Lineman -- Privacy Policy

Last updated: April 2026

This Privacy Policy explains how Goo Holdings Ltd (trading as "Lineman") collects, uses, shares, and protects your personal data when you use the Lineman service, visit our website, or interact with our support channels. Please read it carefully alongside our Terms and Conditions, which govern your use of the Service.

Goo Holdings Ltd is a company registered in England and Wales under company number 17141115, with its registered office at 79 Shawclough Way, Greater Manchester, OL12 6DS, England.

Where we use capitalised terms not defined in this policy, they have the meanings given in our Terms and Conditions.

Definitions
What Personal Data We Collect
Customer Content -- How We Handle Your Code
How and Why We Use Your Data
Data Sharing and Sub-processors
International Data Transfers
Data Retention
Cookies and Similar Technologies
Your Rights Under UK GDPR
Jurisdiction-Specific Disclosures
Children's Privacy
Data Security
Changes to This Policy
Contact Us

1. Definitions

In addition to the definitions in our Terms and Conditions, the following terms apply throughout this policy:

"Personal Data" means any information relating to an identified or identifiable natural person, as defined in UK GDPR Article 4(1).

"Processing" means any operation performed on Personal Data, including collection, recording, storage, retrieval, use, disclosure, and erasure.

"Controller" means the entity that determines the purposes and means of processing Personal Data.

"Processor" means an entity that processes Personal Data on behalf of a Controller.

"Data Subject" means the individual to whom Personal Data relates.

"Sub-processor" means a third party engaged by Goo Holdings Ltd to process Personal Data on its behalf.

"ICO" means the Information Commissioner's Office, the UK's independent supervisory authority for data protection.

2. What Personal Data We Collect

We collect and process the following categories of personal data:

2.1 Account Data

When you create an account, we collect:

Name
Email address
Organisation name (if applicable)
Billing address
Account configuration and preferences

2.2 Payment Data

When you subscribe to the Service, payment is processed by our third-party payment processor. We receive a transaction reference, billing address, and the last four digits of your payment method. We do not store full card numbers or bank account details on our systems.

2.3 Usage Data and Telemetry

We collect anonymised, aggregated operational data about how you use the Service:

Task types and categories
Token counts and model selection
Latency measurements and error rates
Feature usage and API access patterns

Usage Data does not contain Customer Content. It is collected and stored separately from any code or files you process through the Service.

You can disable Usage Data and Telemetry collection at any time via the /lineman:telemetry off command in the Lineman MCP plugin. Disabling telemetry stops collection of the data described above.

2.3.1 Service-Operation Stream ("phone home")

Independently of telemetry, the Lineman MCP plugin sends a minimal "service-operation" event stream that we rely on to operate the product. This stream carries:

A randomly generated install identifier (install_id) and, if you have signed in, your user identifier (user_id)
The version of the Lineman MCP plugin installed on your machine
A snapshot of your service configuration: telemetry on/off, signed-in/anonymous, plan tier
Lifecycle events: plugin start, version upgrade, sign-in / sign-out, telemetry-toggle
A snapshot of the Git repository state of the project you are working in: the origin remote URL, the current branch, the current commit SHA, and whether your working tree has uncommitted changes. We use this to correlate failures we observe in the Service to a specific source-code state, so we can replay scenarios with adjusted settings during beta-test triage. If your project is not a Git repository, or if you do not have a git binary installed, this snapshot is omitted. If you set the environment variable LINEMAN_REDACT_REPO_REMOTE=1, the remote URL is replaced with an irreversible SHA-256 hash before transmission (we still see the SHA, branch, and dirty flag).

This stream does not contain Customer Content, file contents, prompts, command output, or stack traces. It exists so that we can count active installs, identify which release is in the field for crash-rate and regression analysis, trace the sign-in / sign-out funnel for support, and correlate failures to a specific source state for replay.

Because it is required to operate the Service safely, this stream cannot be disabled while you continue to use the Lineman MCP plugin. It is collected on the basis of legitimate interests (UK GDPR Article 6(1)(f)). If you do not want this data collected, please uninstall the plugin.

2.4 Security Logs

To maintain the security of the Service, we collect:

Authentication events (login times, methods used)
IP addresses
API access patterns
Anomaly detection signals

2.5 Error Logs

We collect anonymised error traces to diagnose and resolve technical issues. Error logs do not contain Customer Content.

