Legal
Privacy Policy
Last updated: March 1, 2026
1. Introduction
This Privacy Policy describes how Ovvoc ("we," "us," or "our") collects, uses, discloses, and protects personal information when you access or use our automated dependency update platform and related services (collectively, the "Service"). Ovvoc is an automated dependency update SaaS that monitors, updates, and maintains software dependencies for customer projects.
Ovvoc is the data controller for the personal data processed through the Service. We are responsible for determining the purposes and means of processing your personal data. This Privacy Policy applies to all users of the Service, including visitors to our website, registered account holders, and any individuals whose personal data we process in connection with the Service.
By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our data practices, please do not use the Service.
2. Information We Collect
2.1 Account Information
When you create an account, we collect information depending on the registration method you choose:
- GitHub OAuth: GitHub user ID, username, email address (if public or authorized), and GitHub App installation details (repository access permissions).
- Google OAuth: Google account ID, display name, and email address as authorized through Google's consent flow.
- Email and Password Registration: Email address and a password, which is hashed using Argon2id before storage. We never store plaintext passwords.
If you register through multiple methods using the same verified email address, we may link those accounts automatically to provide a unified experience.
2.2 Repository Data
When processing dependency update jobs, we temporarily access:
- Repository source code (cloned into ephemeral Docker containers)
- Package manifests (
package.json, lock files, workspace configuration files) - Build output and test results
- Dependency metadata retrieved from public and private package registries
- Repository configuration files (e.g.,
.nvmrc,Ovvoc.yml)
Repository data is processed exclusively within isolated, ephemeral containers. We do not persistently store your source code. See Section 5 for detailed information about our ephemeral processing architecture.
2.3 Usage Data
We collect operational and diagnostic data, including:
- Job execution history (timestamps, status, duration, update categories applied)
- Update success and failure rates
- API request logs (IP address, user agent string, request timestamps, request identifiers)
- Billing events and payment history
- Dashboard interactions and feature usage patterns
- Error reports and diagnostic information
2.4 Cookies and Similar Technologies
We use a minimal set of cookies strictly necessary to operate the Service. We do not use tracking cookies, analytics cookies, advertising cookies, or any third-party cookies for behavioral profiling. See Section 17 for a detailed cookie table.
3. Legal Basis for Processing (GDPR Article 6)
For users in the European Economic Area (EEA), United Kingdom, and Switzerland, we process personal data only when we have a valid legal basis under the General Data Protection Regulation (GDPR). The following table maps each category of data to its applicable legal basis:
| Data Category | Legal Basis | Explanation |
|---|---|---|
| Account information | Contract performance (Art. 6(1)(b)) | Necessary to create and manage your account and provide the Service |
| Repository data (ephemeral processing) | Contract performance (Art. 6(1)(b)) | Necessary to perform the dependency update service you have subscribed to |
| Billing and payment data | Contract performance (Art. 6(1)(b)) and Legal obligation (Art. 6(1)(c)) | Necessary to process payments and comply with tax and financial record-keeping laws |
| Usage data and API logs | Legitimate interest (Art. 6(1)(f)) | Necessary for security monitoring, abuse prevention, service improvement, and debugging |
| Code snippets sent to AI | Consent (Art. 6(1)(a)) | You consent to AI-assisted code transformation when enabling the Service for your repositories. You may withdraw consent at any time by disabling AI processing in your account settings |
| Essential cookies | Legitimate interest (Art. 6(1)(f)) | Strictly necessary for authentication and security of the Service |
| Email notifications | Contract performance (Art. 6(1)(b)) and Consent (Art. 6(1)(a)) | Transactional emails are necessary for the Service; marketing communications require your consent |
| Audit logs | Legitimate interest (Art. 6(1)(f)) and Legal obligation (Art. 6(1)(c)) | Necessary for security auditing, incident response, and regulatory compliance |
Where we rely on legitimate interest, we have conducted balancing tests to ensure that our interests do not override your fundamental rights and freedoms. You may request details of these assessments by contacting us at [email protected].
4. How We Use Your Information
We use the information we collect for the following purposes:
- To provide, operate, and maintain the Service, including cloning repositories, updating dependencies, building, testing, and opening pull requests on your behalf
- To authenticate your identity, manage your account, and enforce access controls
- To process payments, manage subscriptions, and maintain billing records through our payment processor (Paddle)
- To generate pull requests, failure reports, and update summaries for your repositories
- To perform AI-assisted code transformations when deterministic rules are insufficient to resolve complex breaking changes
- To send transactional emails, including job notifications, weekly digests, security alerts, and account-related communications
- To monitor, detect, and prevent security threats, fraud, abuse, and unauthorized access
- To debug issues, analyze error reports, and improve the reliability and performance of the Service
- To improve the Service through aggregated, anonymized usage analytics
- To comply with applicable laws, regulations, legal processes, and enforceable governmental requests
- To enforce our Terms of Service and protect the rights, property, and safety of Ovvoc, our users, and the public
5. Code Processing and Ephemeral Containers
Your source code is processed exclusively within ephemeral Docker containers that are purpose-built for security and data isolation. This architecture ensures that your code is never persistently stored on our infrastructure. Each container is configured with the following security controls:
- Customer Isolation: Every job runs in its own dedicated container with no shared state, memory, or filesystem access to any other customer's data. Containers are created on-demand and scoped to a single job execution.
