Privacy Policy for Signal for GitHub

Effective Date: May 26, 2026

1. Introduction and Scope

Signal for GitHub ("the Extension") is a productivity browser extension designed to provide real-time tracking of pull requests, code reviews, and Continuous Integration (CI) status contexts directly within the browser's native side panel.

This Privacy Policy governs the data processing practices of the Extension. It delineates the specific data types the Extension accesses, the localized methods of processing, and our strict commitment to user data minimization. The Extension operates under a strict local-first, read-only paradigm.

2. Information Accessed and Processed

The Extension interfaces with local APIs and official infrastructure endpoints to execute its core functionality. Personal credentials and profile data are processed strictly within our sandboxed architecture and official platform providers; data is never sold, shared, or transmitted to independent third-party analytics or monetization servers.

A. Core Routing and Infrastructure Processing

To facilitate the security handshakes required for standard OAuth 2.0 authentication, the Extension utilizes trusted cloud routing infrastructure:

GitHub API Infrastructure: Direct client-side network requests are established to populate your dashboard metadata locally.
Supabase Authentication Gateway: Supabase acts as the secure identity broker to process the initial GitHub OAuth sign-in routine. Session identities and core cryptographic tokens are processed securely via Supabase Auth database schemas to establish and manage user authentication states.

B. Specific Data Disclosures

Authentication Credentials (GitHub OAuth Token)

Data Type: Scoped OAuth 2.0 security token generated during the GitHub authentication flow.
Purpose: Authenticating queries executed against the official GitHub GraphQL and REST APIs.
Storage and Security: Following the initial authentication handshake managed by our infrastructure gateway (Supabase), the operational token is retained locally within the client-side sandboxed runtime environment via chrome.storage.local. Beyond official infrastructure communication required for session management and GitHub API fulfillment, data remains completely isolated.
Retention: Persists locally until explicitly terminated by user logout or uninstallation of the Extension.

User Profile Data

Data Type: Public GitHub username and avatar asset URL.
Purpose: Localized session identification within the interface header context.