Privacy Policy

How we collect, use, and protect your data

Last updated: January 5, 2026

Introduction

DevUpdate.io ("we," "us," or "our") operates devupdate.io. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our dependency intelligence platform. We are committed to protecting your privacy and handling your data in accordance with GDPR and other applicable data protection laws.

Information We Collect

Account Information

When you create an account, we collect:

  • Username
  • Email address
  • Password (hashed using bcrypt)
  • Account creation and last update timestamps
  • Email verification status
  • Notification preferences (disabled, daily, weekly, or realtime)

Repository Monitoring Data

When you add repositories to monitor:

  • GitHub repository URLs you choose to watch
  • Repository metadata (owner, name, last checked timestamps)
  • Your update frequency preferences
  • Release information from public GitHub repositories

AI-Generated Analysis Data

Our AI analysis generates and stores:

  • Release summaries (features, breaking changes, bug fixes, security updates)
  • Risk scores (0-100) based on code analysis
  • Code churn metrics (lines and files changed)
  • Identified undocumented changes
  • Full release notes stored in AWS S3

Lockfile Data

When you upload lockfiles:

  • Lockfile type (package-lock.json, yarn.lock, go.sum, etc.)
  • Parsed dependency data (package names and versions)
  • Lockfile hash for change detection
  • Generated alerts about risky dependency updates
  • Raw lockfiles optionally stored in AWS S3 for audit purposes

Technical Data

For security and functionality:

  • JWT authentication tokens (access tokens expire after 8 days, refresh tokens after 30 days)
  • Email verification and password reset tokens (temporary, with expiration)
  • Session data (IP address, user agent, active sessions for security monitoring)
  • Theme preference (stored in browser local storage only)

Team and Collaboration Data

When you create or join a team, we collect:

  • Team name and team ID
  • Your role within the team (Owner, Admin, or Member)
  • Team membership information (which users are in your team)
  • Team invitation data (email addresses invited, invitation status, role assignments)
  • Team action logs (who invited whom, role changes, member additions/removals, ownership transfers)
  • Timestamps for all team-related activities

How We Use Your Information

We use your information to:

  • Provide and maintain the DevUpdate.io service
  • Authenticate your account and secure access
  • Monitor GitHub repositories you've chosen to watch
  • Analyze git diffs and generate dependency intelligence
  • Send email notifications about repository updates (based on your preferences)
  • Send transactional emails (account verification, password reset, account deletion confirmations, team invitations)
  • Detect and alert you about risky dependency updates in your lockfiles
  • Manage team access control and enforce role-based permissions
  • Facilitate team collaboration and member management
  • Send team invitation emails and notifications
  • Track team membership changes for security, billing, and audit purposes
  • Improve our AI analysis and service quality
  • Respond to your support requests
  • Comply with legal obligations

Third-Party Services

We use the following third-party services to operate DevUpdate.io:

PostHog (Analytics)

With your consent, we use PostHog for product analytics. PostHog helps us understand how you use DevUpdate.io so we can improve your experience. All analytics data is hosted on PostHog's EU servers (eu.posthog.com) and is never shared with third parties or used for advertising. We collect anonymized usage data including page views, feature interactions, and session information. You can opt out of analytics tracking at any time. PostHog's data processing is governed by their Privacy Policy.

OpenAI

We send git diffs and release notes to OpenAI's API for analysis. This data is from public GitHub repositories only and is processed to generate summaries and detect breaking changes. OpenAI's data processing is governed by their Privacy Policy.

GitHub API

We access public repository information, releases, and git diffs through GitHub's API. We do not access private repositories unless you explicitly grant access in a future OAuth integration.

Amazon Web Services (AWS)

We use AWS infrastructure to host and operate our service:

  • AWS SES: Sends transactional and notification emails
  • AWS S3: Stores lockfiles and full release notes
  • AWS RDS: PostgreSQL database hosting
  • AWS ECS Fargate: Application hosting
  • AWS CloudFront: Content delivery

All AWS services are configured in accordance with their Privacy Notice.

