Privacy Policy

Introduction

DevUpdate.io ("we," "us," or "our") operates devupdate.io. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our dependency tracking service. We are committed to protecting your privacy and handling your data in accordance with GDPR and other applicable data protection laws.

Information We Collect

Account Information

When you create an account, we collect:

• Username
• Email address
• Password (encrypted using bcrypt hashing) — not collected if you sign in only via Google or GitHub
• Timezone (used to schedule digest delivery)
• Avatar URL (from your OAuth provider, if you sign in with Google or GitHub)
• Account creation and last update timestamps
• Email verification status
• Notification preferences (disabled, daily, weekly, or realtime) and digest schedule

Tracked Source Data

When you add tracked sources to monitor:

• Source URLs you choose to watch (GitHub repositories, VS Code Marketplace and Open VSX extensions, and other public release-notes pages)
• Source metadata (owner, name, last checked timestamps)
• Your update frequency preferences
• Release and version information from those publicly available sources

AI-Generated Analysis Data

Our AI analysis generates and stores:

• Release summaries (features, breaking changes, bug fixes, security updates)
• Risk scores (0-100) based on code analysis
• Code churn metrics (lines and files changed)
• Identified undocumented changes
• Per-source descriptions and meta-summaries derived from publicly available metadata about the source (these describe third-party projects, not users, and are visible on the public source explorer)
• Full release notes stored in AWS S3

Lockfile Data

When you upload lockfiles:

• Lockfile type (package-lock.json, yarn.lock, go.sum, etc.)
• Parsed dependency data (package names and versions)
• Lockfile hash for change detection
• Generated alerts about risky dependency updates
• Only parsed dependency data is retained — the original lockfile bytes are discarded after parsing

Technical Data

For security and functionality:

• JWT authentication tokens (access tokens expire after 24 hours, refresh tokens after 30 days)
• Email verification and password reset tokens (temporary, with expiration)
• Session data (IP address, user agent, active sessions for security monitoring)
• Session idle timeout: sessions are signed out after 30 minutes of inactivity
• Each account is limited to a maximum of 3 concurrent active sessions; the oldest session is invalidated when a 4th sign-in occurs
• Theme preference (stored in browser local storage only)

Billing and Usage Data

When you subscribe to a paid plan or consume AI credits:

• Subscription tier, billing interval, status, and PayPro Global subscription, customer, and order identifiers
• AI usage events — operation type (digest, release-intelligence summary), prompt and completion token counts, and credits consumed — recorded per user for metering and overage calculation
• Wallet balance and ledger entries (top-ups and any auto-recharge events you have enabled)
• Auto-recharge configuration (your chosen threshold, target, last-charged timestamp, and consecutive-failure count) if you have opted in
• Withdrawal-waiver consent record (timestamp, IP address, and terms version) captured at checkout for EU Consumer Rights Directive §16(m) compliance
• Refund audit fields (refund amount, credits used at the time of refund, refund ratio) if a refund is issued

Programmatic Access (API Tokens & MCP Server)

If you use the programmatic-access features:

• API tokens are user-generated for programmatic access; we store only a SHA-256 hash and the creation timestamp — the raw token is shown to you once and is never stored or recoverable on our side. A token authenticates as you and carries your account's permissions, so treat it like a password; revoking it from Settings invalidates it immediately
• The MCP server (available on Professional and Team tiers) exposes your tracked sources, release summaries, and risk data over the Model Context Protocol — via our hosted endpoint at api.devupdate.io/mcp or a self-run server — authenticated by your API token or an OAuth grant
• When you authorize an AI client via OAuth (the hosted MCP server's consent flow), we store the client's self-registered metadata (name, redirect URLs), the scopes you approved, SHA-256 hashes of the issued access and refresh tokens (never the raw values), and created/last-used timestamps. Each authorization and revocation is recorded in the security audit log. You can revoke any connected client at any time from Settings → Connected AI Clients, which invalidates its tokens immediately
• Requests made by a connected AI client are processed as requests made by you; the data such a client receives is then governed by that client's own privacy terms — review them before approving access

Team and Collaboration Data

When you create or join a team, we collect:

• Team name and team ID
• Your role within the team (Owner, Admin, or Member)
• Team membership information (which users are in your team)
• Team invitation data (email addresses invited, invitation status, role assignments)
• Team action logs (who invited whom, role changes, member additions/removals, ownership transfers)
• Timestamps for all team-related activities

How We Use Your Information

We use your information to:

• Provide and maintain the DevUpdate.io service
• Authenticate your account and secure access
• Monitor the tracked sources you've chosen to watch
• Analyze git diffs and generate release summaries and risk scores
• Deliver live updates over a persistent server-sent-events connection from your browser to our servers. We use this channel to push subscription status changes (e.g. when your payment is finalized) and new release announcements for the sources you track, so you don't have to refresh the page. The connection authenticates with the same token as ordinary API requests; no new credentials or cookies are created.
• Send email notifications about source updates (based on your preferences)
• Send transactional emails (account verification, password reset, account deletion confirmations, team invitations)
• Detect and alert you about risky dependency updates in your lockfiles
• Manage team access control and enforce role-based permissions
• Facilitate team collaboration and member management
• Send team invitation emails and notifications
• Track team membership changes for security, billing, and audit purposes
• Improve our AI analysis and service quality
• Respond to your support requests
• Comply with legal obligations

Third-Party Services

We use the following third-party services to operate DevUpdate.io:

Data Sharing Within Teams

When you create or join a team subscription, certain information is shared with other team members to enable collaboration and team management.

