How we collect, use, and protect your data
Last updated: June 10, 2026
DevUpdate.io ("we," "us," or "our") operates devupdate.io. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our dependency tracking service. We are committed to protecting your privacy and handling your data in accordance with GDPR and other applicable data protection laws.
When you create an account, we collect:
When you add tracked sources to monitor:
Our AI analysis generates and stores:
When you upload lockfiles:
For security and functionality:
When you subscribe to a paid plan or use AI-powered features:
If you use the programmatic-access features:
When you create or join a team, we collect:
We use your information to:
We use the following third-party services to operate DevUpdate.io:
With your consent, we use PostHog for product analytics. PostHog helps us understand how you use DevUpdate.io so we can improve your experience. All analytics data is hosted on PostHog's EU servers (eu.posthog.com) and is never shared with third parties or used for advertising. Events are pseudonymized by your account identifier rather than fully anonymized, meaning we can correlate events back to your account internally, but the data is never shared externally. Events include page views, feature interactions, and session information. You can opt out of analytics tracking at any time. PostHog's data processing is governed by their Privacy Policy.
We send git diffs, release notes, README and page excerpts, and similar publicly available content to OpenAI's API for analysis and summary generation. We may engage other LLM providers in the future; if we do, we will update this policy and, where required by law, notify affected users before the change takes effect. OpenAI's data processing is governed by their Privacy Policy.
Public data ingestion:We fetch public repository data (releases, diffs, and README excerpts) via GitHub's API.
Sign-in (DevUpdate.io GitHub App): If you sign in with GitHub, the DevUpdate.io GitHub App requests read-only access to your email addresses and to the contents and metadata of repositories you select, never write access. The consent screen explicitly lists those permissions. We receive your GitHub email address, username, and avatar URL, and a short-lived user-to-server access token (plus refresh token) we use to call GitHub on your behalf.
GitHub App install (required for private repos): Authorizing the App at sign-in is enough for public-repo features. To use private-repo features (private starred sync, private-repo source tracking, live lockfile sync from a private repo), install the same App on the owning user account or org and pick which repos it can see. The App stays read-only (contents + metadata only) regardless of which repos you grant. We use it to periodically fetch connected lockfile contents and run dependency change-detection. We store only the parsed dependency list (package names and versions), not the raw lockfile or any other repository contents. You control this access and can revoke or change install scope at any time from your GitHub settings.
GitHub starred-repository sync (optional):If you enable this feature, we store your GitHub username and periodically fetch your public starred repositories via GitHub's public API (/users/{username}/starred). We use the resulting repository URLs to create tracked sources on your behalf, and we deactivate tracked sources that you originally added through this feature when you un-star the corresponding repository. We do not access private stars, and we do not access any data beyond the public star list itself. You control the username and can clear it from your settings at any time.
When you track a VS Code extension, we make read-only requests to the public Visual Studio Marketplace and Open VSX Registry APIs to retrieve the extension's version history and changelogs. We send no authentication and access no editor, workspace, or account data. Extension metadata and changelog excerpts are publicly available content and are handled the same way as other non-GitHub release pages, including being sent to our AI provider for summary generation.
If you sign in with Google, we receive your Google account email, name, and profile picture. We request only the minimum OAuth scopes (openid, email, profile) needed for sign-in.
We use AWS infrastructure to host and operate our service:
All AWS services are configured in accordance with their Privacy Notice.
We use PayPro Global as our Merchant of Record for payment processing. When you subscribe to a paid plan, PayPro Global collects and processes:
PayPro Global handles all payment compliance, including VAT/sales tax calculation and collection. We receive webhook notifications about subscription events (creation, renewal, cancellation) but do not store your payment card details. PayPro Global's data processing is governed by their Privacy Policy.
When you create or join a team subscription, certain information is shared with other team members to enable collaboration and team management.
All team members (including regular members) can see:
Team admins and owners have additional visibility into:
Your personal data remains private. Team members cannot see:
Important: By accepting a team invitation, you consent to sharing your username and email address with other team members. If you do not wish to share this information with the team, you should decline the invitation. You can leave a team at any time from your team settings, which will immediately stop sharing your information with team members.
You can create a link that lets anyone view a single release summary without a DevUpdate.io account. This is an action you choose to take: no release summary is made public unless you generate a link for it.
We use cookies for essential functionality and analytics (with your consent):
When you're signed in, we maintain a persistent server-sent-events connection from your browser to deliver live updates (subscription status, release announcements). This stream uses the same NextAuth session token as the rest of the site; no additional cookies are introduced.
With your consent, we use PostHog for analytics to understand how you use our service and improve your experience:
Your Choice:You can accept or reject analytics cookies via the cookie banner. You can change your preference at any time by clearing your browser's local storage or contacting us at info@devupdate.io. Rejecting analytics cookies will not affect core functionality.
We do not use advertising cookies or third-party tracking for marketing. We do not sell or share your personal data with advertisers.
We retain your data for as long as your account is active. When you delete your account:
Temporary tokens (email verification, password reset) are automatically deleted upon expiration or use.
Unverified accounts: Accounts created with email and password that do not complete email verification within 7 days of signup are automatically deleted. We send a reminder email around day 4 of that window. During this window we store only the email address, username, password hash, and a hashed verification token. No other personal data is collected before verification.
Inactive verified accounts: Verified free-tier accounts that have never added a tracked source and never connected a lockfile are automatically deleted 30 days after signup. We send up to five reminder emails over the preceding 27 days, the last of which is an explicit deletion warning. Accounts on a paid subscription and accounts that have joined a team are excluded from this sweep. After deletion we send a final notification email to the address on file, and the row is removed from production storage along with sessions and OAuth links.
Billing-record retention obligation: Some billing records, including subscription history, order records, and withdrawal-waiver consent, may be retained for up to 10 years after account deletion to comply with German commercial and tax-law retention obligations (§147 AO, §257 HGB). These retained records are reduced to the minimum required by law and contain no source data, no analysis output, and no profile data beyond what the invoice and audit trail require.
Under GDPR and other data protection laws, you have the following rights:
To exercise these rights, contact us at info@devupdate.io.
We implement industry-standard security measures:
While we take reasonable measures to protect your data, no internet transmission is 100% secure. We cannot guarantee absolute security.
Your data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States (AWS infrastructure, OpenAI processing). These transfers are protected by appropriate safeguards such as Standard Contractual Clauses and compliance with GDPR requirements.
DevUpdate.io is not intended for users under 16 years of age. We do not knowingly collect personal information from children. If you believe we have collected data from a child, please contact us immediately.
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last updated" date. Continued use of DevUpdate.io after changes constitutes acceptance of the updated policy.
If you have questions about this Privacy Policy or how we handle your data, contact us: