Privacy Policy

CalloutPay is a web application that helps on-call teams generate accurate monthly pay reports from PagerDuty data. We are operated by LI Ltd, registered in England and Wales.

If you have questions about this policy, contact us at support@calloutpay.com.

When you create an account or use CalloutPay, we may collect:

• Your email address and hashed password (for authentication)
• Subscription and billing status (via our payment processor)
• Report generation activity (dates, not content) for service improvement
• Basic browser and device information for error logging

CalloutPay connects to PagerDuty via OAuth (recommended) or, optionally, a manual Read-only API key. In both cases the access token is used only to fetch on-call and incident data for the report you are generating.

Tokens are encrypted at rest using AES-128 (Fernet) before being stored against your account, so we can use them on your behalf without you needing to paste them every time. The encryption key is held server-side and never sent to the browser. Tokens are never returned to the browser in plaintext, never written to log files, and never included in exported spreadsheets.

You can revoke a stored OAuth token at any time by clicking Disconnecton the report page or in your account settings — this deletes the encrypted token from our records. You can also revoke access from your PagerDuty account's authorised applications list.

On-call schedule data fetched from PagerDuty is processed in memory to produce your report and is not persisted after the report is delivered. We do not store, analyse, or share your on-call or incident data.

• To provide and maintain your CalloutPay subscription
• To process payments via our payment processor (Stripe)
• To send transactional emails (account creation, billing receipts)
• To investigate errors and improve reliability

We do not sell your data to third parties. We do not use your data for advertising.

Account data is retained for as long as your account is active. If you close your account, we will delete or anonymise your personal data within 30 days, except where we are required to retain records for legal or financial compliance.

We use the following third-party services to operate CalloutPay:

• Stripe — payment processing. Stripe handles card data; we never see or store card numbers.
• PagerDuty — schedule and incident data is fetched on your behalf using the OAuth access token (or manual API key) you have authorised. The token is stored encrypted at rest.

Under UK GDPR you have the right to access, correct, or delete the personal data we hold about you, and to object to or restrict processing. To exercise any of these rights, contact us at support@calloutpay.com.

CalloutPay uses a session cookie to keep you logged in. We do not use tracking, analytics, or advertising cookies.

We may update this policy from time to time. If changes are material, we will notify you by email or via a notice on the site before the change takes effect.