
Privacy Policy

Last Updated: January 19, 2026
Effective Date: January 19, 2026
Our Commitment: We take your privacy seriously. This policy explains how we collect, use, and protect your data in compliance with GDPR, CCPA, and other privacy regulations.

1. Introduction

Projcity ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our engineering metrics platform ("Service").

By using the Service, you agree to the collection and use of information in accordance with this policy.

2. Information We Collect

2.1 Information You Provide

When you sign up for Projcity, we collect:

  • Account Information: Email address, full name, company name, password (hashed, never stored in plain text)
  • Contact Information: Phone number (optional)
  • Payment Information: Credit card details processed securely through Stripe (we do not store full card numbers)

2.2 Integration Data

When you connect integrations, we collect:

  • OAuth Tokens: Access tokens for GitHub, GitLab, Jira, Shortcut (stored encrypted)
  • Repository Metadata: Repository names, branch information, commit metadata
  • Code Activity Data: Commit messages, timestamps, authors, file changes, pull request data, code review comments
  • Issue Tracking Data: Issue titles, descriptions, status, assignees, labels, sprint information
  • Developer Activity: Metrics derived from the above (e.g., commit frequency, PR velocity, code review participation)

Important: We do NOT collect or store the actual source code from your repositories. We only collect metadata and activity information.

2.3 Shortcut Integration Specifics

When you connect your Shortcut workspace to Projcity:

Permissions We Request:

  • Read access to stories, epics, projects, and iterations
  • Read access to member profiles and team structure

Data We Collect:

  • Story metadata (titles, descriptions, status, estimates, labels)
  • Epic and milestone information
  • Team member activity and assignments
  • Workflow state transitions
  • Custom field values (if configured)

Data We Do NOT Collect:

  • Story attachments or file uploads
  • Private comments marked as internal-only
  • Archived workspaces (unless explicitly enabled)

OAuth Token Security:
Shortcut OAuth tokens are stored encrypted using AES-256 encryption and are never logged or exposed in error messages.

2.4 Automatically Collected Information

  • Usage Data: Pages visited, features used, time spent, click patterns
  • Device Information: Browser type, operating system, IP address, device identifiers
  • Log Data: Access times, error logs, performance data
  • Cookies: Session cookies, preference cookies, analytics cookies (see Section 8)

3. Source Code Security

Your Code Is Safe: We do NOT access, read, clone, download, or store your actual source code.

No Access to Source Code: Projcity processes only metadata about your engineering activities. We analyze:

  • Commit timestamps and frequency (not the actual code changes)
  • Pull request titles, status, and review cycles (not the code diffs)
  • Story status, estimates, and workflow transitions (not story attachments)
  • User IDs and team assignments (not personal communications)

What This Means: Our system is designed to analyze the process of engineering—how your team works, collaborates, and delivers—not the content of your files or proprietary code.

Technical Implementation: We use read-only API access to integration platforms (GitHub, GitLab, Shortcut, Jira). These APIs provide only metadata, never file contents. Even if we wanted to access your source code, our integration architecture does not have the technical capability to do so.

4. How We Use Your Information

We use your information to:

  • Provide the Service: Calculate metrics, generate reports, display analytics, create AI-powered insights
  • Improve the Service: Analyze usage patterns, identify bugs, develop new features
  • Communicate with You: Send service updates, security alerts, feature announcements, support responses
  • Process Payments: Bill your account, process refunds, prevent fraud
  • Ensure Security: Detect and prevent unauthorized access, abuse, or security threats
  • Comply with Legal Obligations: Respond to legal requests, enforce our Terms of Use
  • Aggregate Analytics: Create anonymous, aggregated statistics for product improvement (opt-out available)

5. Integration & OAuth Control

How We Connect to Your Tools: We use the official OAuth 2.0 authorization framework to connect with GitHub, GitLab, Shortcut, and Jira. This is the industry-standard secure authorization protocol.

What This Means for Your Security:

  • No Password Access: We never see or store your passwords or Personal Access Tokens
  • Granular Permissions: You explicitly approve which data Projcity can access during the OAuth flow
  • Revocable Access: You can revoke Projcity's access at any time through your GitHub, GitLab, Shortcut, or Jira account settings
  • Immediate Disconnection: Once revoked, we lose all access to your data immediately and cannot retrieve new information

Token Storage: OAuth access tokens are encrypted using AES-256 encryption before being stored in our EU-hosted database. Tokens are never logged, exposed in error messages, or transmitted in plain text.

6. AI and Data Processing

AI Ethics & Privacy: We use automated data processing and AI to generate insights, Dynamic Archetype classifications, and personalized feedback for your team.

Your Data Stays Private:

  • No Training on Your Data: We do not use your proprietary data to train, fine-tune, or improve general-purpose AI models
  • Organization-Private: Your data remains private to your organization and is used solely to generate reports and insights for your team
  • Anonymized Processing: When we use third-party AI services (such as OpenAI), we send only anonymized, aggregated data without identifiable information
  • No Data Sharing with AI Vendors: AI service providers process data on our behalf but do not retain, train on, or have access to your raw organizational data

Transparency: All AI-generated insights are clearly labeled as such. You can always request information about how a specific insight was generated by contacting our support team.

7. Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA), we process your data under the following legal bases:

  • Contractual Necessity: Processing required to provide the Service you requested
  • Legitimate Interest: Improving our Service, preventing fraud, ensuring security
  • Consent: Analytics cookies, marketing communications (you can withdraw consent anytime)
  • Legal Obligation: Complying with legal requirements, responding to law enforcement

7.1 Data Controller and Data Processor Roles

When You Use Projcity: For personal data collected directly from you (account information, contact details, payment information), Projcity acts as the Data Controller. We determine the purposes and means of processing this data.

When We Process Team Data: Where Projcity processes personal data on behalf of customers (integration data from GitHub, Shortcut, etc.), the customer acts as the Data Controller and Projcity acts as the Data Processor. The customer determines what data is collected from their team members, and we process it according to their instructions and this Privacy Policy.

8. How We Share Your Information

We do NOT sell your personal data. We share your information only in these circumstances:

8.1 Service Providers

We share data with trusted third-party providers who help us operate the Service:

  • Cloud Hosting: Railway (EU-hosted infrastructure)
  • Payment Processing: Stripe (PCI DSS compliant)
  • Email Services: For transactional emails and notifications
  • AI Processing: For generating insights (your data is not used for training AI models)
  • Analytics: Google Analytics (anonymized, opt-out available)
  • User Behavior Analytics: Hotjar/ContentSquare for session recordings, heatmaps, and user experience analysis (anonymized, GDPR compliant)
  • Live Chat Support: Crisp.chat for customer support conversations (GDPR compliant, EU-hosted data option)

All service providers are contractually obligated to protect your data and use it only for the specified purposes.

8.2 Legal Requirements

We may disclose your information if required by law or in response to:

  • Subpoenas, court orders, or legal processes
  • Requests from law enforcement or government agencies
  • Situations involving potential threats to safety or security

8.3 Business Transfers

If Projcity is acquired, merged, or sells assets, your information may be transferred to the acquiring entity. We will notify you before your data is transferred and becomes subject to a different privacy policy.

9. Data Storage and Security

9.1 Where We Store Data

  • Primary Location: European Union (EU)
  • Hosting Provider: Railway with EU data centers
  • Database: Encrypted at rest
  • Backups: Automated daily backups retained for 30 days

9.2 Security Measures

We implement industry-standard security practices:

  • Encryption in Transit: All data transmitted using TLS/HTTPS
  • Encryption at Rest: Database encryption for stored data
  • OAuth Token Protection: Integration tokens stored encrypted
  • Password Security: Passwords hashed using bcrypt
  • Access Controls: Role-based access, principle of least privilege
  • Regular Audits: Security reviews and vulnerability scanning
  • Monitoring: 24/7 intrusion detection and logging

While we take reasonable precautions, no method of transmission over the internet is 100% secure. We cannot guarantee absolute security.

10. Data Retention

Data Deletion: Upon account cancellation or a formal deletion request, we will delete all data retrieved from your integrations from our active databases within 30 days.

  • Active Accounts: Data retained while your account is active to provide the Service
  • Canceled Accounts: Data retained for 30 days after cancellation to allow account recovery
  • After 30 Days: All personal data and integration data permanently deleted from active databases
  • Backups: Backup data purged after 30-day backup retention period
  • Anonymized Data: We may retain anonymized, aggregated data for system performance analysis, but this data will not be linked to your identity or organization
  • Legal Requirements: We may retain certain data longer if required by law or for dispute resolution (e.g., financial records for tax compliance)

Your Control: You can request immediate data deletion at any time by contacting us at contact@projcity.com. We will process your request within 30 days.

11. Cookies and Tracking Technologies

11.1 Types of Cookies We Use

  • Essential Cookies: Required for authentication and basic functionality (cannot be disabled)
  • Preference Cookies: Remember your settings and UI preferences
  • Analytics Cookies: Google Analytics for usage patterns (can be opted out)
  • Performance Cookies: Monitor site performance and errors
  • Behavior Analytics Cookies: Hotjar/ContentSquare for session recordings, heatmaps, and user experience insights (enabled only after consent where required by law, including GDPR jurisdictions)
  • Chat Support Cookies: Crisp.chat for live chat functionality and conversation history

11.2 Cookie Consent

Consent Management: For users in jurisdictions requiring consent (such as the EU under GDPR), non-essential cookies including behavior analytics tools (Hotjar, ContentSquare) and marketing cookies will only be enabled after you provide explicit consent through our cookie consent banner.

Withdrawing Consent: You can withdraw your consent at any time by adjusting your cookie preferences in your browser settings or by contacting us at contact@projcity.com.

11.3 Managing Cookies

You can control cookies through your browser settings. Note that disabling essential cookies may affect Service functionality. Disabling analytics and behavior tracking cookies will not impact core functionality.

12. Your Privacy Rights

12.1 GDPR Rights (EEA Users)

If you are in the European Economic Area, you have the right to:

  • Access: Request a copy of your personal data
  • Rectification: Correct inaccurate or incomplete data
  • Erasure: Request deletion of your data ("right to be forgotten")
  • Restriction: Limit how we process your data
  • Portability: Receive your data in a machine-readable format
  • Objection: Object to processing based on legitimate interests
  • Withdraw Consent: Withdraw consent for data processing anytime

12.2 CCPA Rights (California Users)

If you are a California resident, you have the right to:

  • Know: Request disclosure of data collected and shared
  • Delete: Request deletion of your personal data
  • Opt-Out: Opt out of data sale (we do not sell data)
  • Non-Discrimination: Equal service regardless of privacy choices

12.3 Exercising Your Rights

To exercise any of these rights, contact us at:

Email: contact@projcity.com

We will respond to your request within 30 days. You may also file a complaint with your local data protection authority.

13. Data Export and Portability

You can request a copy of your data at any time:

  • Data Export: Contact us to receive your data in a machine-readable format (JSON/CSV)
  • Post-Cancellation: 30-day window to request data export after account cancellation
  • Response Time: We will provide your data within 30 days of your request

14. Children's Privacy

Projcity is not intended for children under 16 (GDPR minimum age). We do not knowingly collect personal information from children. If you believe we have collected information from a child under 16, contact us immediately and we will delete it.

15. International Data Transfers

Your data is stored and processed within the European Union (EU). We use Railway's EU data centers to ensure your data remains within EU jurisdiction.

For EEA users, this means:

  • No cross-border data transfers outside the EU for storage
  • Full GDPR compliance without requiring Standard Contractual Clauses (SCCs) for storage
  • Your data benefits from EU data protection laws

Note: Some third-party services (such as AI processing) may involve limited data transfers outside the EU. When such transfers occur, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission.

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

  • Email notification to your registered email address
  • Prominent notice on our website
  • Updating the "Last Updated" date at the top of this policy

Your continued use of the Service after changes constitutes acceptance of the updated policy.

17. Do Not Track Signals

We do not currently respond to "Do Not Track" browser signals. You can disable analytics cookies through your browser settings or by opting out of Google Analytics.

18. Third-Party Links

Our Service may contain links to third-party websites (GitHub, GitLab, Jira, etc.). We are not responsible for the privacy practices of these external sites. Please review their privacy policies separately.

19. Contact Us & Data Controller

Data Controller: Under GDPR, the entity responsible for your personal data is:

Zils (doing business as Projcity)
Lodz, Poland

Privacy Questions & Requests: For any privacy-related questions, data access requests, deletion requests, or concerns about this Privacy Policy, please contact us at:

contact@projcity.com
https://projcity.com

We will respond to your request within 30 days as required by GDPR and CCPA regulations.
