Legal
Privacy Policy
Last updated July 2, 2026
This policy describes our actual data practices as implemented. It is a template and has not yet been reviewed by counsel — treat it as a good-faith starting point, not a final legal document, until it has.
What we collect
When you create an govern.sh account we collect your name, email address, and workspace name. When you use the product we store the agent identities, policies, tool connections, and action receipts you create — this operational data is the product; it's scoped to your workspace and not shared across workspaces.
Authentication is handled by Supabase Auth. We store a session cookie to keep you signed in; we do not use third-party advertising or analytics trackers.
How we use it
Your data is used to operate the product: rendering your dashboard, evaluating policies against agent actions, enforcing budgets, and producing your audit log. We do not sell your data or your workspace's operational data to third parties.
Data isolation
Every workspace's data is isolated with database-level row security — other customers cannot query your agents, policies, or receipts, and neither can we outside of what's required to operate or debug the service.
Retention & deletion
Your data is retained for as long as your account is active. You can request deletion of your account and associated data by contacting us; signed audit receipts may be retained longer where required for the tamper-evident audit trail you've generated, consistent with what a compliance-grade audit product needs to promise its own customers.
Contact
Questions about this policy: privacy@govern.sh