.
- Logs and telemetry: operational logs and diagnostic data are retained for security and debugging; typical retention is up to 30 days unless otherwise required by law or security investigations.
You may request export or deletion of your data (see Section 8).
6. Security
We apply industry-standard safeguards to protect your information:
- Encryption: all network traffic uses HTTPS/TLS. Sensitive tokens and keys are encrypted at rest.
- Access controls: least-privilege access patterns for services and internal components; role-based access for engineers and automated systems.
- Monitoring & detection: continuous monitoring for suspicious activity, rate-limiting, and anomaly detection.
- Secure development: regular code reviews, dependency scanning, and security testing.
While we strive to protect your data, no service is completely immune to risk. If a security incident affects your data, we will notify affected users and authorities as required by law.
7. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Access: request a copy of personal data we hold about you.
- Correction: request corrections to inaccurate or incomplete data.
- Deletion: request removal of your data and account (subject to legal or contractual retention obligations).
- Portability: request export of certain data in a machine-readable format.
- Objection & Restriction: object to certain processing or request restricted processing where applicable.
To exercise these rights, contact us at support@uzdevid.com. We will verify identity before fulfilling sensitive requests.
8. Deleting Your Data & Revoking Access
You can disconnect Raya from any connected service at any time via that provider’s account or security settings. Revoking access immediately prevents further API calls from Raya.
To delete your Raya account and associated data:
- Contact support@uzdevid.com with the subject line "Account Deletion Request".
- Specify the email or provider ID associated with the account to help us locate it.
- We will confirm your request, verify your identity, and proceed with deletion according to our retention rules. Deletion may take up to 30 days to complete, and some logs or records required for legal compliance may be retained for a limited period.
9. Changes to This Policy
We may update this Privacy Policy to reflect changes in the law, features, or practices. When we make material changes, we will post the revised policy with a new effective date and, where appropriate, notify users via the platform or email.
10. Contact
If you have questions, requests, or concerns about this Privacy Policy or our data practices, contact:
Email: support@uzdevid.com
Privacy page: https://uzdevid.com/privacy
Address: UzDevid
Last updated: September 24, 2025.