How we handle your data

Detego ("we," "us," "our") operates the web application at detego.app (the "Service"). This Privacy Policy explains what information we collect, how we use it, who we share it with, and your rights regarding that information.

By using Detego, you agree to the collection and use of information as described in this policy. If you do not agree, please do not use the Service.

For a technical deep dive into our security architecture, see our Security & Data Privacy page.

2.1 Account Information

When you create an account, we collect your name, email address, and an encrypted password hash (for email/password authentication). If you sign in via Google or Microsoft OAuth, we receive your name and email from the identity provider. We may also store an optional company name and role if you choose to provide them.

2.2 COMTRADE Recordings & Files

When you use local-only mode (the default), your COMTRADE files are processed entirely in your browser. No file data is transmitted to our servers or any third party.

When you opt in to cloud storage, your uploaded .cfg, .dat, and .cff files are stored in our database along with metadata extracted from the file headers (station name, device ID, recording timestamp, duration, sample rate, channel names, and channel counts).

2.3 AI Analysis Data

When you use AI-powered fault analysis, we send computed summaries only to our AI provider — never your raw waveform data. This includes station metadata, channel definitions, RMS summaries, digital event timelines, computed phasor values, sequence components, harmonic spectra, and impedance values. These values are computed in your browser and only the results are transmitted.

If relay settings are loaded (e.g., XRIO files), protection parameter names and values may also be included to enable contextual analysis.

2.4 Relay Manual Queries

When AI analysis queries a relay manual for manufacturer guidance, a text query and relay family identifier are sent to Google's Gemini File Search service. No user identity, waveform data, or fault measurements are included in these queries.

2.5 Usage Analytics

We collect anonymized usage events (e.g., file uploads, analysis runs, page views) to understand how the Service is used and to improve it. For authenticated users, events are associated with your user ID. For guests, events are tied to a random session identifier stored in your browser's localStorage — no personal information is attached.

We also use Vercel Analytics, a cookieless, privacy-friendly service that collects Web Vitals performance metrics (page load times, rendering performance). Vercel Analytics does not use cookies, does not collect personally identifiable information, and does not track individual users.

2.6 Feedback

When you submit feedback through our in-app form, we collect your message, an optional name and email (or your account email if signed in), the page URL, and an optional screenshot. Feedback is stored in our database and an email notification is sent to our team.

2.7 Sharing

When you create a share link for a recording, a unique token and expiry date are generated. Anyone with the link can view the shared recording in read-only mode. Share links expire after 30 days by default and are revocable at any time.

We use the information we collect to:

• Provide, operate, and maintain the Service
• Authenticate your identity and manage your account
• Store and retrieve your COMTRADE recordings (when cloud storage is enabled)
• Generate AI-powered fault analysis reports
• Query relay manufacturer documentation for contextual guidance
• Enable sharing of recordings with colleagues via secure links
• Understand usage patterns and improve the Service
• Respond to feedback and support requests
• Detect, prevent, and address technical issues or abuse

We do not sell your data. We do not use your recordings or analysis results for advertising. We do not use your data to train AI models.

We use the following third-party services to operate Detego. Each service has its own privacy policy governing how they handle data:

AI data usage: Anthropic's API does not use inputs or outputs for model training by default. Your fault analysis data is processed, returned as a report, and retained by Anthropic only per their standard API data retention policy (typically 30 days for safety monitoring, then deleted).

All data is transmitted over HTTPS/TLS. Our database uses PostgreSQL with row-level security (RLS) — each user can only access their own recordings, analyses, and account data. Administrators have read access for support and operational purposes.

Our security measures include:

• HTTPS/TLS encryption for all data in transit
• PKCE (Proof Key for Code Exchange) authentication — tokens never appear in URLs
• Cookie-based session storage (not localStorage)
• Content Security Policy headers to prevent XSS and data exfiltration
• Server-side API keys — secrets never exposed to the browser
• Input validation on all API routes (Zod schema validation)
• Version-locked dependencies with vulnerability scanning

For full technical details, see our Security & Data Privacy page.

We retain your data as follows:

• Account data — retained until you delete your account
• Recordings & analyses — retained until you delete them individually or delete your account (cascading delete)
• Share links — expire after 30 days, revocable at any time
• Usage analytics — retained to provide aggregate usage insights
• Feedback — retained to help us improve the Service

When you delete a recording, all associated data (analyses, conversations, share links, and stored files) are permanently removed from our servers.

Depending on your location, you may have the following rights under applicable data protection laws (including GDPR and CCPA):

• Access — request a copy of the personal data we hold about you
• Rectification — request correction of inaccurate data
• Deletion — request deletion of your account and associated data. You can delete individual recordings directly in the app, or request full account deletion by contacting us
• Portability — request an export of your data in a machine-readable format
• Restriction — request that we limit how we process your data
• Objection — object to our processing of your data for certain purposes

To exercise any of these rights, contact us at privacy@detego.app. We will respond within 30 days.

California Residents (CCPA)

Under the California Consumer Privacy Act, California residents have the right to know what personal information is collected, request deletion, and opt out of the sale of personal information. We do not sell personal information to third parties.

Our infrastructure providers (Supabase, Vercel, Anthropic, Google) operate servers in multiple countries. Your data may be transferred to and processed in countries outside your own, including the United States. These providers maintain appropriate safeguards for international data transfers in compliance with applicable data protection laws.

Detego is not directed at children under the age of 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify you via email or an in-app notification. Your continued use of the Service after changes constitutes acceptance of the updated policy.

If you have questions about this Privacy Policy or want to exercise your data rights, contact us at: