Privacy Policy

1. Introduction

Streaky ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our service.

2. Information We Collect

2.1 Information You Provide

• GitHub Account Information: When you sign in with GitHub OAuth, we collect your GitHub username, email, avatar, and user ID.
• GitHub Personal Access Token: You provide a GitHub PAT with read:user scope to check your contribution streak. This token is encrypted using AES-256-GCM before storage.
• Discord Webhook URL (Optional): If you choose to receive Discord notifications, we store your webhook URL in encrypted form.
• Telegram Bot Token (Optional): If you choose to receive Telegram notifications, we store your bot token and chat ID in encrypted form.

2.2 Automatically Collected Information

• Usage Data: We collect information about how you interact with the Service (page views, button clicks, features used).
• Device Information: Browser type, operating system, IP address (anonymized), and timezone.
• Streak Data: Your current GitHub contribution streak, longest streak, and contribution history.
• Notification History: Timestamps and delivery status of notifications sent to you.

4. How We Use Your Information

We use your information to:

• Check your GitHub contribution streak daily at 8 PM UTC
• Send notifications via Discord and/or Telegram when your streak is at risk
• Display your current streak and statistics on the dashboard
• Authenticate your account via GitHub OAuth
• Improve the Service and fix bugs
• Analyze usage patterns (anonymized data only)

5. Data Sharing and Third Parties

5.1 We DO NOT sell your data

We will never sell, rent, or trade your personal information to third parties.

5.2 Third-Party Services We Use

We use the following third-party services to operate Streaky:

• GitHub: For OAuth authentication and API access to check your contribution streak. Subject to GitHub Privacy Statement.
• Cloudflare Workers: For backend processing and data storage. Subject to Cloudflare Privacy Policy.
• Vercel: For frontend hosting. Subject to Vercel Privacy Policy.
• Vercel Analytics: For anonymized page view tracking (no cookies, no tracking across sites).
• Discord (Optional): If you provide a webhook, we send notifications to your Discord channel.
• Telegram (Optional): If you provide a bot token, we send notifications via Telegram API.
• Koyeb: For encrypted notification relay (Rust VPS proxy). Credentials are encrypted end-to-end before being sent. Subject to Koyeb Privacy Policy.

5.3 When We May Share Your Data

We may share your information only in these limited circumstances:

• Legal Requirements: If required by law, subpoena, or court order.
• Security Threats: To prevent fraud, abuse, or security threats.
• Service Providers: With Cloudflare and Vercel as necessary to operate the Service.

We will never share your GitHub PAT, Discord webhooks, or Telegram tokens with anyone except the services they are intended for.

6. Data Retention

We retain your data as follows:

• Account Data: Retained until you delete your account.
• Encrypted Credentials: Deleted immediately when you remove them from your account or delete your account.
• Notification History: Retained until you delete your account. All notifications are automatically deleted when you delete your account.
• Analytics Data: Anonymized and retained indefinitely for service improvement.

7. Your Rights

You have the right to:

• Access Your Data: View all data we have about you from the dashboard.
• Update Your Data: Edit your notification settings and credentials anytime.
• Delete Your Data: Contact us on GitHub to delete your account and all associated data permanently.
• Export Your Data: Request a copy of your data (contact us on GitHub).

8. Cookies and Tracking

We use minimal cookies and tracking:

• Authentication Cookie: NextAuth.js session cookie (required for login, expires after 30 days).
• Analytics: Vercel Analytics (no cookies, no cross-site tracking, privacy-friendly).

We do NOT use third-party advertising cookies or tracking pixels.

9. Children's Privacy

Streaky is not intended for users under 13 years old. We do not knowingly collect information from children under 13. If you believe a child has provided us with personal information, please contact us and we will delete it.

10. International Data Transfers

Your data is stored in Cloudflare's global network and may be transferred to countries outside your residence. Cloudflare complies with GDPR and other international privacy regulations.

11. Security Measures

In addition to encryption, we implement these security measures:

• JWT authentication with signature verification
• CORS protection with strict allowlist
• Rate limiting (60 requests per minute)
• Request size limits (1MB maximum)
• Security headers (HSTS, X-Frame-Options, X-Content-Type-Options)
• Regular security audits and updates

12. Changes to Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes via email or dashboard notification. Continued use of the Service after changes constitutes acceptance of the updated policy.

13. Contact Us

If you have questions about this Privacy Policy or how we handle your data, please contact us:

• GitHub Issues: Create an issue
• GitHub Discussions: Start a discussion

14. GDPR Compliance (EU Users)

If you are in the European Union, you have additional rights under GDPR:

• Right to access your personal data
• Right to rectification (correct inaccurate data)
• Right to erasure ("right to be forgotten")
• Right to restrict processing
• Right to data portability
• Right to object to processing

To exercise these rights, delete your account from the dashboard or contact us on GitHub.