Privacy Policy
Last updated: 2026-05-26.
RepoCritics is operated as a community-curated review platform for open-source software. We try to collect only what we need to run the service, and to be explicit about every byte we keep. This document covers both repocritics.com and the official RepoCritics browser extension.
What we collect
- Account data — when you sign in we receive your GitHub username, public profile, and verified primary email via GitHub OAuth. We store these in Supabase Postgres (us-east-1).
- Content you publish — reviews, wiki edits, comments, votes, and the repos you claim. All published content is public and is licensed under CC-BY-SA 4.0.
- Session cookies — Supabase issues an authentication cookie (HttpOnly, Secure, SameSite=Lax) so you stay signed in. We use no other first-party cookies.
- Server logs — Vercel keeps short-lived edge logs for abuse-prevention and debugging (IP, user-agent, path). These rotate on Vercel's default schedule and we do not aggregate them into profiles.
What we do not collect
- No third-party analytics (no Google Analytics, no Mixpanel, no Segment).
- No tracking pixels, fingerprinting, or behavioural advertising.
- No telemetry from the browser extension. The extension does not phone home beyond the repo lookups described below.
The browser extension
The RepoCritics extension is intentionally minimal:
- Reads the URL of the active GitHub tab to detect which repository you are viewing.
- Calls https://repocritics.com/api/… with that owner/name pair to fetch the public RepoCritics score and metadata.
- Stores your local UI preferences (e.g. badge on/off) in chrome.storage.local. Nothing in that storage is transmitted to us.
- Does not read repository contents, your DOM input, or any other browsing activity.
The extension uses the activeTab and storage permissions plus the host permission https://github.com/* for badge injection. No other origins are read.
Sharing
- Public by default — reviews, wiki text, comments, and username are visible to everyone, and indexed by search engines.
- Service providers — Supabase (database + auth), Vercel (hosting), and Resend (transactional email) process data on our behalf under their respective data processing agreements.
- We do not sell user data. Ever.
Retention
Account profile and published content are retained until you ask us to delete them. Edge logs rotate within 30 days. Backups roll on a 7-day cycle.
Your rights
Under GDPR and similar regimes you may request a copy of your personal data or ask us to delete it. Self-service export and delete will ship in Phase 2 from your account settings. Until then, email privacy@repocritics.com and we will respond within 30 days.
Note that published content (reviews, wiki edits) may remain attributed to the deleting user's last-known username, or be re-attributed to "[deleted]" at our discretion, to preserve the integrity of the public record. Personal data — email, OAuth tokens, session cookies — is always purged on request.
Security
Auth tokens are HttpOnly and Secure. Database access is restricted by row-level security. We do not store passwords (GitHub OAuth only). Report security issues to security@repocritics.com.
Changes
We will update the "last updated" date at the top of this page when we make material changes. Significant changes will also be announced in the site footer and, where appropriate, by email to registered users.
Contact
Privacy questions: privacy@repocritics.com. General contact: hello@repocritics.com.