Privacy Policy
Last updated: July 11, 2026
1. The short version
We collect the minimum needed to run a release control plane: your account details, the release metadata you publish, and anonymous device check-ins. Devices are identified by random UUIDs generated on the device - we never see your end users' names, emails or accounts. We don't sell data, run ads, or use third-party trackers.
2. What we collect from you (the developer)
Account: name, email, password hash (or GitHub OAuth identity). Operational: API keys (stored as SHA-256 hashes, shown once), webhook secrets, and an append-only audit log of actions in your account - including the acting user or key, IP address and user agent. Audit records exist for security and compliance and are retained even when the resources they describe are deleted.
3. What we collect from devices
When software you ship checks for updates, we record: the anonymous device UUID your app generates, the app and channel being asked about, reported version, platform and CPU architecture, and the timestamp. That's the fleet dataset that powers your dashboard. Device IP addresses are used transiently for rate limiting and are not stored in the fleet dataset. We have no way to connect a device UUID to a person.
4. Subprocessors
The Service runs on: Vercel (hosting and edge network), Supabase (Postgres database), and Upstash (Redis, rate limiting). Each processes data only to provide their infrastructure service. We'll keep this list updated as it changes.
5. Retention and deletion
Deleting an app removes its channels, releases, devices and check-ins. Deleting your account removes your personal data; audit logs are retained for up to one year for security purposes, then deleted. Backups age out on our database provider's schedule.
6. Your rights
Wherever you are, you can request access to, correction of, or deletion of your personal data by contacting us. If you're in the EEA/UK, this is how we honor GDPR access/rectification/erasure requests; the legal basis for processing is performance of contract (running the Service) and legitimate interest (security, audit).
7. Cookies
One session cookie, set on sign-in, to keep you signed in. No advertising or analytics cookies. That's why there's no cookie banner.
8. Changes and contact
Material changes to this policy will be announced via the dashboard or email. Privacy questions and data requests: support@relayerapp.com