Privacy Policy
How Webb Applications collects, uses, and protects your data when you use RectifAI.
Effective date: 19 April 2026
Last updated: 19 April 2026
This Privacy Policy explains how Webb Applications ("we", "us", "our") collects, uses, stores, and protects personal data when you use RectifAI (the "Service"). It also describes your rights under applicable law.
1. Who we are
Webb Applications is the data controller for personal data processed through RectifAI. We are incorporated in England and Wales.
Contact: privacy@webbapplications.co.uk
Website: webbapplications.co.uk
2. What data we collect
2.1 Account and identity data
- Full name and email address (from Atlassian OAuth or direct sign-in)
- Profile image URL
- Workspace membership and role
2.2 Incident and operational data
- Incident title, description, status, severity, and timeline
- Incident event messages and actor names
- Task descriptions and role assignments
- Linked Jira issue keys, IDs, and field values
- Team and system names, descriptions, and runbook URLs
2.3 Integration credentials
- OAuth access and refresh tokens for connected providers (Atlassian, Slack, PagerDuty, Zoom, Google, Microsoft). These are encrypted with AES-256-GCM before storage.
2.4 Usage and diagnostic data
- Error reports and performance traces collected via Sentry (with text masking applied — see section 5)
- Application logs generated during normal operation
2.5 Communication data
- Email addresses used to send workspace invitations via Resend
3. How we use your data
| Purpose | Legal basis (GDPR) |
|---|---|
| Providing the incident management service | Performance of contract (Art. 6(1)(b)) |
| Syncing incidents with Jira, Slack, PagerDuty, Zoom, Teams, and Google Chat | Performance of contract (Art. 6(1)(b)) |
| Generating AI-assisted post-incident reports via OpenAI | Performance of contract (Art. 6(1)(b)) |
| Sending workspace invitation emails | Performance of contract / legitimate interest (Art. 6(1)(f)) |
| Error monitoring and application stability | Legitimate interest (Art. 6(1)(f)) |
| Compliance with legal obligations | Legal obligation (Art. 6(1)(c)) |
4. Data storage and location
All primary data is stored in a Google Cloud SQL (PostgreSQL 16) database hosted in the europe-west2 (London, United Kingdom) region. Profile and workspace images are stored in Google Cloud Storage in the same region.
OAuth tokens are encrypted at rest using AES-256-GCM with keys managed in Google Cloud Secret Manager. The database itself uses SSL-only connections and encrypted SSD storage.
5. Third-party sub-processors
We share personal data with the following sub-processors to operate the Service. A full list with data categories transferred is maintained on our Sub-processor List page.
| Sub-processor | Purpose | Location |
|---|---|---|
| Google Cloud Platform | Hosting, database, storage, messaging | UK (europe-west2) |
| OpenAI | AI-assisted post-incident analysis | United States |
| Sentry | Error monitoring and performance tracing | Germany (de.sentry.io) |
| Resend | Transactional email (workspace invitations) | United States |
| Slack | Chat integration (bidirectional incident sync) | United States |
| PagerDuty | Paging integration | United States |
| Microsoft | Teams integration | United States / EU |
| Zoom | Meeting integration | United States |
| Atlassian | Jira Service Management integration | Australia / US |
Where sub-processors are located outside the European Economic Area (EEA), transfers take place under the EU Standard Contractual Clauses (SCCs) or equivalent approved safeguards.
6. Data transfers outside the EEA
Some sub-processors (OpenAI, Resend, Slack, PagerDuty, Zoom, Atlassian) process data in countries outside the EEA, including the United States. We rely on the following transfer mechanisms:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions where applicable
- Sub-processor's own binding corporate rules or certification
By using the Service, you acknowledge that your data may be transferred to and processed in these countries.
7. Data retention
| Data type | Retention period |
|---|---|
| Account and workspace data | Until you delete your workspace or request erasure |
| Incident data | Until workspace deletion |
| OAuth tokens | Until you disconnect the integration or delete the workspace |
| Error logs (Sentry) | 90 days (Sentry default) |
| Email invitation records | 30 days after the invitation expires |
When a workspace is deleted, all associated data is removed from our systems within 30 days via cascading database deletion. Data that has been synced to third-party systems (e.g. Jira issues, Slack messages) may persist in those systems and must be removed directly there.
8. Your rights
If you are located in the EEA or UK, you have the following rights under the GDPR / UK GDPR:
- Access — request a copy of your personal data
- Rectification — correct inaccurate data
- Erasure — request deletion of your data ("right to be forgotten")
- Restriction — restrict how we process your data
- Portability — receive your data in a structured, machine-readable format
- Objection — object to processing based on legitimate interest
- Withdraw consent — where processing is based on consent
To exercise any right, contact us at privacy@webbapplications.co.uk. We will respond within 30 days.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk if you are in the UK, or your local supervisory authority if you are in the EEA.
9. Security
We implement the following technical and organisational measures to protect your data:
- AES-256-GCM encryption for OAuth tokens at rest
- TLS for all data in transit
- Google Cloud SQL encrypted storage (SSL-only mode)
- Role-based access controls on all application resources
- Secret Manager for all credentials and API keys
- Sentry text masking to reduce PII exposure in error reports
See our Security Policy for full details.
10. Cookies
RectifAI uses only essential session cookies required for authentication. We do not use advertising or tracking cookies.
11. Children's data
RectifAI is a B2B service intended for business users. We do not knowingly collect personal data from anyone under the age of 16.
12. Changes to this policy
We may update this policy from time to time. When we do, we will revise the "Last updated" date at the top of this page. For material changes, we will notify workspace administrators by email or in-app notice.
13. Contact
For privacy-related questions, data subject requests, or to report a concern:
Email: privacy@webbapplications.co.uk
Post: Webb Applications, England, United Kingdom