Privacy Policy
Your data belongs to you. Here’s how we handle it.
Overview
Redshift is a workflow hub for developers that combines local-first design with optional cloud sync. We believe your data belongs to you, and we've built our app to reflect that principle. This Privacy Policy explains what data we collect, how we use it, and your rights regarding your information.
Data We Collect
1. Local-Only Data
The following data is stored exclusively on your device and never transmitted to our servers:
Location: ~/Library/Application Support/Redshift/
2. Backend-Synced Data
The following data is synced to our backend servers to enable cross-device sync and team collaboration:
Account information: GitHub username, email, avatar URL
Workspace data: Team name, members, roles, settings, billing info
Notes & Todos: Personal notes and todos (synced across your devices)
Pre-PRs: Draft pull requests, descriptions, comments, line-level feedback
Automation rules: Workflow signals, rules, alert configurations
Notifications: Workspace invites, team assignments, alerts
Usage data: AI token consumption, feature usage for billing
This data is encrypted in transit (TLS 1.3) and stored securely in our PostgreSQL database.
3. Third-Party Integration Data
When you connect external services, we process the following data:
GitHub: Repository metadata, PRs, issues, commits, branches (via OAuth)
OAuth tokens are encrypted with AES-256-CBC and stored securely. We only access your third-party data when you explicitly use features that require it.
How We Use Your Data
We use collected data for the following purposes:
Service delivery: Provide workflow automation, sync, and collaboration features
Account management: Authenticate users, manage workspaces, enforce access controls
Billing: Process payments, track usage, enforce plan limits
Feature improvements: Analyze usage patterns to improve the product
Support: Respond to customer inquiries and troubleshoot issues
Security: Detect and prevent fraud, abuse, and security incidents
Legal basis (GDPR): Legitimate interest for service delivery, contractual necessity for billing, and your consent for optional features (AI, integrations).
Data Sharing & Third Parties
We share data with the following third-party service providers (subprocessors):
| Service | Purpose | Certification |
|---|---|---|
| GitHub | Source control (when you connect) | SOC 2 Type II |
| Cloudinary | Workspace logos (optional) | ISO 27001 |
See our complete list of subprocessors for detailed information and privacy policy links.
We will never:
Data Retention
Active data: Retained while your account is active and for 90 days after subscription cancellation.
Soft-deleted items (notes/todos): 30 days before permanent deletion.
Event logs and alerts: 7 days (Free plan), 30 days (Enterprise plan).
Session tokens: Auto-expire after 30 days.
AI usage logs: 90-day rolling window for billing purposes.
Billing records: Retained for 7 years for legal compliance (tax, auditing).
Security
We protect your data with enterprise-grade security:
Encryption at rest: AES-256-CBC for OAuth tokens and API keys
Encryption in transit: TLS 1.3 for all API communications
Access controls: Role-based permissions, session authentication
Infrastructure: Firebase (Google Cloud), SOC 2 Type II certified
Monitoring: 24/7 security monitoring and incident response
For complete security details, see our Security Overview.
Your Rights (GDPR & CCPA)
You have the following rights regarding your personal data:
Right to Access — Request a copy of all personal data we hold about you.
Right to Rectification — Correct inaccurate data (most editable directly in the app).
Right to Erasure ("Right to be Forgotten") — Request deletion of all your personal data. We will comply within 30 days.
Right to Data Portability — Receive your data in JSON format for transfer to another service.
Right to Object — Object to processing for specific purposes (e.g., disable AI features).
Right to Restriction — Request temporary suspension of data processing.
How to Exercise Your Rights
To exercise any of these rights, email us at hello@redshifthub.com
We will respond within 30 days of receiving your request. Identity verification may be required to protect your privacy.
International Data Transfers
Redshift is operated from the United States, and your data is processed and stored on servers located in the United States.
For users in the EU/EEA: We rely on the EU-US Data Privacy Framework and Standard Contractual Clauses (SCCs) to ensure adequate protection for international data transfers.
Enterprise customers can execute our Data Processing Agreement (DPA) for additional GDPR safeguards.
Children's Privacy
Redshift is not intended for use by individuals under the age of 13 (or 16 in the EU). We do not knowingly collect personal data from children. If you believe we have inadvertently collected such data, please contact us immediately at hello@redshifthub.com.
Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email to workspace owners and posted on this page with an updated "Last updated" date. Continued use of Redshift after changes constitutes acceptance of the updated policy.
Contact Us
For privacy-related questions, data requests, or concerns, please contact us:
Redshift Privacy Team
Email: hello@redshifthub.com
We typically respond within 2 business days.