Privacy & data handling

What we store, how long, who we share it with — and what we explicitly don't store.

DevUpdate.io is a developer tool, so the trust bar is high. This page lists what we keep, what we don't, and the third parties involved.

What we store

  • Account data: email, hashed password (or OAuth identity), display name, timezone, digest preferences.
  • Source list: the GitHub URLs and vendor URLs you've added as tracked sources.
  • Lockfile snapshots: package names and versions extracted from uploaded lockfiles. The original file is not retained.
  • Release analysis output: summaries, risk scores, and detected changes for each release we've processed. Cached so we don't re-bill the AI for the same diff twice.
  • Billing data: subscription tier, billing cadence, invoice history.

What we don't store

  • Lockfile raw bytes. Parsed and discarded; only package + version pairs persist.
  • Source code. We never clone repositories. Diff analysis goes through GitHub's compare API and the result is summarized; the raw diff is not stored.
  • OAuth tokens beyond what we need. We hold the minimum scope required to identify you (email, basic profile). We do not request repository access — public-only data goes through the GitHub API unauthenticated.

Third parties

| Service | What they see |
|---|---|
| OpenAI (LLM) | Diff text + release notes for analysis. Not used for training per OpenAI's API terms. |
| AWS SES | Outbound email (digests, transactional). |
| AWS S3 | Encrypted backups of analysis output. |
| PayPro Global | Billing details (name, billing address, payment method). |
| PostHog | Anonymized product analytics: page views, feature usage. No PII beyond your account ID. |

Retention

  • Active accounts: all data retained.
  • Closed accounts: see Account → Deletion. Account deletion is self-serve and removes personal data within 30 days, with cryptographic confirmation.

Data export

You can export a JSON dump of your account data (sources, lockfiles, analysis history, billing) on request. Email info@devupdate.io from your account address — it's a manual job today, not yet self-serve.