Deploy Gate Privacy Policy

Last updated: February 2025

Overview

The HAP Deploy Gate service is a merge-blocking check that enables cryptographic attestations for GitHub Pull Requests. This privacy policy explains what data we collect, how we use it, and your rights.

Data We Collect

When you use the HAP Deploy Gate GitHub App, we collect and store:

• Repository information: Owner name, repository name
• Pull Request metadata: PR number, commit SHA
• Attestation data: Domain (role), frame hash, execution context hash, timestamps
• Cryptographic signatures: Ed25519 signatures of attestation payloads

Data We Do NOT Collect

• Source code or diff content
• Personal information beyond GitHub usernames visible in repository metadata
• Problem, objective, or tradeoff text you enter (this stays in your browser and is hashed)
• Browsing behavior or analytics

How We Use Your Data

Attestation data is used solely to:

• Verify that required attestations exist for a given commit
• Update GitHub PR check statuses
• Determine if all required domains have attested

Data Retention

Attestation data is stored with a Time-To-Live (TTL) of 1 hour from creation. After this period, attestations expire and are no longer valid. Expired data may be retained for audit purposes but is not used for verification.

Data Storage

Attestation data is stored on Vercel KV (Redis), a managed database service. Data is stored in data centers located in the United States. We do not share attestation data with third parties except as required to operate the service (Vercel infrastructure).

Your Rights

Under GDPR and similar regulations, you have the right to:

• Request access to your data
• Request deletion of your data
• Uninstall the GitHub App at any time to stop future data collection

GitHub Permissions

The GitHub App requests these permissions:

• Checks (read/write): To create and update PR check statuses
• Contents (read): To read the .hap/decision.json file
• Pull requests (read): To receive webhook events when PRs are opened/updated
• Metadata (read): Required for basic repository access

Open Source

The HAP Deploy Gate is open source. You can review exactly what data is collected and how it's processed in the source code.

Contact

For privacy inquiries, contact: andreas.schadauer@gmail.com

Impressum / Legal Notice