Privacy Policy

Last updated: June 29, 2026

Overview

This Privacy Policy explains how Scrapybara, Inc. ("Scrapybara," "Capy," "we," "us," or "our") collects, uses, discloses, and protects personal information when you visit our websites, use Capy, interact with our team, apply for a job, or use related services (collectively, the "Services").

Capy is an AI software engineering platform. Depending on how you configure it, the Services may process source code, prompts, agent conversations, connected-service content, logs, files, screenshots, terminal output, generated code, pull requests, and other development data. Some of that data may contain personal information.

This Policy applies when we act as a controller of personal information, such as for account administration, marketing, website analytics, billing, security, support, and recruiting. When a business customer uses Capy to process personal information contained in its repositories, prompts, tickets, Slack messages, Linear issues, logs, or other Customer Content, we generally act as that customer’s processor or service provider. That processing is governed by our agreement with the customer, including our Data Processing Addendum where applicable.

Personal information we collect

Information you provide

We collect information that you or your organization provide directly, including:

  • Account and identity information: name, email address, avatar, organization, role, login identifiers, authentication state, workspace membership, preferences, and account settings.
  • Organization and administration information: company name, team members, project names, repository configuration, default branches, project setup scripts, model preferences, automation settings, billing contacts, security contacts, and support contacts.
  • Customer Content: source code, repositories, files, diffs, commits, branches, pull requests, issues, comments, documentation, prompts, instructions, chat messages, task history, PR review findings, summaries, generated code, generated text, images, screenshots, terminal output, command logs, artifacts, attachments, and other materials submitted to or generated by the Services.
  • Integration content: information made available through connected services such as GitHub, Slack, Linear, Sentry, Vercel, or other integrations you authorize. This may include repository metadata, PR data, issue text, comments, Slack channel/thread messages, Linear issue context, Sentry issue data, deployment metadata, user identifiers, and permission metadata.
  • Secrets and environment configuration: environment-variable names, project setup configuration, and secret values or credentials that you intentionally store in designated secret or environment-variable features. You should not put secrets in ordinary prompts, support tickets, or free-text fields.
  • Billing information: plan, subscription, credit balance, invoices, transaction identifiers, payment status, tax information, billing address, payment-method metadata, auto-reload settings, overage settings, and dispute information. Full payment-card numbers are processed by our payment providers, not stored directly by Capy.
  • Communications: emails, support requests, sales requests, meeting information, feedback, survey responses, community messages, and other communications with us.
  • Recruiting information: information submitted through careers pages or referral forms, such as name, email, resume, application materials, referral notes, job preferences, and interview communications.

Information collected automatically

When you use the Services, we and our service providers may automatically collect:

  • Device and browser information: IP address, browser type, device type, operating system, language, time zone, referring page, and approximate location inferred from IP address.
  • Usage and product telemetry: pages viewed, buttons clicked, feature usage, session metadata, route paths, project and organization identifiers, timestamps, latency, errors, performance events, model selections, token counts, VM runtime, command metadata, task state, PR state, and credit usage.
  • Security and operational logs: authentication events, access logs, API requests, webhook events, integration sync logs, audit logs, abuse signals, error reports, crash diagnostics, and infrastructure events.
  • Cookies and similar technologies: cookies, pixels, scripts, local storage, session storage, and similar technologies used for authentication, security, preferences, analytics, referral attribution, UTM capture, and product improvement. See our Cookie Policy.

Information from third parties

We may receive information from:

  • authentication providers, such as Clerk;
  • payment and billing providers, such as Stripe and Autumn;
  • analytics, email, support, monitoring, and recruiting providers;
  • connected services you authorize, such as GitHub, Slack, Linear, Sentry, and Vercel;
  • model providers and infrastructure providers involved in delivering agent functionality;
  • resellers, partners, or referral programs;
  • public sources, if relevant to sales, security, support, or recruiting; and
  • other users in your organization who invite you, mention you, assign work, share content, or configure access.

