Privacy Policy

This page explains, in plain language, what data NoCrash collects when you use the product, why we collect it, who we share it with, and what you can do about it.

We try to write this the way a normal human talks. If anything is unclear, email [email protected] and we'll explain.

What we collect

When you sign up

• Your email address.
• Either a password (stored as a one-way BCrypt hash — we cannot read it) or a Google or GitHub identifier if you sign in with one of those.
• The timezone you pick (so the daily brief lands at the right time of day).

When you connect your tools

• API keys and connection details for the services you ask NoCrash to watch (for example, the address of your n8n setup and an API key). API keys are encrypted at rest using AES-256-GCM via Rails Active Record Encryption. Only NoCrash's servers can decrypt them, and only when running a check on your behalf.
• The URLs you ask us to ping.
• If you install the NoCrash JavaScript snippet in an app: page loads, uncaught errors, unhandled promise rejections, and failed network requests from that app. We do not capture form values, keystrokes, or page content.

When you use the product

• Events from your connected tools (workflow runs, errors, recoveries) — this is the data that powers the dashboard, the daily brief, and the alerts.
• Product analytics: page views, clicks, and session recordings via PostHog so we can see which parts of the product are confusing.
• Aggregate page-view analytics via Google Analytics 4.
• Error reports via Sentry when something breaks inside NoCrash itself.

When you pay

• Subscription status, plan, and payment history. Card details are handled entirely by Stripe — we never see or store your card number.

Why we collect it

• To run the service you signed up for: watch your tools, send the daily brief, deliver alerts.
• To bill you, if you're on a paid plan.
• To improve the product (which buttons confuse people, which pages are slow).
• To respond when you email us for help.

We do not sell your data. We do not run ad networks against your data.

Who we share it with

We use a small number of trusted vendors ("processors") to run the service. They each see only the slice they need:

• Amazon Web Services — hosts our servers and database (data center: United States).
• Stripe — handles all payments and stores card details.
• PostHog — product analytics and session recordings.
• Google Analytics 4 — aggregate page-view counts.
• Sentry — error reports from NoCrash itself.
• OpenRouter — relays the short summaries that become your daily brief to a language-model provider. We send a compact description of your events; we do not retain the model's response beyond the brief itself.
• Anthropic — the language-model provider that actually generates your daily brief and answers questions from your own AI assistants (see "How your own AI assistants connect" below). Today we reach Anthropic through OpenRouter; we name them here so you know who sees the text we send. Anthropic does not train on your data.
• Amazon SES — sends our email (alerts, daily briefs, account email).
• Telegram — if you choose Telegram alerts, we send the alert to Telegram's Bot API.
• Slack — if you choose Slack alerts, we send the alert to Slack's API for delivery to the channel you picked.

Your connected tools (for example, your own n8n instance) are your systems. NoCrash reads from them with the credentials you provide; how those tools handle data is governed by their own policies, not ours.

How your own AI assistants connect (MCP)

NoCrash offers an optional way for your own AI assistants — for example Claude Desktop, Cursor, or any other tool that speaks the Model Context Protocol — to ask NoCrash questions on your behalf. You turn this on by connecting one of those tools with your NoCrash API key; you can turn it off at any time by deleting the key.

When the connection is on, here's what flows out of NoCrash to the AI assistant you connected:

• The list of things you've asked NoCrash to watch, and their current green/yellow/red status.
• Recent events from those watches (workflow runs, errors, recoveries) when your assistant asks for them.
• The plain-language text of your daily brief when your assistant asks for it.

That data leaves NoCrash and reaches the assistant you connected. From there, the assistant's own provider sees it too — for most users that means Anthropic (the maker of Claude) when you connect Claude Desktop, or whichever model provider sits behind the assistant you picked. Those providers handle the data under their own privacy terms, not ours.

You stay in control. Nothing flows to your AI assistant unless you connected it. Revoke the API key in Settings and the connection ends right away. NoCrash never pushes your data to an AI assistant on its own — your assistant has to ask, and it can only ask with a key you handed it.

Forwarded recipients (Agency tier)

The Agency plan includes a setting that forwards alerts and weekly reports to your clients' email addresses. When you turn that on, here's what happens with your client's data:

• You give us your client's email address (and, optionally, a display name) by entering it on the connection.
• We send operational emails (alerts and weekly reports) from a @nocrash.io address to that recipient on your behalf.
• We store the email address only on the connection record itself — we do not build a separate marketing list, and we do not contact your clients for any reason other than delivering the alerts and reports you configured.
• Every forwarded email includes a List-Unsubscribe header and a footer link that lets your client opt out directly with us. When they do, we stop sending and notify you.
• When you delete the connection (or remove the client's email from it), we stop forwarding immediately. We do not retain the recipient address independently of the connection record.

In this flow, you (the agency) are the data controller for your client's email address; NoCrash is the processor. The processor obligations are in our Data Processing Addendum.

Cookies

We use a session cookie to keep you signed in, a CSRF cookie to protect form submissions, and analytics cookies from PostHog and Google Analytics. We do not use advertising or cross-site tracking cookies.

How long we keep it

• Account data: while your account is active, plus 30 days after you delete it (so we can recover from accidental deletions).
• Event history: capped by your plan (24 hours on Free, 30 days on Pro, 90 days on Team, 1 year on Agency). Older events are deleted automatically.
• Billing records: kept as long as required by tax law (typically 7 years).
• Server logs and error reports: 30 days.

Your rights

You can:

• See what we have about you — email [email protected] and we'll send it.
• Correct anything that's wrong — most fields you can edit yourself in Settings.
• Export your data — ask us, we'll send a JSON dump.
• Delete your account and all your data — Settings → Delete account, or email us.
• Object to a specific use — tell us, we'll work it out.

If you're in the EU/EEA or UK, you have the right to lodge a complaint with your local data protection authority. In Estonia, that's the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon).

Children

NoCrash is not intended for children under 16. If you believe a child has signed up, email us and we'll delete the account.

Changes to this policy

If we change anything material, we'll update the "Last updated" date at the top and email you if you have an active account. Small wording fixes won't trigger an email.

Contact

Questions, requests, or anything else: [email protected].