Privacy Policy

Effective date: 12 April 2026

1. Who we are

Distilled ("we", "us", "our") is a product operated from Scotland. We are the data controller for the personal data we process through our website at distilledmetrics.com (the "Website") and the Distilled application (the "Application").

If you have any questions about this policy or how we handle your data, please contact us at hello@distilledmetrics.com.

2. What data we collect

We collect and process the following categories of personal data:

• Account information: your name, email address, and profile information provided via your GitHub account when you sign in through our authentication provider (Clerk).
• Repository metadata: information about your GitHub repositories, pull requests, deployments, and related development activity. We do not access or store your source code.
• Usage data: information about how you interact with the Application, including pages viewed, features used, and session duration.
• Technical data: IP address, browser type and version, operating system, and device information collected automatically when you visit the Website or use the Application.
• Cookie data: we use strictly necessary cookies for authentication and session management. See section 8 for details.

3. How we use your data

We process your personal data for the following purposes:

• Providing the service: to authenticate you, connect to your GitHub repositories, and generate engineering delivery metrics and insights.
• Service improvement: to understand how the Application is used and to improve its features and performance.
• Communication: to send you service-related notices, such as security alerts or changes to our terms.
• Legal compliance: to comply with applicable laws and regulations, and to protect our legal rights.

4. Legal basis for processing

Under UK GDPR, we rely on the following legal bases:

• Contract: processing necessary to perform our contract with you (providing the Application).
• Legitimate interests: processing necessary for our legitimate interests, such as improving the service and ensuring security, where these are not overridden by your rights.
• Legal obligation: processing necessary to comply with UK law.
• Consent: where we rely on consent, you may withdraw it at any time by contacting us.

5. Who we share your data with

We share personal data only with the following categories of recipients, and only to the extent necessary:

• Authentication provider: Clerk, for managing user authentication and sessions.
• Hosting and infrastructure: our cloud hosting providers, who process data on our behalf under appropriate data processing agreements.
• GitHub: we access the GitHub API on your behalf using the permissions you grant via the Distilled GitHub App.

We do not sell your personal data to third parties. We do not share your data with advertisers.

6. International transfers

Some of our service providers may process data outside the UK. Where this happens, we ensure appropriate safeguards are in place, such as standard contractual clauses approved by the UK Information Commissioner's Office (ICO), or transfers to countries with an adequate level of data protection.

7. Data retention

We retain your personal data for as long as your account is active and as needed to provide you with the service. If you delete your account, we will delete or anonymise your personal data within 30 days, unless we are required by law to retain it for longer.

Aggregated, non-identifying metrics data may be retained indefinitely for service improvement purposes.

8. Cookies

We use strictly necessary cookies to enable authentication and maintain your session. These cookies are essential for the Website and Application to function and cannot be disabled.

We do not use cookies for advertising, tracking, or analytics purposes.

9. Your rights

Under UK GDPR, you have the following rights regarding your personal data:

• Access: request a copy of the personal data we hold about you.
• Rectification: request correction of inaccurate personal data.
• Erasure: request deletion of your personal data.
• Restriction: request that we restrict processing of your data.
• Portability: request your data in a portable, machine-readable format.
• Objection: object to processing based on legitimate interests.

To exercise any of these rights, please contact us at hello@distilledmetrics.com. We will respond within 60 days.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

10. Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include encryption in transit (TLS), encryption at rest, access controls, and regular security reviews.

11. Changes to this policy

We may update this privacy policy from time to time. We will notify you of material changes by posting the updated policy on the Website and updating the effective date above. Your continued use of the Application after changes are posted constitutes your acceptance of the revised policy.

12. Contact us

If you have any questions or concerns about this privacy policy or our data practices, please contact us at:
hello@distilledmetrics.com