Overview
NoShip ("we," "our," or "us") provides org-wide code freeze management for GitHub. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service.
NoShip is designed with a minimal-access philosophy. We do not read, store, or access your source code. Our GitHub App only requires permissions necessary to manage commit statuses and deployment protection rules.
Information We Collect
Account Information
When you sign in with GitHub, we collect your GitHub username, user ID, email address, and avatar URL. This information is provided by GitHub's OAuth flow and is used to identify you within the application.
Organization Data
When you install the NoShip GitHub App on an organization, we store the organization login name, organization ID, installation ID, and your configured settings such as timezone preferences and access control configuration.
Repository Metadata
We store repository names, IDs, and default branch names for repositories where NoShip is installed. We never access, read, or store your source code, pull request content, or commit diffs.
Freeze & Schedule Configuration
We store the freeze windows, recurring schedules, freeze rules (including repository patterns, branch patterns, and environment patterns), and emergency override requests that you create and manage through the service.
Audit Logs
We maintain audit logs of actions taken within the service, including the actor, action type, affected resource, and contextual details such as repository name and environment.
Billing Information
Payment processing is handled entirely by Stripe. We store your Stripe customer ID and subscription ID for managing your plan, but we never store credit card numbers, bank account details, or other sensitive payment information on our servers.
Slack Workspace Data
If you connect Slack, we store the workspace ID, team name, channel ID, and channel name necessary to send freeze notifications. We do not read or store Slack message history.
AI Assistant Conversations
If you use the AI assistant feature, conversation messages are stored to provide continuity within your session. These conversations are scoped to your organization and are not shared with other users.
How We Use Your Data
We use the information we collect to:
- Provide, operate, and maintain the NoShip service
- Set and enforce commit statuses on pull requests during active freeze windows
- Enforce deployment protection rules via GitHub's native integration
- Process emergency override requests and maintain approval workflows
- Generate and display audit trails for compliance and accountability
- Send freeze notifications via Slack when configured
- Process billing and manage subscriptions through Stripe
- Provide AI-assisted freeze management through the chat interface
- Improve the service based on aggregated, anonymized usage patterns
We do not sell, rent, or trade your personal information to third parties. We do not use your data for advertising purposes.
GitHub Integration
NoShip operates as a GitHub App with carefully scoped permissions. Here is exactly what we request and why:
| Permission | Access | Purpose |
|---|---|---|
| Commit statuses | Read & Write | Set pass/fail status checks on PRs |
| Deployments | Read & Write | Enforce deployment protection rules |
| Metadata | Read | List repositories and basic org info |
| Members | Read | Verify organization membership |
We do not request access to repository contents, pull request bodies, issues, actions, secrets, or any other sensitive GitHub resources. NoShip operates entirely through status checks and deployment protection rules.
Third-Party Services
We use the following third-party services to operate NoShip:
- GitHub: Authentication (OAuth), App integration for commit statuses and deployment protection
- Stripe: Payment processing and subscription management
- Slack: Optional notifications for freeze events
- Sentry: Error tracking and performance monitoring
Each third-party service processes data according to its own privacy policy. We encourage you to review those policies for details on how each service handles your data.
Data Retention
We retain your data for as long as your account is active and as needed to provide the service. Specific retention periods:
- Account data — Retained while your account exists
- Freeze windows & schedules — Retained while your installation is active
- Audit logs — Retained according to your plan (7 days for Free, 30 days for Team, 90 days for Business, 365 days for Enterprise)
- AI conversations — Retained for the duration of the session
When you uninstall the NoShip GitHub App from your organization, we will delete all associated organization data, freeze configurations, and audit logs within 30 days. You may also request immediate deletion by contacting us.
Data Security
We implement industry-standard security measures to protect your data:
- All data is encrypted in transit using TLS 1.2+
- Database encryption at rest
- GitHub OAuth tokens are stored securely and scoped to minimum required permissions
- API tokens are hashed before storage
- Role-based access control within organizations
- Regular security reviews and dependency auditing
While we take every reasonable precaution to protect your data, no method of electronic transmission or storage is 100% secure. If you discover a security vulnerability, please report it to security@noship.io.
Your Rights
Depending on your location, you may have the following rights regarding your personal data:
- Access — Request a copy of the personal data we hold about you
- Correction — Request correction of inaccurate personal data
- Deletion — Request deletion of your personal data
- Portability — Request a machine-readable copy of your data
- Objection — Object to processing of your personal data
- Restriction — Request restriction of processing
To exercise any of these rights, contact us at privacy@noship.io. We will respond to your request within 30 days.
Legal Basis for Processing
We process your personal data under the following legal bases:
- Contract performance — Processing necessary to provide the NoShip service you subscribed to
- Legitimate interests — Processing necessary for service improvement, security, and fraud prevention
- Consent — Where you have explicitly consented, such as connecting optional integrations like Slack
- Legal obligation — Where required by applicable law
Policy Changes
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by updating the date at the top of this page and, where appropriate, provide additional notice such as an in-app notification or email.
Your continued use of NoShip after any changes constitutes your acceptance of the updated Privacy Policy.
Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Email: privacy@noship.io
Security issues: security@noship.io