Privacy Policy

Veda AI

Last updated: June 2026

1. Overview

Veda AI ("we," "our," or "us") is a project management health analytics platform that helps teams monitor project performance, identify risks, and improve delivery. This Privacy Policy describes how we collect, use, store, and protect your information when you use our services.

By using Veda AI, you agree to the practices described in this policy. If you do not agree, please do not use our services.

2. Data We Collect

We collect the following categories of data:

  • Account data: Email address, name, and authentication credentials when you sign up or log in.
  • Project data: For health analytics we store project keys (e.g. PROJ, TZ1) and raw numerical metrics (e.g. SPI, CPI, hours, task counts) needed for analysis. We do not persist Jira project display names in our analytics database. Display names are loaded transiently in your browser memory via a live API proxy and are cleared when you end your session or switch workspace.
  • Usage data: How you interact with the platform (e.g., pages viewed, features used) to improve our product.
  • Feedback: Optional anonymized diagnosis snapshots when you report issues, used solely to improve our analytics.

2a. Personal Data

If you agree to use our services, we store your user ID (from your authentication provider, e.g., Supabase Auth) to enable access control, permissions, and reporting features on the Dashboard. Your user ID is used solely to:

  • Authentication and authorization: To identify you and ensure you can access only your own data.
  • Dashboard and reporting: To associate project data, sync history, and analytics with your account so you can view and manage your portfolio.

We do not sell or share your user ID with third parties for marketing purposes. You can request deletion of your account and associated data at any time (see Section 8).

3. Connected Services

Veda AI integrates with third-party project management and development tools (collectively, "Connected Services"). These include:

  • Currently supported: Jira (Atlassian), via OAuth 2.0.
  • Planned integrations: GitHub, Backlog, Asana, Monday.com, and similar tools.

When you connect a Connected Service, we access only the data necessary to compute project health metrics (e.g., SPI, CPI, task status). We do not access or store content beyond what is required for analytics. You control which projects and data sources are connected.

Each Connected Service has its own privacy policy. We encourage you to review their policies when authorizing access.

3b. Atlassian API Data Processing

When you authorize Veda to access your Atlassian Cloud site, we read project and work-item data needed to compute delivery-health metrics. Sensitive Jira identity labels are not persisted in Veda's analytics database.

We connect using OAuth 2.0 (we never ask for your Atlassian password). Access tokens are encrypted and scoped to your workspace. You can revoke access in Atlassian or in Veda Integrations settings.

Zero-Knowledge Storage (Jira identity fields)

For Jira-sourced labels on the Dashboard and Heatmap:

  • Project display names: not stored in our analytics database; fetched live for display in browser memory; fallback to project key if unavailable.
  • Project keys (e.g. TZ1): stored as anonymous identifiers to join metrics.
  • Issue titles, descriptions, comments: not stored for health sync.
  • SPI, CPI, hours, task counts, pillar scores: stored as numerical snapshots only.
  • OAuth tokens: stored encrypted until you disconnect.

Transient processing

Our live proxy (GET /api/jira/projects/live) returns a key-to-name map through server memory only for that request—we do not write Jira project names to the database or log them.

Your browser matches metrics (project_key only) with the live map in RAM (short-lived cache per workspace). When you switch workspace, the previous map is cleared. If the live API fails, the UI shows a fallback label such as Project PROJ-123.

Zero-Knowledge Storage applies to Jira labels in the analytics pipeline, not to all Veda data. Account email, profile name, encrypted OAuth credentials, and workspace membership data are stored under our standard practices.

We request read-oriented scopes to list projects and read work items for metrics. You choose which projects to connect. Disconnecting removes our ability to call Atlassian on your behalf.

Atlassian processes your data under its own terms. Review Atlassian's privacy policy when granting OAuth consent.

OAuth reviewers: Veda's stored health dataset is numerical and key-based, not a copy of your Jira project catalog or issue text.

4. AI & Analytics

We use artificial intelligence and analytical models to process your project data for the following purposes:

  • Computing project health indicators (e.g., Schedule Performance Index (SPI), Cost Performance Index (CPI)).
  • Identifying risks, blind spots, and patterns (e.g., shadow work, optimism bias, team burnout signals).
  • Generating forecasts and what-if simulations to support decision-making.

Important: We do not use your data to train or improve public or third-party AI models. Your project data is processed solely to deliver analytics within your account and is not shared for model training purposes.

4b. Cookies & Browser Storage

We use first-party cookies and limited browser storage to run Veda AI. We do not use advertising or cross-site tracking cookies on our marketing pages today. If we add optional analytics (for example Google Analytics) in the future, we will load them only after you opt in via our cookie banner (required for visitors in the EU/UK and similar regions).

Essential cookies (always active — no consent required):

  • NEXT_LOCALE — remembers your language preference (about 1 year).
  • Supabase Auth session cookies — keep you signed in securely.
  • pmhd_workspace_id — remembers your active workspace in the app.
  • veda_cookie_consent — stores your cookie choices (about 12 months).

Optional categories (off until you accept in the banner):

  • Analytics — aggregated visit statistics if we enable a third-party or marketing analytics tool.
  • Marketing — advertising or remarketing pixels (not used today).

We may use localStorage for product UX (for example onboarding A/B variant). This stays on your device and is not shared with ad networks.

You can change your choice anytime by clearing site cookies or using the banner when it reappears. For EU/UK visitors, rejecting non-essential cookies must be as easy as accepting them.

5. Data Security & Storage

Your data is stored and managed using Supabase, a secure cloud infrastructure provider. We implement industry-standard measures to protect your information:

  • Encryption: Data at rest is encrypted. Sensitive credentials (e.g., OAuth tokens) are encrypted with AES-256-GCM before storage.
  • Access control: Row-level security (RLS) ensures users can access only their own data.
  • Transmission: All data in transit is protected via TLS/HTTPS.

Supabase is SOC 2 compliant and provides robust security controls. For more information, see Supabase Security.

5a. Security Excellence

We align our security practices with industry standards and multi-tenant isolation so your data stays strictly separated from other customers.

  • OWASP alignment: We address OWASP Top 10 risks: broken access control (A01), injection (A03), and authentication failures (A07). All API inputs are validated with schemas; credentials are never stored in code; and every table is protected by Row Level Security (RLS).
  • Tenant isolation: Every query is scoped by workspace. You only see and act on data in workspaces where you are a member. RLS policies enforce that project, connector, and analytics data cannot leak across tenants. Our security audits confirm workspace-scoped policies on all relevant tables.
  • Least privilege: We use the most restrictive RLS policies possible. Service-role bypass is limited to server-side operations (e.g. sync jobs) and never exposes cross-tenant data to the client.

6. Permissions & Access

We are committed to transparency about the permissions we request from Connected Services:

  • Read-only access: For most integrations (e.g., Jira), we request read-only or minimally scoped permissions. We do not modify, delete, or create data in your Connected Services unless you explicitly trigger such actions.
  • Limited scope: Permissions are tailored to the purpose you select (e.g., syncing specific projects). You can revoke access at any time through the Connected Service or our Integrations settings.
  • User control: You choose which projects to sync and which data to include. We do not access data beyond what you authorize.

7. Data Retention

We retain your data for as long as your account is active. If you delete your account, we will delete or anonymize your personal and project data within 30 days, except where we are required to retain data for legal or regulatory purposes.

Feedback and anonymized snapshots may be retained in aggregated form to improve our services, but they do not contain personally identifiable information.

8. Your Rights

Depending on your location, you may have the right to:

  • Access and receive a copy of your personal data.
  • Correct or update inaccurate data.
  • Request deletion of your data.
  • Object to or restrict certain processing.
  • Data portability.
  • Withdraw consent where processing is based on consent.

To exercise these rights, please submit a request via our Support form. We will respond within the timeframe required by applicable law.

9. Contact Us

If you have questions about this Privacy Policy or our data practices, please use the Support form on this site.

Support

We may update this policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date.