GOBYSign in →

Privacy Policy

Effective: May 25, 2026 · Last updated: May 25, 2026

Goby ("Goby", "we", "us", or "our") is a test case management platform for software teams. This Privacy Policy describes how we collect, use, store, share, and protect information about you when you use our website and platform (collectively, the "Service"). Please read this policy carefully. By using the Service, you agree to the practices described here.

1. Information We Collect

We collect information in three ways: information you give us directly, information we collect automatically, and information we receive from third parties.

1.1 Information You Provide

  • Account registration: When you create an account, we collect your name, email address, and password (stored as a secure hash). If you sign in with Google, we receive your name, email, and profile picture from Google.
  • Profile information: You may optionally provide a job title, organisation name, or profile picture.
  • Content you create: We store all content you input into Goby, including test cases, test plans, test execution results, folder structures, requirements documents, custom field definitions, team members, project settings, and comments.
  • Communications: If you contact us via email or support channels, we retain those communications.
  • Payment information: If you subscribe to a paid plan, payment is processed by our payment provider. We do not store full credit card details on our servers.

1.2 Information Collected Automatically

  • Usage data: We collect data about how you interact with the Service, including pages visited, features used, buttons clicked, and time spent.
  • Session recordings: We use PostHog to record user sessions. Recordings capture mouse movements, clicks, scrolling, and navigation. Sensitive input fields (passwords, etc.) are masked and never recorded.
  • Device and technical data: We collect your IP address, browser type and version, operating system, screen resolution, and referring URL.
  • Log data: Our servers automatically record requests made to the Service, including timestamps, error logs, and response times.
  • Cookies and local storage: We use cookies and browser local storage for authentication, preferences, and analytics. See Section 7 for details.

1.3 Information from Third Parties

  • Google OAuth: If you choose to sign in with Google, we receive your name, email, and profile picture from Google, subject to your Google account permissions.
  • Team invitations: When a team administrator invites you to Goby, we receive your email address from the inviting party.

2. How We Use Your Information

We use the information we collect to:

  • Provide, operate, and maintain the Service
  • Authenticate your identity and manage your account and session
  • Enable team collaboration features including invitations, shared projects, and role-based access
  • Process and store content you create within the platform
  • Send transactional emails such as team invitations, password resets, and execution notifications
  • Send product updates and announcements (you may opt out at any time)
  • Analyse usage patterns to understand how the product is used and where to improve it
  • Debug errors, diagnose technical issues, and maintain service reliability and security
  • Detect and prevent fraud, abuse, and violations of our Terms of Service
  • Comply with applicable legal obligations
  • Respond to your enquiries and support requests

We do not sell your personal data. We do not use your content to train AI models that are shared externally.

3. Legal Bases for Processing (EEA / UK Users)

If you are located in the European Economic Area or the United Kingdom, our legal bases for processing your personal data are:

  • Contract performance: Processing necessary to provide the Service you have signed up for.
  • Legitimate interests: Analytics, fraud prevention, security, and product improvement, where these interests are not overridden by your rights.
  • Consent: Where we rely on your consent (e.g. marketing emails), you may withdraw consent at any time.
  • Legal obligation: Where processing is required to comply with applicable law.

4. How We Share Your Information

We do not sell, rent, or trade your personal data. We share information only in the following circumstances:

4.1 Within Your Team

Content you create within a Goby project is visible to other members of that project and team, according to the permission levels assigned by the team administrator.

4.2 Service Providers

We share data with trusted third-party providers who help us operate the Service. These providers are contractually bound to protect your data and may only use it to perform services on our behalf:
  • Supabase - database hosting and authentication (AWS infrastructure)
  • PostHog - product analytics and session recording
  • Vercel - application hosting and CDN
  • Google - OAuth sign-in (if used)
  • OpenAI / AI providers - powering AI-assisted features such as test case generation (content sent to AI providers is not used to train their public models under our agreements)

4.3 Legal Requirements

We may disclose your information if required to do so by law or in response to valid legal process (e.g. a court order or subpoena). We will notify you of such requests where legally permitted to do so.

4.4 Business Transfers

If Goby is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you before your information is transferred and becomes subject to a different privacy policy.

4.5 With Your Consent

We may share your information with third parties when you have given us explicit consent to do so.

5. Data Storage and Security

Your data is stored in a PostgreSQL database hosted on Supabase's infrastructure (AWS). All data is encrypted in transit using TLS/HTTPS. Data at rest is encrypted by our hosting providers.

We implement access controls, authentication requirements, and monitoring to protect against unauthorised access. Only authorised personnel have access to production data, and only when necessary to operate or support the Service.

Despite our best efforts, no security system is impenetrable. In the event of a data breach that affects your personal data, we will notify affected users and relevant authorities as required by applicable law, typically within 72 hours of becoming aware.

6. Data Retention

We retain your account data and content for as long as your account is active. If you delete your account, we will delete or anonymise your personal data within 30 days, except where we are required to retain it for legal, accounting, or fraud-prevention purposes.

Aggregate, anonymised analytics data (which cannot identify you) may be retained indefinitely for product improvement purposes.

Backup copies of data may persist for up to 90 days after deletion from our live systems.

7. Cookies and Tracking

We use the following types of cookies and similar technologies:

  • Essential cookies: Required for authentication and core functionality. The Service cannot function without these.
  • Analytics cookies: Set by PostHog to track usage patterns and session behaviour. You can opt out of analytics tracking by contacting us or using a browser extension that blocks PostHog.
  • Preference cookies: Store your settings and preferences (e.g. last used sign-in method, column preferences) in browser local storage.

You can control cookies through your browser settings. Disabling essential cookies will prevent you from signing in and using the Service.

8. Your Rights and Choices

Depending on your location, you may have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you.
  • Correction: Request that we correct inaccurate or incomplete data.
  • Deletion: Request that we delete your personal data ("right to be forgotten").
  • Portability: Request an export of your data in a machine-readable format.
  • Restriction: Request that we limit how we process your data in certain circumstances.
  • Objection: Object to processing based on legitimate interests.
  • Withdraw consent: Where we rely on consent, withdraw it at any time without affecting prior processing.
  • Opt out of marketing: Unsubscribe from marketing emails at any time using the link in any email or by contacting us.

To exercise any of these rights, email us at privacy@goby.app. We will respond within 30 days.

9. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA). You have the right to know what personal information we collect, to request deletion, to opt out of the "sale" of personal information (we do not sell personal information), and to non-discrimination for exercising your rights. To submit a request, contact us at privacy@goby.app.

10. International Data Transfers

Goby is operated from the United States. If you access the Service from outside the US, your data will be transferred to and processed in the US. For EEA and UK users, we rely on Standard Contractual Clauses (SCCs) with our service providers to ensure adequate protection of your data in accordance with GDPR.

11. Children's Privacy

The Service is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If you believe we have inadvertently collected data from a child under 16, please contact us immediately and we will delete it.

12. Third-Party Links

The Service may contain links to third-party websites or integrations. This Privacy Policy does not apply to those third-party services and we are not responsible for their privacy practices. We encourage you to review the privacy policies of any third-party services you use.

13. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by displaying a prominent notice within the Service before the changes take effect. The "Last updated" date at the top of this page will always reflect the most recent revision. Continued use of the Service after the effective date constitutes acceptance of the revised policy.

14. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your data, please contact us:

Goby

Email: privacy@goby.app

For EEA/UK data protection enquiries, you also have the right to lodge a complaint with your local supervisory authority.

© 2026 Goby. All rights reserved.Terms of Service