Déjà
Effective Date: December 19, 2025

Privacy Policy

This Privacy Policy describes how Déjà, Inc. ("Déjà", "we", or "us") collects, uses, and discloses information associated with an identified or identifiable individual ("Personal Data") and what choices you have around this activity.

1. Information We Collect And Receive

Déjà collects and receives information in a variety of ways to provide our deterministic recall service.

Customer Data (Integration Data)

  • Observability Data: Stack traces, error messages, exception types, and timestamped event logs.
  • Source Control Data: Git commit hashes, pull request titles/descriptions, file paths, code diffs, and author attribution.

What We Do NOT Collect

  • Audio or video metadata.
  • Arbitrary files outside the scope of active incidents.
  • Source code repositories in their entirety (we only fetch specific diffs related to incidents).

2. How We Process Your Information

Prohibition on Generative Training

Déjà is a deterministic system. We strictly prohibit the use of Customer Data (including code snippets, stack traces, and commit messages) for the training, fine-tuning, or vectorization of any generative AI models, whether global, local, or proprietary.

Purposes of Processing

  • Provide deterministic recall through hashing and matching.
  • Prevent recurrence by validating fixes via Rate Gates.
  • Ensure security, prevent fraud, and debug infrastructure.
  • Comply with legal obligations.

3. Data Retention & Minimization

Ephemeral Ingestion (Zero-Disk Policy)

Raw payload data (stack traces, PII, environment variables) is processed exclusively in volatile memory (RAM). It is cryptographically hashed upon receipt. The raw payload is strictly prohibited from being written to non-volatile storage (Disk/DB) at any point in the lifecycle.

Metadata

Hashes, file paths, and PR links are retained unless deletion is requested.

Tokens

OAuth tokens are stored encrypted at rest using AES-256.

4. How We Share and Disclose Information

  • With authorized users in your organization.
  • With trusted service providers under strict confidentiality (e.g., AWS for infrastructure).
  • For legal compliance or law enforcement requests.
  • As part of business transfers (e.g., merger or acquisition).

5. Security

We implement enterprise-grade security controls including:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256).
  • Strict tenant isolation logic in the database.
  • Least-privilege access controls for employees.

6. Your Rights

You have the right to access, correction, and deletion of your data. We do not sell personal data under CCPA.

  • Right to Cryptographic Shredding: Upon a deletion request, Déjà performs a "Crypto-Shred" of your tenant's master key, rendering all retained metadata and verification hashes mathematically irretrievable instantly, confirming strict compliance with the "Right to be Forgotten".

To exercise these rights, contact privacy@deja.dev.