Data Sharing Within Teams

When you create or join a team subscription, certain information is shared with other team members to enable collaboration and team management.

Information Visible to All Team Members

All team members (including regular members) can see:

  • Usernames and email addresses of all team members
  • Roles of all team members (Owner, Admin, or Member)
  • Team name and basic team information
  • Team size and available seats

Information Visible to Team Admins and Owners

Team admins and owners have additional visibility into:

  • Pending team invitations (email addresses and assigned roles)
  • Team subscription details and seat usage
  • Full list of team members with management capabilities

Data Not Shared Within Teams

Your personal data remains private. Team members cannot see:

  • Your password or authentication tokens
  • Your individual repositories or lockfiles (unless separately shared)
  • Your notification preferences
  • Your account creation date or activity history
  • Your IP address or session information

Important: By accepting a team invitation, you consent to sharing your username and email address with other team members. If you do not wish to share this information with the team, you should decline the invitation. You can leave a team at any time from your team settings, which will immediately stop sharing your information with team members.

Cookies and Tracking

We use cookies for essential functionality and analytics (with your consent):

Essential Cookies (Always Active)

  • Authentication Cookie: NextAuth.js session cookie to maintain your login state (essential for service functionality)
  • Theme Preference: Stored in browser local storage only (not a cookie)
  • Cookie Consent Preference: Remembers your cookie consent choice

Analytics Cookies (Optional - Requires Consent)

With your consent, we use PostHog for analytics to understand how you use our service and improve your experience:

  • PostHog Session Cookie: Tracks your session to understand user behavior and feature usage
  • Data Collected: Page views, button clicks, feature usage, session duration, and technical information (browser, device type, general location)
  • Privacy-First: All analytics data is hosted in the EU, never shared with third parties, and only used to improve DevUpdate.io

Your Choice: You can accept or reject analytics cookies via the cookie banner. You can change your preference at any time by clearing your browser's local storage or contacting us at info@devupdate.io. Rejecting analytics cookies will not affect core functionality.

We do not use advertising cookies or third-party tracking for marketing. We do not sell or share your personal data with advertisers.

Data Retention

We retain your data for as long as your account is active. When you delete your account:

  • All account information is permanently deleted
  • Watched repositories and monitoring preferences are removed
  • Uploaded lockfiles and associated alerts are deleted
  • Generated analysis data linked to your account is removed
  • S3-stored data (lockfiles, release notes) is deleted

Temporary tokens (email verification, password reset) are automatically deleted upon expiration or use.

Your Rights (GDPR)

Under GDPR and other data protection laws, you have the following rights:

  • Right to Access: Request a copy of your personal data
  • Right to Rectification: Correct inaccurate or incomplete data
  • Right to Erasure: Delete your account and all associated data via settings
  • Right to Restrict Processing: Limit how we process your data
  • Right to Data Portability: Receive your data in a structured format
  • Right to Object: Object to certain types of processing
  • Right to Withdraw Consent: Withdraw consent at any time

To exercise these rights, contact us at info@devupdate.io.

Data Security

We implement industry-standard security measures:

  • All data transmitted over HTTPS (TLS encryption)
  • Passwords hashed using bcrypt
  • JWT tokens for secure authentication with automatic expiration
  • Email verification required for account creation and sensitive actions
  • AWS infrastructure with security best practices
  • Regular security updates and monitoring

While we take reasonable measures to protect your data, no internet transmission is 100% secure. We cannot guarantee absolute security.

International Data Transfers

Your data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States (AWS infrastructure, OpenAI processing). These transfers are protected by appropriate safeguards such as Standard Contractual Clauses and compliance with GDPR requirements.

Children's Privacy

DevUpdate.io is not intended for users under 16 years of age. We do not knowingly collect personal information from children. If you believe we have collected data from a child, please contact us immediately.

Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last updated" date. Continued use of DevUpdate.io after changes constitutes acceptance of the updated policy.

Contact Us

If you have questions about this Privacy Policy or how we handle your data, contact us:

Jakob Maximilian Pelz

Olenhoffweg 1a, 21614 Buxtehude, Germany

Email: info@devupdate.io