Privacy Policy
Last updated: June 23, 2026
Operator: Malveon, operated by Ladson Antony Raj. Malveon is not yet incorporated as a legal entity. Incorporation as a Private Limited company in India is planned for 2026.
1. What we collect
From you directly
- Name, work email, and company name when you sign up, contact us, or join the waitlist.
- Account credentials (email and hashed password) when you create a Malveon account.
- Your role and team membership within your Malveon company.
When you connect integrations
- OAuth access tokens and refresh tokens for the integrations you authorize through OAuth: GitHub, Slack, Notion, Linear, Jira, Confluence, Google Docs, and Microsoft Teams.
- Webhook and API connections for the services you wire up without OAuth: Datadog, Sentry, PagerDuty, Vercel, and LaunchDarkly.
- User identifiers from those services, for example a GitHub username, a Slack workspace ID, or an Atlassian AccountID.
- Data your integrations sync to Malveon, including pull requests, code review comments, CI status, incident records, decision threads, project tasks, deploy events, and discussions.
Through normal use
- Usage analytics (page views, session duration, referrer) via Google Analytics. No personally identifying information is sent to Google Analytics.
- Server-side logs (request paths, status codes, error traces). We do not log request bodies that contain sensitive content.
2. How we use it
- Power the core Malveon product: surface tasks, decisions, deploy status, incidents, and team activity to the right people at the right time.
- Send transactional emails (account verification, invites, password resets).
- Contact you about pilot onboarding if you opted in.
- Improve the product using aggregated usage patterns only, never individual user behavior.
We do not sell, rent, or share your data with third parties for marketing.
3. Where your data lives
| What | Where | Why |
|---|---|---|
| Account and product data | Supabase (PostgreSQL), AWS Asia Pacific (Sydney) region | Primary database |
| Background jobs and cache | Redis on Railway | Job queue and rate limiting |
| API backends | Railway | Application runtime |
| Frontend assets | Vercel global edge network | Static assets and hosting |
| Email delivery | Resend | Transactional email |
| Analytics | Google Analytics 4 | Usage analytics |
Malveon's primary data store is located in Australia, and the operator is based in India. By using Malveon you understand that your data may be stored and processed outside your own country, including in Australia.
4. Subprocessors
We use the following third-party services to operate Malveon:
- Supabase (database)
- Railway (compute, Redis)
- Vercel (CDN, frontend hosting)
- Resend (email)
- Google Analytics (web analytics)
If you connect any integration (for example GitHub, Slack, or Atlassian), that vendor processes data per their own privacy policy.
5. Data security
- All OAuth tokens are encrypted at rest using AES-256-GCM before being written to the database.
- All traffic between you, Malveon, and integration providers uses TLS 1.2 or higher.
- Database access is limited to the application backend via service-role credentials.
- Production secrets are stored in Railway and Vercel encrypted environments. They are not committed to source control.
6. Your rights
You can:
- Request a copy of the personal data we hold about you.
- Correct inaccurate personal data.
- Request deletion of your account and associated personal data.
- Disconnect any integration at any time from the Malve integrations page, which removes the OAuth token from our database.
To exercise any of these rights, email ladson@malveon.com. We will respond within 30 days.
Atlassian users: Malveon participates in Atlassian's Personal Data Reporting program. Account closures on Atlassian's side trigger automatic deletion of related Malveon data within seven days.
7. Data retention
- Account data: retained while your account is active. Deleted within 30 days of account closure.
- OAuth tokens: retained until you disconnect the integration or close your account. Deleted within 7 days of either event.
- Synced integration data (PRs, tasks, decisions, incidents): retained for the lifetime of your Malveon company. Deleted within 30 days of company closure.
- Server logs: 30 days.
- Google Analytics data: retained per Google's default settings (currently 14 months).
8. Children
Malveon is not directed at anyone under 18. We do not knowingly collect data from minors.
9. Cookies
Malveon uses a small number of cookies:
- A session cookie for authentication (HttpOnly, Secure, SameSite=Lax).
- Google Analytics cookies for usage analytics.
- No marketing or advertising cookies.
10. Changes to this policy
We update the “Last updated” date when material changes are made. For significant changes, we notify active users by email.
11. Contact
Email ladson@malveon.com for any privacy questions or data requests.