2.6 Support Data

When you contact us for support or submit feedback, we collect:

The content of your correspondence
Your email address and name
Any attachments or screenshots you provide

2.7 Website Data

When you visit our website, we may collect:

Pages visited and time spent
Referral source
Browser type and version
Device type and operating system
IP address (which may be truncated or anonymised)

3. Customer Content -- How We Handle Your Code

This section explains how we handle the code, files, and data you submit for processing through the Service ("Customer Content"). This is central to our privacy commitment.

3.1 Transient processing only

Customer Content is processed in real-time and is not retained after the response is delivered to you. We do not maintain a persistent store of your code.

3.2 No training, no fine-tuning, no model improvement

Goo Holdings Ltd does not use Customer Content to train, fine-tune, or improve AI models. This commitment is absolute and applies to all deployment topologies and subscription tiers.

3.3 Limited operational exceptions

Customer Content may be temporarily retained, subject to strict data minimisation, solely for the following purposes:

Short-term caching to complete multi-step requests within a single session
Abuse detection and prevention where there is a reasonable basis to suspect misuse
Security monitoring and incident response to protect the Service and its users
Debugging where necessary to resolve a specific technical issue (with data minimisation and prompt deletion)
Legal compliance where required by law or legal process

All operational retention is subject to defined retention periods, access controls, and the principle of data minimisation.

3.4 Cloud processing

When you use the Lineman API (cloud endpoint), your code is transmitted to Goo Holdings Ltd servers for processing. It is processed transiently and discarded after the response is delivered, subject to the limited operational exceptions above.

3.5 Data protection roles for Customer Content

Business customers: Goo Holdings Ltd acts as a Processor for Customer Content processed on your behalf. A Data Processing Agreement (DPA) is available and forms part of the Terms for business users.
Consumer users: Goo Holdings Ltd may act as a Controller or joint Controller for certain processing activities related to the Service. The lawful basis and your rights are set out in Sections 4 and 9 of this policy.

4. How and Why We Use Your Data

Under UK GDPR, we must have a lawful basis for each type of processing. The table below sets out our purposes and the lawful basis we rely on for each.

4.1 Performance of contract (UK GDPR Article 6(1)(b))

Providing the Service and processing your requests
Managing your account and subscription
Processing payments
Sending service-related communications (e.g. subscription confirmations, service updates, security notices)

4.2 Legitimate interests (UK GDPR Article 6(1)(f))

We have carried out a balancing assessment for each of the following purposes and concluded that our legitimate interests are not overridden by your rights and freedoms:

Maintaining security and preventing abuse: collecting security logs and limited operational data to detect and respond to threats
Improving reliability: collecting error logs and telemetry to diagnose issues, monitor performance, and improve the stability of the Service
Aggregated analytics: using Usage Data to understand how the Service is used and to inform product development (no individual identification)
Fraud prevention: detecting and preventing fraudulent activity on the Service

4.3 Consent (UK GDPR Article 6(1)(a))

Marketing communications: we will only send you marketing emails if you have opted in. You may withdraw consent at any time by clicking the unsubscribe link in any marketing email or by contacting us at privacy@lineman.dev.

4.4 Legal obligation (UK GDPR Article 6(1)(c))

Retaining payment and billing records as required by tax and accounting law
Responding to lawful requests from law enforcement or regulatory authorities
Complying with court orders or other legal process

4.5 No model training

For the avoidance of doubt, we do not rely on legitimate interests or any other lawful basis to use your Customer Content or Personal Data for training, fine-tuning, or improving AI models.

5. Data Sharing and Sub-processors

5.1 Categories of recipients

We may share your Personal Data with the following categories of third parties, solely for the purposes described in this policy:

Cloud infrastructure providers -- hosting, compute, and storage for the Service
LLM inference providers -- third-party model providers used to process tasks through the cloud API
Payment processors -- to process subscription payments securely
Support tools -- to manage support tickets and correspondence
Analytics providers -- to process aggregated, anonymised usage data (if applicable)

5.2 Sub-processor obligations

All sub-processors are bound by data processing agreements that require them to:

Process Personal Data only on our documented instructions
Implement appropriate technical and organisational security measures
Notify us of any personal data breach without undue delay
Delete or return Personal Data at the end of the engagement

5.3 Sub-processor list

We maintain a list of our current sub-processors. You may request this list at any time by emailing privacy@lineman.dev. We will provide reasonable advance notice before engaging a new sub-processor that processes Personal Data.

