Privacy Policy

Levee ("we", "us", "the service") is operated by Khalid Alomar as an independent developer-run product. This policy explains what we collect, why we collect it, where it's stored, and how you can delete it.

1. Who we are

Levee is operated by Khalid Alomar. You can reach us at team@leveehub.com for any privacy question, including deletion requests.

2. What we collect

2.1 Account data (you give us directly)

• Your email address and a salted bcrypt hash of your password.
• Your display name, role title, and organisation name (optional, used to personalise AI drafts).
• Your timezone and digest schedule preferences.

2.2 Third-party connections (you authorise via OAuth or paste tokens)

• Slack: a User OAuth token, a Bot OAuth token (after you grant the app), your Slack user ID, team ID, and team name. Tokens are encrypted at rest with AES-256-GCM.
• Atlassian (Jira / Confluence): a Cloud API token, your Atlassian account ID, site URL, and the list of Jira project keys you choose to scope to. Token is encrypted at rest.
• Anthropic: if you provide your own API key, it's encrypted at rest. Otherwise Levee uses its own server-side key for AI summarisation (your data still flows through Anthropic for that single call — see §4).

2.3 Working cache

• Slack messages: for each digest run we cache up to ~50 message IDs, the user ID of each sender, channel ID, timestamp, permalink, and the text of the message — only for items that match your search (mentions and DMs in the last 48 hours). Cache TTL: until the next digest run replaces it.
• Jira issues: we cache issue keys, summaries, statuses, assignees, due dates, and project metadata returned by your JQL queries (5-minute server cache).
• Action log: when you send a Jira comment or Slack reply via Levee, we record the issue key / channel ID, recipient label, a 280-character excerpt of what you sent, and the timestamp. This powers the "follow-ups" view.
• Snoozes, narrative cache, conversational digest cache: short-lived JSON blobs keyed to your user ID.

2.4 Operational data

• Session cookie (HttpOnly, SameSite=Lax, 14-day expiry). No analytics cookies.
• Error logs: when something throws server-side, or your browser's window.onerror fires, we record the message, stack trace, route, your user ID, IP address, and user agent so we can fix bugs. Pruned manually by the admin.

3. Why we collect it

Each piece of data has a single purpose:

• Account data → authenticate you, address you by name in AI drafts.
• Tokens → call Slack and Atlassian APIs on your behalf to read your inbox and post replies.
• Working cache → assemble the dashboard fast, build the daily digest, support the ⌘K palette.
• Action log → render the "follow-ups" tracking view and let you search past actions.
• Error logs → fix bugs before users have to report them.

4. Third parties we share data with

• Anthropic (claude.ai) — when generating an AI summary or reply draft, the relevant message text and your display name are sent to Anthropic's Messages API. Anthropic does not retain prompts on the API tier we use; see Anthropic's privacy policy.
• Resend (resend.com) — used to send signup/approval/password-reset emails. Only your email address and the email body transit Resend.
• DigitalOcean (digitalocean.com) — hosts the application server and database. All data at rest is on DigitalOcean's infrastructure in their default region (currently Frankfurt). See DigitalOcean's privacy policy.
• Slack and Atlassian — we call their APIs as you, using the tokens you authorised. Your data does not leave their platforms because of us; we only fetch it.

We do not sell, rent, or trade personal data with anyone. We do not run an analytics or advertising SDK.

5. Where it's stored

All Levee data is stored in a single SQLite database on a DigitalOcean droplet under our control. All third-party tokens are encrypted with AES-256-GCM using a master key held only on that server (not in source control, not backed up off-server). The database file itself is on an encrypted block volume.

6. How long we keep it

• Account record: until you delete it.
• Connections (encrypted tokens + meta): until you click Remove on /connections, or delete your account.
• Slack digest cache, Jira API cache: rolling, replaced on the next refresh (max ~24 hours).
• Action log: kept indefinitely for the "follow-ups" tracking feature; deleted when you delete your account or by request.
• Error logs: pruned manually by the admin once a bug is resolved (typical retention < 30 days).

7. Your rights — how to delete data

• Disconnect a service: visit /connections and click Remove on Slack, Atlassian, or Anthropic. The encrypted token is deleted immediately.
• Wipe your action log: email team@leveehub.com from the address tied to your account.
• Delete your account entirely: email us with the subject line "Delete my Levee account". We process within 7 days and confirm by reply. This removes every row tied to your user ID — connections, action log, snoozes, digest cache, narrative cache, feedback submissions, and the user record itself.

If you're in a jurisdiction with data-protection law (GDPR, UK GDPR, CCPA, PDPL etc.), the rights above apply to you specifically — access, rectification, erasure, portability, objection. Email us and we'll fulfil them within the statutory window.

8. Children

Levee is a workplace productivity tool intended for adults. We don't knowingly collect data from anyone under 18. If you believe we've inadvertently done so, email us and we'll delete the account on receipt.

9. Security

HTTPS only (Caddy + Let's Encrypt), HttpOnly cookies, AES-256-GCM at rest for all sensitive secrets, bcrypt for passwords, SameSite=Lax cookies. We don't currently undergo external security audits — we're a small developer-run product. If you find a security issue please email team@leveehub.com rather than disclosing publicly. We aim to respond within 48 hours.

10. Changes to this policy

If we make a material change we'll email everyone with an active account at least 14 days before the change takes effect. Trivial wording fixes ship without notice; the "Last updated" date at the top of this page is always authoritative.

11. Contact

For any privacy question, deletion request, or security report: team@leveehub.com.