Policy · last updated 2026-04-18

Privacy

Project Spine is an alpha developer tool. This page is the short, plain-English version of what we do with your data. If something here is unclear, email support@projectspine.dev.

What we collect

  • GitHub identity. When you run spine login, GitHub shares your user id, login, name, avatar URL, and primary verified email (if granted via user:email). We never receive or store your GitHub password or any OAuth-unrelated GitHub token beyond the one-time code exchange.
  • Workspaces and templates. When you create a workspace or push a template, we store the workspace slug, name, optional description/brand color, the template manifest, brief markdown, and optional design-rules markdown you send.
  • Published rationales. When you publish a rationale, we store the rendered markdown and a reference to the spine hash.
  • Drift snapshots. When you push drift reports from CI, we store a compact summary (counts + item list) plus the spine hashes you observed.
  • API tokens. CLI bearer tokens are stored sha256-hashed only. Plaintext never hits our database.
  • Operational logs. Vercel records request logs (IP, path, status, timestamp) for up to 30 days to help us investigate errors. No request bodies are logged by default.

What we do not collect

  • Your repo source code. The CLI runs offline for compile and drift checks.
  • Your GitHub access token beyond the short-lived one used to identify you.
  • Analytics cookies or third-party trackers on the landing page or hosted routes.

Where your data lives

Vercel (hosting + function execution) and Neon (Postgres database), both in the iad1 region (US East). Deployments and backups are managed by those providers. Neon replicas may exist in the same region for durability.

How long we keep it

  • Active data (workspaces, templates, rationales, drift snapshots) is kept until you delete it or close your account.
  • Revoked rationales are soft-deleted; the public URL returns 404 but the row remains in the database for audit. You can request hard deletion.
  • Vercel request logs are retained per Vercel's own policy (currently 30 days).

Your rights

You can ask us to export, correct, or permanently delete anything associated with your account by emailing support@projectspine.dev from the address on your GitHub account. We will respond within 30 days. If we can't identify you, we'll tell you what we'd need.

Subprocessors

  • GitHub (OAuth identity, source-of-truth for your repo)
  • Vercel (hosting, DNS, logging)
  • Neon (Postgres)
  • Cloudflare (DNS for projectspine.dev)

Changes

We'll date any material changes and announce them in the repo's GitHub release notes. No silent changes.