Information Visible to All Team Members

All team members (including regular members) can see:

• Usernames and email addresses of all team members
• Roles of all team members (Owner, Admin, or Member)
• Team name and basic team information
• Team size and available seats

Information Visible to Team Admins and Owners

Team admins and owners have additional visibility into:

• Pending team invitations (email addresses and assigned roles)
• Team subscription details and seat usage
• Full list of team members with management capabilities

Data Not Shared Within Teams

Your personal data remains private. Team members cannot see:

• Your password or authentication tokens
• Your individual tracked sources or lockfiles (unless separately shared)
• Your notification preferences
• Your account creation date or activity history
• Your IP address or session information

Public Shared Release Links

You can create a link that lets anyone view a single release summary without a DevUpdate.io account. This is an action you choose to take — no release summary is made public unless you generate a link for it.

• Anyone with the link can view that one release summary. The link uses an unguessable random token and is not indexed by search engines.
• Each link expires automatically 7 days after creation and can be revoked by you at any time.
• We record a count of how many times a shared link is opened. These access counts are anonymous — we do not store the identity or personal data of people who open a shared link.
• The public page shows only the release summary content. It does not reveal your username, email address, or other personal account information.

Cookies and Tracking

We use cookies for essential functionality and analytics (with your consent):

Essential Cookies (Always Active)

• Authentication Cookie: NextAuth.js session cookie to maintain your login state (essential for service functionality)
• Theme Preference: Stored in browser local storage only (not a cookie)
• Cookie Consent Preference: Remembers your cookie consent choice

When you're signed in, we maintain a persistent server-sent-events connection from your browser to deliver live updates (subscription status, release announcements). This stream uses the same NextAuth session token as the rest of the site; no additional cookies are introduced.

Analytics Cookies (Optional - Requires Consent)

With your consent, we use PostHog for analytics to understand how you use our service and improve your experience:

• PostHog Session Cookie: Tracks your session to understand user behavior and feature usage
• Data Collected: Page views, button clicks, feature usage, session duration, and technical information (browser, device type, general location)
• Privacy-First: All analytics data is hosted in the EU, never shared with third parties, and only used to improve DevUpdate.io

We do not use advertising cookies or third-party tracking for marketing. We do not sell or share your personal data with advertisers.

Data Retention

We retain your data for as long as your account is active. When you delete your account:

• All account information is permanently deleted
• Tracked sources and monitoring preferences are removed
• Uploaded lockfiles and associated alerts are deleted
• Generated analysis data linked to your account is removed
• S3-stored data (lockfiles, release notes) is deleted

Temporary tokens (email verification, password reset) are automatically deleted upon expiration or use.

Unverified accounts: Accounts created with email and password that do not complete email verification within 7 days of signup are automatically deleted. We send a reminder email around day 4 of that window. During this window we store only the email address, username, password hash, and a hashed verification token. No other personal data is collected before verification.

Inactive verified accounts: Verified free-tier accounts that have never added a tracked source and never connected a lockfile are automatically deleted 30 days after signup. We send up to five reminder emails over the preceding 27 days, the last of which is an explicit deletion warning. Accounts on a paid subscription and accounts that have joined a team are excluded from this sweep. After deletion we send a final notification email to the address on file, and the row is removed from production storage along with sessions and OAuth links.

Billing-record retention obligation: Some billing records — including subscription history, order records, withdrawal-waiver consent, and wallet ledger entries — may be retained for up to 10 years after account deletion to comply with German commercial and tax-law retention obligations (§147 AO, §257 HGB). These retained records are reduced to the minimum required by law and contain no source data, no analysis output, and no profile data beyond what the invoice and audit trail require.

Your Rights (GDPR)

Under GDPR and other data protection laws, you have the following rights:

• Right to Access: Request a copy of your personal data
• Right to Rectification: Correct inaccurate or incomplete data
• Right to Erasure: Delete your account and all associated data via settings
• Right to Restrict Processing: Limit how we process your data
• Right to Data Portability: Request a JSON export of your account data (sources, lockfiles, analysis history, billing) by emailing info@devupdate.io. Today this is fulfilled manually within a reasonable timeframe; a self-serve export is on our roadmap.
• Right to Object: Object to certain types of processing
• Right to Withdraw Consent: Withdraw consent at any time

To exercise these rights, contact us at info@devupdate.io.

Data Security

We implement industry-standard security measures:

• All data transmitted over HTTPS (TLS encryption)
• Passwords hashed using bcrypt
• JWT tokens for secure authentication with automatic expiration
• Email verification required for account creation and sensitive actions
• AWS infrastructure with security best practices
• Regular security updates and monitoring

While we take reasonable measures to protect your data, no internet transmission is 100% secure. We cannot guarantee absolute security.

International Data Transfers

Your data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States (AWS infrastructure, OpenAI processing). These transfers are protected by appropriate safeguards such as Standard Contractual Clauses and compliance with GDPR requirements.

Children's Privacy

DevUpdate.io is not intended for users under 16 years of age. We do not knowingly collect personal information from children. If you believe we have collected data from a child, please contact us immediately.

Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last updated" date. Continued use of DevUpdate.io after changes constitutes acceptance of the updated policy.

Contact Us

If you have questions about this Privacy Policy or how we handle your data, contact us: