Privacy
Privacy notice
How Cadylo currently handles account, workspace and integration data during the public beta—and which operational decisions still need to be completed.
Last updated July 15, 2026
Compliance baseline
This page documents the current product implementation. It is not a GDPR certification or legal opinion. The operator must complete the missing identity, lawful-basis, vendor-transfer and retention details before treating it as a final production notice.
Scope and privacy roles
This notice covers the Cadylo website, product workspace and related support communications. Cadylo determines how account administration, service security and its own operations are handled. For workspace content submitted by an organization, that organization may determine the purposes of processing while Cadylo operates the service on its instructions.
That controller/processor split must be confirmed in the applicable customer documents before commercial production use. The operator’s complete legal identity and registered address are not stated here because they have not been supplied; they must be published before launch rather than guessed.
Data we handle
Cadylo may handle the following categories when you use the service:
- Account data: email address, display name, optional avatar, account timestamps and authentication session information.
- Workspace administration: memberships, roles, invitations, teams and access assignments.
- Content you and your workspace provide: issues, comments, projects, updates, triage requests, attachments and saved views.
- Product preferences and activity: notification and view preferences, subscriptions, API-token metadata, security events and bounded delivery logs.
- Integration data: information supplied through enabled GitHub, GitLab, Slack or Sentry connections, plus data sent to customer-configured outbound webhooks.
Do not place special-category or otherwise unnecessary personal data in free-text fields or attachments. Workspace administrators control what their teams submit to the product.
Purposes and lawful bases
Data is used to create and secure accounts, provide collaborative product-management features, deliver opted-in notifications, operate integrations, answer support and privacy requests, prevent abuse and meet applicable legal obligations.
Before production use, the operator must validate and publish the final lawful-basis mapping for each purpose. The intended mapping is contract or pre-contractual steps for the service a user requests, legitimate interests for proportionate security and service reliability, legal obligation where a law requires processing, and consent only for a genuinely optional feature that requires it. Cadylo does not currently use visitor advertising or analytics trackers.
Service providers and integrations
Current technical recipients can include:
- Supabase for database, authentication, file storage and realtime capabilities;
- the configured application-hosting provider for the Node.js service and request delivery; the production provider’s legal identity has not yet been recorded in this notice and must be added before launch;
- Resend when an account enables email notifications;
- customer-selected GitHub, GitLab, Slack, Sentry and outbound-webhook destinations when those integrations are enabled.
Cadylo does not claim EU-only hosting or data residency. Processing locations, subprocessors and any international-transfer safeguards depend on the deployed accounts and current vendor terms and must be reviewed before production use. Workspace administrators should enable only integrations they have assessed and should treat outbound webhook destinations as recipients of the selected event data.
Retention and deletion
Current code applies several bounded periods: authentication cookies have a 30-day maximum age, inbound webhook replay identifiers are kept for 7 days, outbound webhook event and delivery records for 30 days, and unfinished upload reservations become eligible for cleanup after 1 hour. Personal API tokens have a maximum one-year expiry and can be removed after 90 days of inactivity.
Workspace content and finalized attachments are otherwise retained while the relevant workspace remains active, subject to customer instructions and a valid deletion request. Deleting a workspace removes its live database graph immediately and queues its file objects for permanent deletion. Deleting an account removes access, memberships, profile, preferences and personal credentials; collaborative records and finalized workspace files can remain with their author identity detached as “Deleted user.” Saved views and integrations configured by that account are removed, recurring schedules it created are disabled, structured mentions are anonymized, and saved assignee filters are cleared. Storage and authentication cleanup is retried by a durable background job after a short upload-quiescence window.
Pseudonymized deletion receipts are retained for 90 days for accountability and incident investigation, then automatically removed. An account receipt contains a one-way account digest, request/completion dates and the number of Storage objects processed. A workspace receipt contains one-way workspace and actor-workspace digests, its request date, and attachment and Storage-object counts; it does not retain either raw identifier.
Final periods for audit records, provider logs and backups have not yet been approved and must be documented before production. Backup copies may persist for a limited provider recovery cycle after a live deletion; the actual cycle must be verified rather than assumed.
Your privacy rights
Depending on applicable law, you may request access, correction, deletion, restriction, objection or portability, and may withdraw a consent without affecting earlier processing. You may also complain to the CNIL or your competent supervisory authority.
Signed-in users can download a bounded, machine-readable snapshot from the privacy export endpoint. It is a convenience export, not a complete access response: each collection is capped, attachment binaries and some administrative records are not included, and third-party rights can limit disclosure.
Signed-in users can request account deletion from Account & privacy in Settings. A workspace owner must first transfer each workspace to another member or permanently delete it. Current-password verification and an exact typed confirmation protect both destructive operations.
For deletion of specific collaborative content, a complete access request, correction or any other privacy request, email privacy@cadylo.appfrom your account address. Cadylo will verify identity and respond within the period required by applicable law. Data already delivered to an integration or customer-configured webhook cannot be recalled by deleting it from Cadylo and must be handled with that recipient where applicable.
Security and incidents
Current safeguards include row-level database access rules, scoped permissions, private attachment access, hashed API credentials, secure transport expectations, content-security headers and limited webhook logs. No online service can promise absolute security.
Suspected privacy or security incidents should be reported promptly to privacy@cadylo.app. The operator still needs a documented breach-assessment, notification and incident-register procedure before production use.
Changes and contact
This notice will change as the beta, vendors and operating policies evolve. Material changes should be announced through the product or an account communication, with a new update date on this page.
Privacy questions and requests: privacy@cadylo.app. A DPO is not named because no appointment has been confirmed.