How we use personal information

We use personal information to:

  • provide, operate, maintain, secure, monitor, and improve the Services;
  • create and administer accounts, organizations, projects, repositories, tasks, threads, automations, reviews, API access, and integrations;
  • execute your instructions, run agents, generate Output, create branches and pull requests, analyze diffs, review code, and synchronize context from connected services;
  • route prompts, context, and Output to model providers and other processors as necessary to provide the Services;
  • authenticate users, authorize access, enforce permissions, and prevent unauthorized access;
  • calculate usage, credits, subscriptions, taxes, invoices, overage, auto-reload, and billing records;
  • provide support, troubleshoot issues, respond to requests, and communicate service, security, billing, and administrative notices;
  • send product updates, marketing communications, events, and similar communications, where permitted by law;
  • analyze product usage, performance, reliability, security, and business metrics;
  • detect, prevent, and investigate fraud, abuse, policy violations, security incidents, and illegal activity;
  • comply with legal obligations, enforce agreements, resolve disputes, and protect rights, safety, and property;
  • process job applications and referrals; and
  • create aggregated or de-identified information that does not identify you or your Customer Content.

AI and model-provider processing

Capy uses AI model providers and model-hosting infrastructure to provide the Services. When you run an agent or use an AI feature, we may send relevant prompts, code context, files, logs, tool outputs, images, screenshots, metadata, and generated content to the selected or routed model provider as needed to produce the requested Output.

Capy does not use non-public Customer Content to train models that Capy develops or controls unless you explicitly opt in or otherwise agree in writing. Third-party model-provider processing is subject to the applicable provider’s terms, policies, configurations, and data-processing commitments.

Some models, features, external subscriptions, BYOK configurations, or customer-directed integrations may be subject to different provider terms, retention, abuse-monitoring, or data-use practices. If you bring your own API key, connect your own ChatGPT/Codex or GitHub Copilot subscription, or instruct an agent to use a third-party service, that provider’s agreement with you may govern its handling of data.

Cookies, analytics, and tracking

Our marketing site and app use cookies and similar technologies for authentication, security, preferences, referral attribution, UTM attribution, pageview analytics, product analytics, and performance measurement. For example, the marketing site uses PostHog analytics and stores referral and UTM parameters in local storage when present in the URL.

We do not currently sell personal information, and we do not currently share personal information for cross-context behavioral advertising as those terms are defined under U.S. state privacy laws. If our practices change, we will update this Policy and provide any required opt-out mechanism.

For details and controls, see our Cookie Policy.

How we disclose personal information

We may disclose personal information to:

  • Service providers and subprocessors that provide hosting, compute, storage, model processing, authentication, billing, analytics, monitoring, support, email, recruiting, workflow orchestration, and similar services. See Subprocessors.
  • Customer-directed integrations such as GitHub, Slack, Linear, Sentry, Vercel, model providers, BYOK providers, external subscriptions, MCP servers, or other third-party tools you configure or instruct the Services to use.
  • Organization administrators who manage your workspace, billing, projects, members, integrations, settings, audit logs, and usage.
  • Other users in your organization when collaboration features, threads, projects, tasks, PRs, Slack sync, Linear delegation, or other sharing features make information visible to them.
  • Payment processors and billing providers to process payments, subscriptions, credits, taxes, invoices, disputes, and fraud checks.
  • Professional advisers such as lawyers, auditors, insurers, bankers, and accountants.
  • Authorities, courts, regulators, or third parties when we believe disclosure is necessary to comply with law, protect safety or security, investigate abuse, enforce agreements, or protect rights.
  • Transaction counterparties in connection with a merger, acquisition, financing, reorganization, bankruptcy, sale of assets, or similar corporate transaction.
  • Affiliates that process information consistent with this Policy.
  • Others with your consent or at your direction.

We require service providers that process personal information on our behalf to protect it and use it only for authorized purposes. Customer-directed integrations and third-party services you choose to connect may process information under their own terms and privacy policies.

Where GDPR, UK GDPR, or similar laws apply, our legal bases may include:

  • Contract: to provide the Services, administer accounts, process payments, run agents, provide support, and perform agreements.
  • Legitimate interests: to secure, improve, monitor, analyze, and market the Services; prevent abuse; troubleshoot; communicate with users; and operate our business, where those interests are not overridden by your rights.
  • Consent: for certain marketing, cookies, optional features, or where we ask for consent.
  • Legal obligations: to comply with accounting, tax, sanctions, security, consumer protection, employment, and other legal requirements.
  • Vital or public interests: where necessary to protect safety or respond to emergencies, though this is uncommon.

Data retention

We retain personal information for as long as reasonably necessary for the purposes described in this Policy, including to provide the Services, maintain business records, comply with law, resolve disputes, enforce agreements, secure the Services, prevent abuse, and maintain backups.

Retention periods vary by data type and customer configuration. For example:

  • account, billing, tax, and transaction records may be retained for legal and accounting purposes;
  • task, thread, PR, review, and integration history may be retained while your account or organization is active unless deleted or configured otherwise;
  • operational logs, security logs, telemetry, and backups are retained for limited periods based on security, reliability, and legal needs;
  • Customer Content may be deleted or returned after termination according to the applicable agreement and our standard deletion processes; and
  • de-identified or aggregated data may be retained indefinitely if it no longer identifies a person or customer.

Deletion may not immediately remove data from encrypted backups, archival logs, legal holds, billing records, or systems where retention is required or permitted by law.

Security

We use administrative, technical, and organizational safeguards designed to protect personal information, including encryption in transit, encryption at rest where appropriate, access controls, logging, monitoring, employee access restrictions, vendor review, and incident-response procedures. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.

You are responsible for securing your own accounts, devices, repositories, branches, CI/CD systems, cloud accounts, connected integrations, credentials, environment variables, and downstream use of Output.

Security issues should be reported to security@capy.ai.

International transfers

We are based in the United States, and we and our service providers may process personal information in the United States and other countries. These countries may have privacy laws that differ from the laws where you live.

Where required, we rely on legally recognized transfer mechanisms, which may include Standard Contractual Clauses, the UK International Data Transfer Addendum, adequacy decisions, data processing agreements, or other lawful mechanisms.

Your privacy rights and choices

Depending on where you live, you may have rights to:

  • access personal information we hold about you;
  • correct inaccurate personal information;
  • delete personal information;
  • receive a portable copy of personal information;
  • object to or restrict certain processing;
  • withdraw consent where processing is based on consent;
  • opt out of marketing communications;
  • appeal a denied privacy request; and
  • lodge a complaint with a privacy regulator.

You can exercise many account-level choices in the Services. You can opt out of marketing emails using the unsubscribe link in the email. To make a privacy request, email support@capy.ai from the email address associated with your account and include "Privacy Request" in the subject line.

We may need to verify your identity and authority before fulfilling a request. If your account is managed by an organization, we may direct your request to that organization or require the organization’s involvement because it may be the controller of the relevant data.

U.S. state privacy disclosures

Some U.S. state privacy laws require additional disclosures. The categories below describe our practices during the 12 months before the "Last updated" date.

CategoryExamplesSourcesPurposesDisclosed to
IdentifiersName, email, user ID, IP address, account IDs, GitHub/Slack/Linear identifiersYou, your organization, service providers, integrationsAccount, authentication, support, security, billing, communicationsService providers, integrations, organization admins
Commercial informationPlan, invoices, credits, payment status, transaction IDsYou, billing providersBilling, accounting, tax, fraud preventionBilling providers, professional advisers
Internet or network activityLogs, pageviews, clicks, device data, API requests, telemetryYour device, app usage, service providersSecurity, analytics, troubleshooting, product improvementAnalytics, monitoring, hosting providers
Professional or employment informationCompany, role, workspace membership, recruiting data, resumesYou, your organization, recruiting providersService administration, sales, recruitingRecruiting providers, organization admins
User content and development dataSource code, prompts, outputs, PRs, issues, Slack/Linear/Sentry content, logsYou, your organization, connected integrationsProviding agent, review, automation, and collaboration featuresModel providers, infrastructure providers, integrations, subprocessors
InferencesProduct preferences, usage patterns, model preferencesApp usage, analyticsProduct improvement, support, personalizationAnalytics providers, organization admins where applicable

We do not sell personal information. We do not share personal information for cross-context behavioral advertising. We do not knowingly collect personal information from children under 18. We do not use sensitive personal information to infer characteristics.

Children

The Services are not directed to children under 18. We do not knowingly collect personal information from children under 18. If you believe a child has provided personal information to us, contact support@capy.ai.

The Services may link to or integrate with third-party services. Their privacy practices are governed by their own policies. We are not responsible for third-party privacy or security practices.

Changes to this Policy

We may update this Privacy Policy at any time in our sole discretion. If we make material changes, we will update the "Last updated" date and provide notice as required by law. Your continued use of the Services after an update means the updated Policy applies to future processing.

Contact

Questions or privacy requests may be sent to support@capy.ai with the subject line "Privacy Request."

Scrapybara, Inc.
San Francisco, California, United States