Privacy Policy
Last updated: 9 June 2026
This Privacy Policy explains how PullNotifier ("PullNotifier", "we", "us") collects, uses, and protects personal data when you use our service. PullNotifier delivers GitHub pull-request notifications and daily reports into Slack.
We are committed to processing personal data lawfully under the EU General Data Protection Regulation (GDPR) and applicable UAE data-protection law. All personal data is stored in the European Union.
1. Who is responsible for your data (Data Controller)
The data controller is Kaustav Chakraborty, operating PullNotifier as an individual.
- Contact: support@progresify.dev
We do not maintain a public postal address. Please direct all privacy enquiries to the email above.
2. EU Representative
PullNotifier is operated from outside the European Union. An EU representative under Article 27 GDPR will be appointed upon our public launch to EU users. Until then, you may contact us directly at support@progresify.dev for any matter you would otherwise raise with a representative.
3. Personal data we collect
We collect only what we need to operate the service:
| Category | Examples | Source |
|---|---|---|
| GitHub identity | GitHub username, numeric user ID, profile email (used to link identities) | GitHub OAuth / webhooks |
| Slack identity | Slack user ID, workspace (team) ID | Slack OAuth |
| Integration credentials | Slack bot token (stored encrypted at rest) | Slack OAuth |
| Workspace configuration | Teams, channel routing, report schedules | You |
| Product analytics | Pseudonymous usage and funnel events | Our website/app (cookieless) |
| Session recordings | Screen + click recordings of the onboarding flow only; all form inputs are masked | Our website/app (onboarding pages only) |
| Support correspondence | Email content you send us | You |
| Abuse-prevention signals | One-way hashes of identifiers (see §8) | Derived on account deletion |
We do not collect special-category data, and we do not sell personal data.
4. Why we process it, and our lawful basis
| Purpose | Lawful basis (GDPR Art 6) |
|---|---|
| Provide the notification/report service you signed up for | Performance of a contract (Art 6(1)(b)) |
| Link GitHub identities to Slack users for @mentions | Performance of a contract (Art 6(1)(b)) |
| Product analytics and session recordings (onboarding funnel) to improve the service | Legitimate interests (Art 6(1)(f)) |
| Security, abuse and fraud prevention | Legitimate interests (Art 6(1)(f); see Recital 47) |
| Responding to your support requests | Legitimate interests / contract |
Where we rely on legitimate interests, we have balanced those interests against your rights and use the minimum data necessary.
5. Sub-processors
We use the following third parties to operate the service. Each processes personal data only on our instructions under a data-processing agreement.
| Sub-processor | Purpose | Region |
|---|---|---|
| Supabase | Application database | EU |
| Railway | Application/API hosting | EU (Frankfurt) |
| Vercel | Website & app hosting | EU (Frankfurt) |
| Cloudflare R2 | Encrypted backups | EU |
| PostHog | Product analytics | EU |
| Sentry | Error and performance monitoring | EU |
| Resend | Transactional email | United States |
| Zoho Mail | Support inbox | EU |
| Slack | Message delivery to your workspace | Per Slack |
| GitHub | Source of pull-request data | Per GitHub |
| Doppler | Configuration & secrets management (no personal data) | United States |
6. International transfers
Personal data is stored in the EU. Two providers process limited data in the United States:
- Resend (transactional email) processes recipient email addresses and message content in the US under Standard Contractual Clauses (SCCs).
- Doppler holds configuration and encryption keys only — no personal data.
7. How long we keep data
| Data | Retention |
|---|---|
| Account & workspace data | Until you delete your account |
| Webhook/delivery logs | 30–90 days |
| Error monitoring (Sentry) | ~90 days |
| Product analytics (PostHog) | 12 months |
| Backups | 14–30 days (rolling) |
| Support correspondence | 24 months after resolution |
| Abuse-prevention hashes | 24 months |
8. Your rights, and how account deletion works
Under the GDPR you have the right to access, rectify, export, restrict, object to, and erase your personal data. To exercise any right, email support@progresify.dev; we respond within 30 days.
How we erase your data. On deletion we irreversibly anonymise the personal-data fields in our records (your email, GitHub username, and display name are overwritten and cannot be recovered) and permanently delete integration credentials such as Slack tokens. We keep no key that could re-identify you. We instruct our sub-processors (e.g. PostHog) to delete your data. Personal data contained in encrypted backups is not individually edited; it is purged automatically as backups age out within 14–30 days, and any restored backup re-applies pending deletions.
Abuse prevention. To prevent banned or fraudulent accounts from re-registering, we retain one-way cryptographic hashes of your GitHub user ID and email address for 24 months after deletion. These hashes cannot be reversed to reveal your identity; they are used only to detect a repeat sign-up. This processing relies on our legitimate interest in preventing fraud and abuse (GDPR Recital 47).
You also have the right to lodge a complaint with a supervisory authority.
9. Cookies and session recordings
We use only strictly necessary cookies (for authentication and session management). Our product analytics run cookieless and set no tracking cookies.
We record screen sessions on the onboarding flow only (the setup wizard you see after signing up) to understand where users get stuck. All form inputs are masked before transmission — we never capture passwords, tokens, or text you type. These recordings are processed by PostHog on EU infrastructure and are retained for 12 months. No cookies are set for this purpose.
Because we set no non-essential cookies, we do not display a cookie-consent banner. See our Cookie Policy.
10. Security
We encrypt integration tokens at rest, isolate each customer's data with row-level security, restrict access on a least-privilege basis, and keep encrypted backups. No system is perfectly secure, but we work to protect your data and will notify you of a qualifying breach as required by law.
11. Children
PullNotifier is a tool for software teams and is not directed to children under 16. We do not knowingly collect their data.
12. Changes
We may update this policy. Material changes will be reflected by the "Last updated" date above and, where appropriate, communicated to you.
13. Contact
Questions about this policy or your data: support@progresify.dev.