We handle a lot of sensitive operational data on behalf of our customers. This page says exactly what we collect, why, how long we keep it, and the handful of cases where we share it. No dark patterns. No marketing tracking. No selling — not now, not ever.
BlameTrail, Inc. is a Delaware C-corp headquartered in Brooklyn, New York. We build observability and on-call tooling for software teams. When you sign up for an account, install our GitHub App, or talk to sales, you're interacting with us.
We collect three buckets of data, each for a clearly scoped purpose:
| Category | Examples | Why |
|---|---|---|
| Account data | Name, work email, company, password hash, team membership | You can sign in, we can bill you, we can route pages. |
| Operational data | Monitor configs, incidents, deploy events, commit metadata, postmortems, Slack thread excerpts | The product literally does not function without this. It's the case file. |
| Telemetry | Page views, API call latency, error traces (aggregated), session IDs | We use this to debug our own product. We don't ad-track. |
Short version: as short as possible without breaking the product. Long version below.
| Data | Default retention | Configurable |
|---|---|---|
| Account data | Lifetime of account + 30 days after deletion | No |
| Incidents & postmortems | Indefinite (the case file) | Yes — bulk delete in Settings |
| Deploy & commit metadata | 24 months | Yes — 30d / 90d / 12m / 24m |
| Audit log | 12 months | Yes — up to 7 years on Enterprise |
| Voice recordings (DTMF ack) | 90 days | Yes — 0 / 30d / 90d |
| Telemetry / product analytics | 13 months | Workspace-level opt-out |
Subprocessors only — never marketers, never brokers. Our current subprocessor list (AWS, Stripe, Twilio, WorkOS, OpenAI, Resend) is available on request — email [email protected].
We share with subprocessors only to operate the service. We do not share for advertising or profiling.
We disclose data in response to a lawful, specific, and narrowly scoped legal process.
Primary processing in us-east-1 (N. Virginia). EU customers can opt into eu-central-1 (Frankfurt).
Do-Not-Track / Sec-GPC.
In the unlikely event of a security incident affecting your data, we'll notify you within 72 hours of confirmed impact.
We'll email account owners 30 days before any material change.
BlameTrail, Inc. · USA