Security

How we handle your data and your repo

Last updated: May 11, 2026

Branchpost touches two things that buyers care about: a GitHub repository and the content you have not published yet. Here is the short version of what that means.

Authentication

GitHub OAuth, no passwords

Branchpost has no password database. You sign in with GitHub, and we store only your GitHub user ID, username, email, and avatar URL. Your session is held in a single httpOnly cookie signed with a per-environment secret (blog_session), set with SameSite=Lax and Secure in production.

GitHub App scopes

Read-only by default, PRs only where you authorize

The Branchpost GitHub App requests the minimum scopes needed to do its job:

  • Repository contents: read
  • Pull requests: write
  • Metadata: read
  • Webhooks (optional, opt-in per repo): push events for topic suggestion

We never push to your default branch and we never merge pull requests on your behalf. You can revoke our access at any time from github.com/settings/installations; revocation takes effect immediately.

Encryption

TLS in transit, encryption at rest

All connections to Branchpost use TLS 1.2 or higher. Data at rest is encrypted by our managed providers (Neon Postgres, Cloudflare R2, Vercel). Sensitive credentials — GitHub installation tokens, Stripe customer references, webhook signing secrets, QStash signing keys — are stored as environment variables in Vercel and never written to logs or transmitted to the browser.

AI processing

Your content is not used to train models

Our AI subprocessors (Anthropic for text, Replicate for optional images) are configured so that the prompts we send and the outputs they return are not used to train third-party models. Each request is processed and discarded by the provider per their zero-retention or short-retention enterprise terms.

Subprocessors

Who we share data with

We share the minimum data required to operate the Service with a vetted list of subprocessors. The current list lives in our Privacy Policy § 4 and includes GitHub, Stripe, Anthropic, Cloudflare R2, Resend, Replicate, Unsplash, Vercel, Neon, and Upstash. We update that list whenever we onboard or retire a provider.

Payments

PCI handled by Stripe

We do not touch full card numbers. All payments are processed by Stripe (a PCI-DSS Level 1 service provider). We store only a Stripe customer ID, plan, subscription status, and the last four digits of your card.

Access controls

Least-privilege internal access

Production access is restricted to the founders. Database queries are scoped per user via row-level checks in application code. All deploys go through GitHub-protected branches and require passing build + type checks before reaching production.

Backups & retention

Daily backups, deletable on request

Postgres is backed up daily by Neon with point-in-time recovery. Server logs are retained for up to 30 days. You can request account deletion at any time by emailing support@branchpost.com; we delete or anonymize personal data within 30 days.

Responsible disclosure

Found a vulnerability?

If you have discovered a security issue, please email security@branchpost.com with a description and reproduction steps. Do not publicly disclose the issue until we have had a reasonable chance to investigate and remediate.

We do not currently run a paid bug bounty, but we will acknowledge your report promptly, keep you posted, and credit you publicly if you would like.