FeatSmith — Privacy Policy
Last updated: 11 July 2026
FeatSmith ("the extension") is a Chrome extension by SiraLabs that helps you draft rule-compliant
feature fields for issue trackers such as Jira and Linear. This policy explains what data we
process, why, and your choices.
1. Data we process
- Account email — used to authenticate you (email one-time code or Google sign-in) and to identify your account.
- Issue-tracker connection credentials (Jira, Linear) — the tracker's base URL and either an API token/key or an OAuth token, only for the trackers you choose to connect. These are stored only on your device (in the browser's extension storage) and are never sent to or stored on our servers. The extension calls each tracker's API directly from your browser (the Jira REST API and the Linear GraphQL API). For "Sign in with Jira" / "Sign in with Linear" (OAuth), our stateless broker performs the token exchange using our app's client secret and returns the tokens to your browser without storing them.
- Your rule profiles and generated content — the rule profiles you create, the rules extracted from a document (plus that document's filename and format), and the feature fields generated for you, including the issue key and the input context of a generation. Rule profiles sync across your own devices via your account.
- Usage counters — a count of AI generations (lifetime for the free tier, per calendar month for Pro fair use), to enforce your plan's limits.
- Device identifier and activity — a random identifier generated on your device (not personal information), with the times it was first and last seen. We use it for security and abuse prevention — enforcing the concurrent-device limit and fair-use limits. You can see how many devices your account is currently active on, and sign out of your other devices, in Options → Account.
- Billing information (Pro only) — if you upgrade, payment is taken by Stripe on Stripe's own checkout page. We never see or store your card details. Stripe tells us your subscription's status, and we store only your plan, its status and renewal date, and Stripe's customer and subscription identifiers, so we can grant you Pro access.
- Contact-us submissions — if you use the in-app Contact form, the category, your message, and any attachment you add are emailed to us (and a confirmation to you); they are not stored in our database.
- Beta-access requests — if you use the "Request beta access" form on the sign-in screen, we collect the email address, name/short profile, profession, and reason you submit. We use them solely to review your request and grant access (we store the request, email you a waitlist confirmation, and email you again when a decision is made). Because this form is public (it works before you have an account), we also record the source IP address of the request and use it only to rate-limit and block abuse of that form; it is never used for marketing, profiling, or analytics, is not shared, and is visible only to our servers. This is not marketing: it is separate from the opt-in product-update and survey emails described below, and submitting a request does not opt you into anything.
- Referrals — when you invite a teammate, or someone requests beta access using your referral code, we store the referral linkage: your account id, the invited email address, and the invite's lifecycle status (invited, joined, first use, upgraded). We use this solely to power the referral feature — attributing who referred whom and showing you your own referral statistics. Your referral code itself is a random identifier and contains no personal information.
- Product-usage analytics — pseudonymous, aggregate usage events (for example: the panel was opened, a generation started/finished, a variant was accepted, a tracker was connected) together with your account id, a random device id, and coarse properties such as your plan and profile count. We use this to understand which features help and to improve the product. We never include the content you work with — no issue text, generated output, emails, document contents, or tracker tokens are ever sent as analytics. Analytics is on by default and you can turn it off at any time (Options → Account → "Product analytics").
- Product updates & surveys (optional) — with your explicit consent, we use your account email to send you occasional product-update and survey emails. This is off by default: we send these only if you opt in (Options → Account → "Product updates & surveys"). You can withdraw consent at any time from that same screen, or unsubscribe from any such email using the unsubscribe link it contains. This is separate from essential transactional emails — sign-in codes, teammate invites, and contact-form confirmations — which we send so the service works and which do not require this consent.
- AI request & response logs — to improve the quality of the AI output, we store the exact prompt we send to the AI model and the response it returns. This includes the content used as context: the issue text (summary, description, existing fields) and any details you type in, the text extracted from a rules document you upload for extraction, and the generated output itself. These logs are kept for up to 30 days, after which the prompt and response content is automatically deleted and only non-content metrics (such as the model used, token counts, and timings) are retained. Access is restricted to authorized SiraLabs personnel for the sole purpose of diagnosing and improving generation quality. You can request deletion of your logs at any time (see Contact).
We do not retain your uploaded documents as files. When you upload a rules document, it is processed in memory to extract rules and the file itself is then discarded — we keep the resulting rules and the document's filename. Note that the text extracted from the document is included in the AI request logs described above and is therefore retained, as part of that prompt, for up to 30 days before its content is purged.
2. How we use it
Solely to provide the service: authenticate you, generate and store your rules and outputs, let your browser connect to your issue tracker, take payment for Pro and grant your plan, respond to your contact messages, prevent abuse, and enforce plan limits. If (and only if) you opt in, we also use your email to send product updates and surveys, which you can stop at any time. We do not sell your data or use it for advertising.
3. Service providers
- Supabase — authentication, database, storage, and our server functions (hosts your account, rules, generations, usage, and plan data). Your tracker credentials are not stored here.
- Anthropic — the AI model that generates/extracts content. The text you submit for generation or extraction is sent to Anthropic to produce the output. Do not submit secrets or sensitive personal data in generation inputs.
- Atlassian / Jira and Linear — your own tracker workspace, accessed directly from your browser using the credentials you provide, to fetch issue content and (optionally) write back fields. Your token is not routed through our servers.
- Google — only if you choose "Continue with Google" to sign in; Google confirms your identity and email to us.
- Stripe — payment processing for Pro subscriptions. Stripe collects and processes your payment details under its own privacy policy; we receive only your subscription status and Stripe's customer/subscription identifiers.
- Resend — email delivery for transactional email (Contact-us submissions and their confirmations, sign-in codes, teammate invites, beta-access decisions) and, if you opt in, product-update and survey emails.
- Amplitude — product-usage analytics, hosted in the US data center. Receives the pseudonymous usage events described above (keyed by your account id and a random device id), never your content. You can opt out in Options → Account.
Our servers and database are hosted with Supabase, and analytics with Amplitude, in the United States. Using FeatSmith from outside the US means your data is transferred to and processed there.
4. Permissions
The extension requests only what it needs: storage (save your settings and, locally, your tracker credentials), sidePanel (the generation UI), identity (sign in with Google, Jira, or Linear), and host access to the issue trackers and their APIs (*.atlassian.net, api.atlassian.com, linear.app, api.linear.app) so it can detect the issue you're viewing and call the tracker's API directly from your browser, plus network access to the US analytics endpoint (api2.amplitude.com) for the pseudonymous usage analytics described above. It does not read pages outside those issue-tracker domains, and it contains no remotely hosted code.
5. Storage, security, and retention
Server-side data is isolated per user via row-level security. Your tracker credentials are stored only on your device and never on our servers. We retain your account data (rules, generations, usage, plan) while your account is active. AI request & response logs (see §1) are retained for up to 30 days; a scheduled job then automatically purges the prompt and response content, keeping only non-content metrics. Beta-access requests (including the source IP recorded for abuse control) are retained while we administer the waitlist and are deleted on request. You can delete an on-device tracker connection at any time (Options → Connections → Disconnect), sign out of your other devices (Options → Account), and request account deletion or deletion of your AI logs (see Contact) to remove your rules, usage records, and stored prompts/responses.
6. Your choices and rights
Connecting an issue tracker is optional. You can disconnect a tracker on your device at any time (which clears the stored credentials), revoke OAuth access from your Atlassian or Linear account, turn off product-usage analytics (Options → Account), and sign out of your other devices (Options → Account). Product-update and survey emails are opt-in and off by default; you can withdraw consent at any time (Options → Account → "Product updates & surveys") or use the unsubscribe link in any such email. Subject to your local law (including the GDPR/UK GDPR and the CCPA where they apply), you may request access to, correction of, a copy of, or deletion of your personal data, and you may object to or restrict certain processing — contact us and we will respond.
Questions, data requests, or deletion requests (including deletion of your AI request & response logs): hello@siralabs.ai.