Privacy Policy

Last updated: March 2026

1. Who We Are

CheckUpstream (“we”, “us”, “our”) is the data controller for personal data processed through this service. You can reach us at privacy@checkupstream.com.

2. Data We Collect

We collect the following categories of personal data:

  • Account data: email address, display name, and OAuth identity (GitHub or GitLab user ID) used for authentication.
  • Repository metadata: repository names, dependency manifest file contents (package.json, requirements.txt, Cargo.toml, go.mod, etc.), and branch information from repositories you explicitly connect. We do not store source code.
  • Telemetry data: if you install an SDK, we collect latency and error rate measurements for third-party API calls made from your production environment. No request payloads or response bodies are captured.
  • Usage data: pages visited, features used, and timestamps — used to improve the product.
  • Cookies and session tokens: a secure, HTTP-only session cookie is set on sign-in to maintain your authenticated session. No third-party advertising cookies are used.

3. Legal Bases for Processing

Where GDPR or equivalent law applies, we process your data under the following legal bases:

  • Contract performance — processing necessary to provide the service you signed up for (authentication, dependency scanning, alerting).
  • Legitimate interests — product analytics and security monitoring, balanced against your privacy interests.
  • Legal obligation — where we are required to retain records by law.

4. How We Use Your Data

  • To authenticate you and maintain your session.
  • To parse your dependency manifests, map them to upstream services, and monitor those services' status pages on your behalf.
  • To send alerts via the channels you configure (email, Slack, PagerDuty, etc.).
  • To aggregate anonymised incident signals across multiple organisations.
  • To detect abuse and ensure platform security.
  • To communicate service updates and changes to these policies.

We do not sell your data, share it with advertisers, or use it to train AI models.

5. Third-Party Processors

We share data only with sub-processors necessary to operate the service:

  • Turso / LibSQL — database hosting for your account and project data.
  • GitHub / GitLab — OAuth identity provider; we access only the scopes you grant.
  • Transactional email provider — for alert emails and account notifications.
  • Cloud infrastructure provider — hosting and CDN.

All sub-processors are contractually bound to process data only as instructed and to maintain appropriate security measures.

6. International Transfers

Our infrastructure is hosted in the European Union or the United States. Where data is transferred outside the EEA, we rely on Standard Contractual Clauses (SCCs) or an adequacy decision to ensure an equivalent level of protection.

7. Data Retention

We retain your personal data for as long as your account is active. You may delete your account at any time from Settings → Account → Delete Account. Deletion permanently removes all associated repositories, alert configurations, telemetry data, and personal data within 30 days, except where retention is required by law (e.g. billing records).

8. Your Rights

Depending on your jurisdiction you may have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — correct inaccurate or incomplete data.
  • Erasure — ask us to delete your data (“right to be forgotten”).
  • Portability — receive your data in a structured, machine-readable format.
  • Restriction — ask us to pause processing while a dispute is resolved.
  • Objection — object to processing based on legitimate interests.

To exercise any of these rights, email privacy@checkupstream.com. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.

9. California Residents (CCPA / CPRA)

If you are a California resident, you have the following additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

  • Right to Know: request disclosure of the categories and specific pieces of personal information we have collected about you, and how it is used and shared.
  • Right to Delete: request deletion of personal information we have collected, subject to certain exceptions.
  • Right to Correct: request correction of inaccurate personal information.
  • Right to Opt-Out of Sale or Sharing: we do not sell or share your personal information for cross-context behavioural advertising, so no opt-out action is required.
  • Right to Limit Use of Sensitive Information: we do not use sensitive personal information beyond what is necessary to provide the Service.
  • Right to Non-Discrimination: we will not discriminate against you for exercising any of these rights.

To submit a request, email privacy@checkupstream.com with the subject line “California Privacy Request”. We will respond within 45 days. You may designate an authorised agent to submit requests on your behalf.

10. Security

We use TLS for all data in transit, encrypted storage for sensitive credentials, and HTTP-only secure cookies for sessions. OAuth tokens are stored encrypted and never logged. Access to production data is restricted to authorised personnel only.

11. Children

CheckUpstream is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us data, contact us and we will delete it promptly.

12. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated by email or an in-app notice at least 14 days before they take effect. Continued use of the service after that date constitutes acceptance.

13. Contact

For any privacy questions or to exercise your rights, email privacy@checkupstream.com.