5.4 No selling of Personal Data

We do not sell your Personal Data to third parties. This applies under all circumstances and all applicable privacy regimes, including the California Consumer Privacy Act (CCPA/CPRA).

5.5 Law enforcement and legal disclosure

We may disclose Personal Data where required to do so by law, court order, or regulatory authority. Where permitted, we will notify you before making such a disclosure.

6. International Data Transfers

Your Personal Data may be transferred to, and processed in, countries outside the United Kingdom and European Economic Area. Where such transfers occur, we ensure that appropriate safeguards are in place:

UK International Data Transfer Agreement (IDTA): We use the UK IDTA as our primary transfer mechanism for transfers outside the UK.
UK Addendum to the EU Standard Contractual Clauses: Where appropriate, we rely on the UK Addendum to the EU SCCs.
Adequacy decisions: Where the UK government has made an adequacy decision for the recipient country, we rely on that decision.

You may request information about the specific safeguards applied to transfers of your data by contacting privacy@lineman.dev.

7. Data Retention

We retain Personal Data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. The following retention periods apply:

Account Data: retained for the duration of your account, plus [X months] after account closure to handle any post-termination queries or disputes
Payment records: retained for [X years] after the transaction date, as required by UK tax and accounting law
Customer Content: not retained -- processed transiently and discarded after response delivery (subject to the limited operational exceptions in Section 3.3)
Security Logs: retained for [X months]
Telemetry and Usage Data: retained for [X months]
Error Logs: retained for [X months]
Support correspondence: retained for [X months] after the matter is resolved

7.1 Account deletion

You may request deletion of your account and all associated Personal Data at any time. We will process deletion requests within 30 days, subject to any legal retention obligations (for example, tax records that must be kept for a statutory period). To request deletion, email privacy@lineman.dev or use the account settings in the Service.

8. Cookies and Similar Technologies

8.1 What cookies we use

We use a minimal set of cookies to operate the Service:

Strictly necessary cookies: session cookies and authentication tokens required for the Service to function. These cannot be disabled.
Functional cookies: cookies that remember your preferences and settings (e.g. theme, language).

8.2 What we do not use

We do not use third-party advertising or tracking cookies. We do not participate in cross-site tracking or interest-based advertising.

8.3 Analytics

If we use analytics tools, they will be configured to anonymise IP addresses and to avoid setting persistent tracking cookies. We will update this section if our analytics practices change.

8.4 Managing cookies

You can control cookies through your browser settings. Disabling strictly necessary cookies may prevent the Service from functioning correctly. For more information about cookies, visit allaboutcookies.org.

9. Your Rights Under UK GDPR

Under the UK General Data Protection Regulation, you have the following rights in relation to your Personal Data:

9.1 Right of access

You have the right to request a copy of the Personal Data we hold about you, together with information about how it is processed.

9.2 Right to rectification

You have the right to request that we correct any inaccurate or incomplete Personal Data.

9.3 Right to erasure

You have the right to request that we delete your Personal Data. We will comply within 30 days, subject to any legal retention obligations.

9.4 Right to restriction of processing

You have the right to request that we restrict the processing of your Personal Data in certain circumstances -- for example, where you contest its accuracy or object to our processing.

9.5 Right to data portability

You have the right to receive a copy of your Personal Data in a structured, commonly used, and machine-readable format, and to transmit it to another controller, where the processing is based on consent or contract and is carried out by automated means.

9.6 Right to object

You have the right to object to processing based on our legitimate interests. We will stop processing unless we can demonstrate compelling legitimate grounds that override your rights and freedoms.

9.7 Right to withdraw consent

Where we process your data on the basis of consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

9.8 How to exercise your rights

To exercise any of these rights, email privacy@lineman.dev. We will respond within one calendar month. If your request is complex or we receive a large number of requests, we may extend this by a further two months, in which case we will notify you within the first month.

We will not charge a fee for exercising your rights unless the request is manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse the request.

9.9 Right to complain

If you are not satisfied with our response, you have the right to lodge a complaint with the ICO:

Information Commissioner's Office Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF Website: ico.org.uk Telephone: 0303 123 1113

We would appreciate the opportunity to address your concerns before you contact the ICO, so please reach out to us first at privacy@lineman.dev.

10. Jurisdiction-Specific Disclosures

10.1 California (CCPA/CPRA)

If you are a California resident, the following additional disclosures apply under the California Consumer Privacy Act as amended by the California Privacy Rights Act:

Categories of Personal Information collected: Identifiers (name, email, IP address); commercial information (subscription and payment records); internet or electronic network activity (usage data, telemetry, security logs); professional or employment-related information (organisation name, if provided).

Business or commercial purpose for collection: as described in Section 4 of this policy.

Categories of third parties with whom we share Personal Information: service providers (cloud infrastructure, payment processors, support tools) as described in Section 5.

Sale or sharing: We do not "sell" or "share" your Personal Information as those terms are defined under the CCPA/CPRA. We have not sold or shared Personal Information in the preceding 12 months.

Your California rights:

Right to know: You may request that we disclose the categories and specific pieces of Personal Information we have collected about you.
Right to delete: You may request deletion of your Personal Information, subject to statutory exceptions.
Right to correct: You may request correction of inaccurate Personal Information.
Right to opt out of sale/sharing: Not applicable, as we do not sell or share your data.
Right to non-discrimination: We will not discriminate against you for exercising your CCPA rights.

To exercise these rights, email privacy@lineman.dev.

10.2 Brazil (LGPD)

If you are located in Brazil, the Lei Geral de Protecao de Dados (LGPD) provides you with additional rights:

Lawful bases: We rely on the performance of contract, legitimate interests, and consent (where applicable), which correspond to the bases set out in LGPD Article 7.

Your LGPD rights include: confirmation of the existence of processing; access to your data; correction of incomplete, inaccurate, or outdated data; anonymisation, blocking, or deletion of unnecessary or excessive data; data portability; deletion of data processed with consent; information about public and private entities with which we share data; information about the possibility of denying consent and the consequences; and revocation of consent.

To exercise your rights under the LGPD, email privacy@lineman.dev.

10.3 Other jurisdictions

Where mandatory local law in your jurisdiction provides data protection rights that are stronger than those set out in this policy, those rights are preserved and prevail to the extent of any inconsistency. This includes, without limitation, rights under the EU General Data Protection Regulation (where applicable), the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), and other applicable data protection legislation.

11. Children's Privacy

The Service is intended for users aged 18 and over. We do not knowingly collect Personal Data from anyone under the age of 18. If we become aware that we have collected Personal Data from a child under 18, we will take steps to delete that data promptly.

If you believe that a child under 18 has provided Personal Data to us, please contact us immediately at privacy@lineman.dev.

12. Data Security

We implement appropriate technical and organisational measures to protect your Personal Data against unauthorised access, alteration, disclosure, or destruction. These measures include:

Encryption of data in transit (TLS) and at rest
Access controls limiting data access to authorised personnel on a need-to-know basis
Regular security assessments and monitoring
Incident response procedures

No method of transmission over the internet or electronic storage is completely secure. While we take reasonable steps to protect your data, we cannot guarantee absolute security.

12.1 Breach notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO without undue delay and, where required, within 72 hours of becoming aware of the breach. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law.

Material changes: We will provide at least 30 days' notice of material changes by email to the address associated with your account or by prominent notice within the Service.
Non-material changes: Minor updates (e.g. formatting, clarifications that do not affect your rights) will be posted on our website with an updated "Last updated" date.

Your continued use of the Service after a change takes effect constitutes your acceptance of the updated policy, subject to any legal requirement for fresh consent.

Previous versions of this policy are available on request by emailing privacy@lineman.dev.

14. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data protection rights, you can reach us at:

Goo Holdings Ltd (trading as "Lineman") Registered in England and Wales, company number 17141115 Registered office: 79 Shawclough Way, Greater Manchester, OL12 6DS, England

Privacy and data protection enquiries: privacy@lineman.dev
General support: support@lineman.dev
Legal enquiries: legal@lineman.dev

Data Protection Officer: Goo Holdings Ltd has assessed its processing activities and [has appointed / is not required under UK GDPR Article 37 to appoint] a Data Protection Officer. [If appointed: contact details.]

UK/EU representative for privacy matters: Where required by applicable data protection law, details of our UK or EU representative will be published here.

Supervisory authority: If you are not satisfied with our response to a privacy concern, you have the right to lodge a complaint with the ICO: