Privacy Policy

Last updated: May 5, 2026

FlyDocs is a product of Plastr ("we", "our", or "us"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the FlyDocs website (flydocs.ai), cloud dashboard (app.flydocs.ai), CLI tools (the @flydocs/cli npm package), and related services (collectively, the "Service").

FlyDocs is intended for professional software development use. By using the Service, you agree to the collection and use of information in accordance with this policy.

How FlyDocs Works

FlyDocs is an AI development workflow platform. The CLI installs structured context, skills, hooks, and slash commands into your project so AI coding tools follow your team's process. FlyDocs is available in two tiers:

  • Free (Local) tier — Runs entirely on your machine. All data stays on your local filesystem. No account is required and no information is transmitted to our servers, except optional anonymous CLI telemetry described below.
  • Cloud tier — Connects to our cloud services for the dashboard at app.flydocs.ai, the relay API for project management integrations, and team collaboration features.

What we collect depends entirely on which tier you use.

Information We Collect

Account Information (Cloud tier only)

When you create a cloud account, we collect:

  • Email address, name, and profile image (provided by your authentication provider)
  • Authentication identifiers issued by Clerk
  • Organization, workspace, and team membership details
  • Payment and billing information, processed by Stripe (we do not store card numbers)

Workspace Configuration (Cloud tier only)

Configuration you set in the portal is stored on our servers so every developer's CLI can resolve it. This includes:

  • Status mappings, label configurations, and issue type mappings
  • Provider selection (Linear or Jira) and the team or project the workspace is bound to
  • Workspace and repository topology (multi-repo workspaces)
  • Skill set selections and managed-artifact assignments

Provider Connection Credentials (Cloud tier only)

When you connect a project management or version control provider (Linear, Jira, GitHub, GitLab, Bitbucket), we store the credential required to act on your behalf — a personal API key for Linear, an OAuth token for Jira and SCM providers. These credentials are encrypted at rest with AES-256-GCM using a 12-byte IV and 16-byte authentication tag. They are decrypted only per-request when the relay API is making a call to the provider on your behalf and are never returned in API responses or written to logs.

FlyDocs API Keys (Cloud tier only)

CLI authentication keys with the fdk_ prefix are stored as a SHA-256 hash alongside a short plaintext prefix shown in the dashboard. We never store the full key after creation; if you lose a key, you must generate a new one.

AI-Generated Project Context (Cloud tier only)

When you opt into codebase scanning, the relay calls Anthropic's Claude (via the Vercel AI Gateway) to generate structured context for your project. The inputs sent to the model are:

  • Repository file tree (paths and names only)
  • package.json and similar manifest contents (dependencies, build system, entry points)
  • IDE config files (e.g. .cursorrules, .claude/CLAUDE.md, .cursor/rules/*.md), truncated to 5KB if larger
  • README.md and similar context files in the repo root
  • Service descriptor metadata, if present

Generated outputs (project.md, stack detection, service descriptor) are stored on our servers. Generated content is post-processed against a secret-pattern filter and rejected if potential secrets are detected. Raw source code, git history, secrets, and credentials in your repository are never sent to the model and never stored on our servers.

Usage Logs (Cloud tier only)

The relay API records request metadata for billing, debugging, and abuse prevention: endpoint, HTTP method, status code, latency, and provider type. Request and response bodies are not logged. Usage logs are retained for 90 days, after which they are deleted automatically.

CLI Telemetry (Optional)

The CLI can send anonymous usage telemetry to PostHog. This is enabled by default on first install and can be disabled at any time by running flydocs telemetry disable or setting the environment variable FLYDOCS_TELEMETRY=0. When enabled, telemetry includes:

  • An anonymous installation UUID (not linked to any account)
  • CLI version
  • Operating system, architecture, and Node.js version
  • Whether the session is running in a CI environment

Telemetry never includes your API key, your account identity, your project name, command arguments, file paths, or anything from your codebase.

Website Visitor Data

When you visit flydocs.ai, we collect:

  • Browser type, operating system, and device information
  • IP address (used for geolocation and abuse prevention; not retained in identified form past 90 days)
  • Pages visited, referring URLs, and interaction patterns

Marketing-site analytics are handled by PostHog. Email signups for product updates are handled by HubSpot. Neither is present in the cloud dashboard or relay API.

Communications

If you contact us for support or feedback, we retain the content of those communications along with your contact information.

Information We Do NOT Collect

We want to be explicit about what we never collect or store on our servers:

  • Source code — We never read, transmit, or store the contents of your source code files. The relay API receives no source code; the codebase scan sends only structural metadata, manifests, and IDE config files as listed above.
  • Secrets and credentials — API keys, passwords, tokens, and environment variables in your codebase are never collected. Generated context is filtered for secret patterns before storage.
  • Git history — Your commit history, diffs, and authorship data remain on your machine.
  • CLI command arguments or session content — Telemetry never sees what you typed, what files you edited, or what your AI session produced.

