Privacy Policy

Last updated: February 22, 2026

DevSignal ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our development activity reporting service.

1. Information We Collect

1.1 Account Information

When you sign up for DevSignal, we collect:

• GitHub username and email address (via GitHub OAuth)
• GitHub organization memberships
• Session identifier

1.2 GitHub Activity Metadata

When you generate reports, we access the following metadata from your GitHub account:

• Pull request titles, descriptions, and status
• Commit messages and metadata
• Code review comments and status
• Issue titles, descriptions, and status

Important: We do not access, read, store, or analyze your actual source code. We only process activity metadata — information about what was done, not the code itself.

1.3 Usage Data

We collect limited usage data to improve our service:

• Token consumption per report
• Report generation timestamps
• Feature usage patterns (anonymized)

2. How We Use Your Information

We use the information we collect to:

• Generate development activity reports based on your GitHub data
• Authenticate your identity and maintain your session
• Track and manage your token usage and quota
• Improve and optimize our service
• Communicate with you about your account and service updates

3. Data Storage and Retention

3.1 Report Content

Generated reports are stored in your workspace and are accessible only to you and members of your workspace. Reports are retained until you delete them or close your account.

3.2 GitHub Data

GitHub activity metadata is fetched in real-time when generating reports and is not permanently stored beyond the generated report content. Raw GitHub data is processed in memory and discarded after report generation.

3.3 Authentication Tokens

Your GitHub access token is stored as a secure, httpOnly cookie with an 8-hour expiry. It is never exposed to client-side JavaScript or stored in our database. When the token expires, you are prompted to re-authenticate.

4. AI Processing

We use Anthropic's Claude AI to analyze your GitHub activity metadata and generate reports. When processing your data:

• Only activity metadata (not source code) is sent to the AI model
• Your data is not used to train AI models
• AI processing occurs on-demand and data is not retained by the AI provider after processing
• Reports are generated in real-time and are unique to each request

5. Data Sharing

We do not sell, trade, or rent your personal information. We may share your information only in the following circumstances:

• Service Providers: We use third-party services (Supabase for authentication and database, Anthropic for AI processing, Vercel for hosting) that process data on our behalf under strict data protection agreements.
• Legal Requirements: We may disclose your information if required by law, regulation, legal process, or governmental request.
• Business Transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction.

6. Data Security

We implement appropriate technical and organizational measures to protect your information, including:

• Row-level security (RLS) ensuring multi-tenant data isolation
• Secure, httpOnly cookies for authentication tokens
• HTTPS encryption for all data in transit
• No client-side exposure of sensitive credentials
• Regular security reviews and updates

7. Your Rights

You have the following rights regarding your data:

• Access: You can request a copy of the data we hold about you.
• Deletion: You can request deletion of your account and all associated data.
• Portability: You can export your generated reports at any time.
• Revoke Access: You can revoke DevSignal's access to your GitHub account at any time through your GitHub settings.

8. Cookies

We use only essential cookies required for the service to function:

• Authentication session cookie: Maintains your logged-in state
• GitHub token cookie: Secure, httpOnly cookie for GitHub API access (8-hour expiry)

We do not use tracking cookies, advertising cookies, or third-party analytics cookies.

9. Children's Privacy

DevSignal is not intended for use by anyone under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have collected personal information from a child under 13, we will take steps to delete that information.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Last updated" date. Your continued use of the service after any changes constitutes acceptance of the updated policy.

11. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us at:

hello@devsignal.app