Last updated: March 2026

Alloy ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the Alloy platform, website, APIs, and related services (collectively, the "Service").

1. Data Collection

We collect information that you provide directly to us, as well as information generated through your use of the Service:

• Account information: name, email address, company name, role, and billing details when you create an account or subscribe to the Service
• Usage data: information about how you interact with the Service, including deployment logs, API calls, feature usage, and session metadata
• Technical data: IP addresses, browser type, device identifiers, operating system, and referral URLs collected automatically when you access the Service
• Communications: content of messages you send to us, including support requests, feedback, and correspondence
• Integration data: information from third-party services you connect to the platform, such as Shopify storefront configurations and Git repository metadata

2. Use of Information

We use the information we collect to:

• Provide, maintain, and improve the Service
• Process transactions and send related billing information
• Respond to your requests, comments, and support inquiries
• Monitor and analyze usage patterns to improve platform performance and reliability
• Detect, investigate, and prevent security incidents and fraudulent activity
• Send technical notices, updates, and administrative communications
• Comply with legal obligations and enforce our Terms of Service

We do not sell your personal information to third parties. We do not use your deployment data, source code, or storefront configurations for any purpose other than providing the Service.

3. Data Storage and Security

Your data is stored on infrastructure hosted in the United States using industry-standard cloud providers. We implement appropriate technical and organizational measures to protect your information, including:

• Encryption of data in transit (TLS 1.3) and at rest (AES-256)
• Pod-per-tenant isolation ensuring complete separation of merchant environments
• Regular security audits and penetration testing
• Role-based access controls for all internal systems
• Automated monitoring and anomaly detection

While we implement commercially reasonable security measures, no method of transmission or storage is completely secure. We cannot guarantee absolute security of your data.

4. Third-Party Services

The Service may integrate with or contain links to third-party services, including but not limited to:

• Infrastructure providers: for hosting, compute, and storage
• Payment processors: for billing and subscription management
• Analytics services: for understanding usage patterns (anonymized and aggregated)
• Communication tools: for support and notifications

These third-party services have their own privacy policies. We encourage you to review them. We only share the minimum information necessary for these services to function.

5. Data Retention

We retain your personal information for as long as your account is active or as needed to provide the Service. Upon account termination, we will retain your data for 30 days to facilitate export, after which it will be permanently deleted. We may retain certain information as required by law, to resolve disputes, or to enforce our agreements. Aggregated, anonymized data that cannot be used to identify you may be retained indefinitely for analytical purposes.

6. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal information:

• Access: request a copy of the personal data we hold about you
• Correction: request that we correct inaccurate or incomplete data
• Deletion: request that we delete your personal data, subject to legal obligations
• Portability: request a machine-readable copy of your data
• Restriction: request that we limit the processing of your data
• Objection: object to processing of your data for certain purposes

To exercise any of these rights, contact us at security@getalloy.dev. We will respond to your request within 30 days.

7. International Data Transfers

If you access the Service from outside the United States, your information may be transferred to, stored, and processed in the United States. By using the Service, you consent to the transfer of your information to the United States. Where required by applicable law, we implement appropriate safeguards for international data transfers, including standard contractual clauses.

8. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal data from a child, we will take steps to delete that information promptly.

9. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or through a notice on the Service at least 30 days before they take effect. Your continued use of the Service after such changes constitutes acceptance of the updated policy.

10. Contact Information

If you have questions about this Privacy Policy or our data practices, contact us at:

• Email: security@getalloy.dev
• General inquiries: hello@getalloy.dev