The Free (Local) tier collects no data whatsoever, except optional CLI telemetry. If you use FlyDocs locally without a cloud account and disable telemetry, none of your information reaches our servers.

How We Use Your Information

We use the information we collect to:

  • Provide, operate, and maintain the Service
  • Process payments and manage subscriptions through Stripe
  • Authenticate you and route operations to your provider on your behalf
  • Generate and update AI-powered project context when you opt in
  • Improve and develop new features based on aggregate usage patterns
  • Send technical notices, updates, and support communications
  • Respond to inquiries and provide customer support
  • Monitor and analyze usage trends, system performance, and quota usage
  • Detect, prevent, and address security issues, fraud, or abuse
  • Comply with legal obligations

Subprocessors

We use the following third-party services to operate the Service. Each operates under its own terms and privacy policy.

  • Clerk — User authentication and identity management for the cloud dashboard
  • Convex — Primary database for cloud workspace, identity, and configuration data
  • Stripe — Subscription billing and payment processing
  • Vercel — Hosting for the marketing site, dashboard, and relay API
  • Vercel AI Gateway / Anthropic — LLM provider for codebase scanning and context generation (Claude models)
  • GitHub, GitLab, Bitbucket — OAuth-based version control integrations for repo scanning and PR workflows
  • Linear, Jira — Project management providers reached through the relay API on your behalf
  • PostHog — Anonymous product analytics on the marketing site, and optional CLI telemetry
  • HubSpot — Email capture for marketing-site signups and product update communications

We do not sell your personal information. We share data with the subprocessors above only as needed to provide the Service, and with project management or SCM providers only when you have connected them and only for the operations you initiate.

We may also disclose information when required by law, legal process, or to protect our rights, safety, or property; and in connection with a merger, acquisition, or sale of assets, in which case your data would remain subject to this Privacy Policy.

Data Retention

The Service applies the following retention windows:

  • Usage logs (relay API request metadata) — 90 days, after which they are deleted automatically.
  • AI generation logs (codebase-scan invocations) — 90 days, after which they are deleted automatically.
  • Generated project context (project.md, service descriptors, context versions) — Retained for the life of your workspace, or until you delete it.
  • Workspace configuration and provider connections — Retained for the life of your organization, or until you delete it.
  • Account and billing records — Retained as required for tax, accounting, and legal obligations after account closure.
  • Website analytics — Retained in aggregate form; not linked to individual identities after 90 days.

When you delete your organization, we cascade delete its workspaces, repositories, context versions, templates, skills, API keys, provider connections, usage logs, AI generation logs, projects, scans, and project files. We notify GitHub to remove our app installation. Stripe customer records are retained as required for billing and tax compliance.

Data Security

We implement the following technical measures:

  • Encryption in transit — TLS 1.2+ for all network traffic to flydocs.ai, app.flydocs.ai, and the relay API.
  • Encryption at rest — Provider credentials are encrypted with AES-256-GCM. FlyDocs API keys are stored as SHA-256 hashes and are never recoverable in plaintext after creation.
  • Per-request decryption — Provider credentials are decrypted only for the lifetime of an individual relay request and never returned to clients.
  • Access controls — Workspace and organization data is scoped to its members; relay operations are authorized against the API key's organization.
  • Secret filtering — AI-generated outputs are scanned for secret patterns before storage.

No method of transmission or storage is completely secure, and we cannot guarantee absolute security. We do not accept liability for unauthorized access resulting from your sharing of credentials.

Your Rights

Depending on your location, you may have the right to:

  • Access the personal information we hold about you
  • Request correction of inaccurate data
  • Request deletion of your data
  • Object to or restrict certain processing
  • Receive a portable copy of your data
  • Withdraw consent where processing is based on consent

Organization administrators can delete an organization at any time from the dashboard, which triggers the cascade described above. Individual data subject requests within an active organization can be made by contacting us at support@flydocs.ai; we will respond within 30 days.

International Data Transfers

FlyDocs is operated from the United States. Your information may be transferred to and processed in the United States and other countries where our subprocessors operate. We take steps to ensure that your data receives an adequate level of protection wherever it is processed.

Children's Privacy

FlyDocs is intended for professional software development and is not directed to individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we learn we have collected such information, we will delete it promptly.

Changes to This Policy

We may update this Privacy Policy from time to time. When we make changes, we will revise the "Last updated" date at the top of this page. For significant changes, we will provide additional notice through the Service or by email.

Contact Us

If you have questions about this Privacy Policy or how we handle your data, contact us at: