Privacy Policy

AiLaiLe Technology Limited(“Linage”, “we”, “us”, “our”) operates the website at https://linage.ailaile.tech and the Linage service. Our registered address is RM 102, 1/F, THE CLOUD, 111 TUNG CHAU STREET, Tai Kok Tsui, Hong Kong. This policy explains what data we collect, how we use it, who we share it with, how long we keep it, and the privacy rights that may apply to you.

Linage is designed to minimize Linear issue content retention. We do not intentionally persist Linear issue descriptions, and issue titles are not stored in our database for report generation. We do process Linear issue metadata needed to compute metrics, and some issue titles may be processed transiently in memory and sent to an AI provider when they are needed to explain at-risk work in a report.

Account data — your email address and encrypted password hash, managed by Supabase Auth.

Linear workspace data — when you connect via OAuth, we receive and store (encrypted) a read-only access token. We use it to fetch cycle and issue metadata needed to compute metrics, including team names, cycle dates, issue states, estimates, labels, assignee identifiers, creation/completion timestamps, and state transition history. Issue titles may be processed transiently in memory for at-risk issue analysis, but are not intentionally persisted to our database.

Computed metrics — velocity, cycle time, completion rate, carry-over count, Gini coefficient, and similar aggregate statistics derived from your Linear data. These are stored to power your reports.

Generated reports — the AI-written narrative text produced from your metrics. Reports expire after 90 days.

Billing data — payment processing is handled entirely by Stripe. We store your Stripe customer ID and subscription status; we never see or store your card details.

Usage data — basic analytics (page views, report generation events, device/browser information, event timestamps, and similar diagnostic information) via Vercel Analytics and PostHog to help us improve and debug the product. Depending on configuration, these events may include account or device identifiers.

Where GDPR, UK GDPR, or similar laws apply, we rely on the following legal bases:

• Contract — to create your account, connect Linear, generate reports, deliver reports, and provide billing features.
• Legitimate interests — to secure, maintain, improve, and debug the service, prevent abuse, and understand product usage.
• Consent — where you choose to connect optional integrations or where consent is required for non-essential cookies or analytics.
• Legal obligation — to keep records required for tax, accounting, compliance, dispute resolution, or lawful requests.

• To authenticate your account and maintain your session.
• To fetch Linear cycle data and compute engineering metrics on your behalf.
• To send computed metrics and, where needed, limited at-risk issue context to an AI provider to generate your report.
• To deliver reports via Slack or email if you have configured those integrations.
• To process subscription payments via Stripe.
• To send transactional emails (welcome, weekly digest, billing notices) via Resend.
• To improve and debug the service through aggregated, anonymised analytics.

Report generation uses one or more third-party AI APIs, such as Anthropic, OpenAI, Google, Alibaba Cloud, or SiliconFlow. The primary payload is computed engineering metrics, such as velocity, completion rate, carry-over, cycle time, bottleneck stage, workload distribution, and bug ratio. When needed for report quality, we may also send limited at-risk issue context, such as an issue title and how long it has been stuck. We do not intentionally send Linear issue descriptions.

AI providers process this data under their own terms, data processing terms, and retention policies. We configure AI providers for service delivery and do not sell your data to AI providers.

We do not sell your personal data. We share data only with the following service providers (“subprocessors”) as needed to operate the service:

• Supabase (Ireland / US) — database, authentication, and row-level access control.
• Anthropic / OpenAI / Google / Alibaba Cloud / SiliconFlow — AI model APIs for report generation. We send computed metrics and, where applicable, limited at-risk issue context.
• Stripe, Inc. (US) — subscription billing and payment processing.
• Resend (US) — transactional email delivery.
• Slack Technologies (US) — report delivery to Slack channels you configure.
• Vercel (US) — application hosting and content delivery.
• PostHog (EU/US) — product analytics where enabled.

Each subprocessor processes data under their own data processing terms, privacy policies, and applicable transfer mechanisms. We may update this list and will notify you of material changes.

We may also disclose your data: (a) if required by law, regulation, or court order; (b) to protect the rights, property, or safety of Linage, its users, or others; or (c) in connection with a business transfer or acquisition, with appropriate confidentiality obligations.

Linage is operated from Hong Kong and uses service providers that may process data in Hong Kong, the United States, the European Economic Area, or other locations where they operate infrastructure. Where required, we rely on appropriate transfer mechanisms such as standard contractual clauses, data processing terms, or equivalent safeguards offered by our providers.

• Shared report links expire 90 days from generation — after that date, the shared link stops working. Backend report records may be retained in our systems beyond this date unless you actively delete them.
• Computed metrics and report records are retained while your account is active, and for a reasonable period thereafter for operational, legal, or accounting purposes, unless you delete your workspace or account.
• Linear and Slack access tokens are deleted from our database when you disconnect the respective integration.
• Account credentials are retained until you delete your account.
• After account deletion, we aim to remove active workspace data, metrics, and reports from production systems within 30 days. Residual copies may remain in encrypted backups, audit logs, or provider systems for a further period consistent with security, disaster recovery, tax, accounting, and legal obligations.

Depending on your location, you may have rights under GDPR, CCPA, or other privacy laws:

• Access — request a copy of the data we hold about you.
• Rectification — correct inaccurate account data.
• Deletion — request deletion of all your data. We will action this within 30 days.
• Portability — receive your data in a machine-readable format.
• Objection — object to certain processing activities.
• Restriction — ask us to restrict certain processing where applicable.
• Withdraw consent — withdraw consent where processing is based on consent.

To exercise any of these rights, email ailailetech@gmail.com. We will respond within 30 days.

If California privacy law applies to your use of Linage, this section supplements the policy above. We may collect identifiers, commercial information, internet or network activity, professional or employment-related information contained in connected workspace metadata, and inferences reflected in generated reports. We use these categories to provide, secure, bill for, improve, and support the service.

We do not sell personal information. We do not knowingly share personal information for cross-context behavioral advertising. You may request access, deletion, correction, and portability, and you may not be discriminated against for exercising those rights. To submit a request, contact ailailetech@gmail.com.

We use session cookies and local storage to keep you logged in and operate the service. We may use privacy-conscious analytics tools to understand product usage. We do not use third-party advertising cookies.

Linear and Slack access tokens are stored AES-256 encrypted in our database. All data is transmitted over HTTPS. We enforce access controls and Row Level Security (RLS) in our database so that each authenticated user can only access their own workspace data. Public shared reports are accessible only via their unique, randomly generated token; token validation is enforced server-side. No method of transmission or storage is completely secure, but we apply technical and organisational safeguards designed to protect the service and your data.

If we become aware of a security incident affecting your personal data, we will investigate and notify affected users or regulators where required by applicable law.

Linage is not directed at children under 16. We do not knowingly collect data from children.

We will notify you by email at least 14 days before any material change to this policy. Continued use of the service after the effective date constitutes acceptance of the updated policy.

Questions about this policy or privacy requests? Contact AiLaiLe Technology Limited at ailailetech@gmail.com. Registered address: RM 102, 1/F, THE CLOUD, 111 TUNG CHAU STREET, Tai Kok Tsui, Hong Kong.