- Ephemeral Lifecycle: Containers are destroyed immediately upon job completion, regardless of whether the job succeeded or failed. All source code, build artifacts, and intermediate files are permanently deleted with the container.
- Network Restriction: Container network access is limited strictly to necessary outbound connections: public and private package registries (e.g., npm) and the GitHub API. No inbound connections are permitted.
- Read-Only Filesystem: The container filesystem is mounted as read-only, except for a designated temporary workspace directory used exclusively for the current job.
- Resource Limits: CPU, memory, and disk usage are capped per container to prevent resource exhaustion and side-channel attacks.
- No Persistent Storage: We do not copy, cache, or archive your source code outside the ephemeral container. No source code is written to persistent storage at any point during processing.
Build artifacts, test output logs, and transformation metadata may be retained temporarily (up to 30 days) for debugging and job reporting purposes. These logs do not contain your source code in full; they contain only build and test output, error messages, and summary information about changes made.
6. AI Data Processing
For complex dependency updates that cannot be resolved by deterministic transformation rules, Ovvoc may use artificial intelligence to analyze and generate code modifications. This section describes how AI is used and what data is shared with AI providers.
What Data Is Sent to AI
When AI-assisted transformation is required, we send the following to the AI provider:
- Targeted code snippets from the specific files that require modification (not entire repositories or codebases)
- Relevant dependency changelog entries and migration guide excerpts
- The specific update category and transformation instructions
- Abstract syntax tree (AST) context for the affected code sections
Minimum Context Guarantee
We apply a strict minimum-context principle: only the smallest code snippet necessary to perform the specific transformation is sent to the AI provider. We do not send entire files, entire repositories, environment variables, secrets, credentials, or any data unrelated to the specific code transformation task.
AI Provider Data Handling
Our current AI provider is Google Gemini, accessed through their API. Under our API terms of service with Google, code snippets submitted through the Gemini API are not used to train or improve Google's AI models. Data submitted through the API is processed solely for the purpose of generating the requested response and is not retained by Google beyond the duration of the API request.
User Consent
By enabling Ovvoc for your repositories, you consent to AI-assisted code transformation as part of the Service. You may withdraw this consent at any time by disabling monitoring for your repositories or by contacting us at [email protected]. Withdrawing consent may limit the Service's ability to resolve certain complex dependency updates that require AI-assisted transformations.
7. Third-Party Services and Subprocessors
We share personal data with the following third-party service providers (subprocessors), each of which is bound by contractual obligations to protect your data. We have assessed each subprocessor's data protection practices and maintain data processing agreements where required.
| Subprocessor | Location | Purpose | Data Shared |
|---|---|---|---|
| GitHub (Microsoft) | United States | Source code access, pull request creation, OAuth authentication | Repository contents (ephemeral), user identity, commit data |
| Paddle | United Kingdom | Merchant of Record for payment processing, subscription management, tax compliance | Email address, account identifier, billing information |
| Google (Gemini API) | United States | AI-assisted code transformation for complex dependency updates | Targeted code snippets, transformation context (minimum necessary) |
| Resend | United States | Transactional email delivery (job notifications, weekly digests, account alerts) | Email address, email content |
| Cloudflare | United States | CDN, DDoS protection, DNS, and secure tunnel infrastructure | IP address, request metadata (processed in transit) |
Each subprocessor processes data in accordance with their own privacy policies:
- GitHub Privacy Statement
- Paddle Privacy Policy
- Google Privacy Policy
- Resend Privacy Policy
- Cloudflare Privacy Policy
We do not sell, rent, or trade your personal information to any third party. Data is shared with subprocessors only to the extent necessary to provide the Service.
8. Data Retention
We retain personal data only for as long as necessary to fulfill the purposes described in this Privacy Policy or as required by law. The following table details our retention periods for each category of data:
| Data Type | Retention Period | Justification |
|---|---|---|
| Source code | Duration of job only (ephemeral) | Destroyed with container upon job completion |
| Build and test logs | 30 days | Debugging, job reporting, and failure analysis |
| Job history and metadata | Duration of account | Dashboard visibility and historical reporting |
| Account information | Duration of account + 30 days after deletion | Grace period for account recovery |
| Billing records | 7 years after transaction | Tax law and financial record-keeping obligations |
| Audit logs | 90 days | Security monitoring and incident response |
| AI processing logs | 7 days | Transformation debugging and quality assurance |
| API request logs | 30 days | Security analysis and abuse detection |
Upon account deletion, we will delete or anonymize your personal data within the retention periods specified above. Data required for legal compliance (such as billing records) will be retained for the legally mandated period and then deleted.
9. Data Security
We implement technical and organizational security measures designed to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:
- Encryption in Transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher.
- Encryption at Rest: Sensitive data stored in our database, including private registry credentials, is encrypted using AES-256-GCM.
- Password Hashing: Account passwords are hashed using Argon2id, a memory-hard hashing algorithm resistant to GPU and ASIC brute-force attacks. We never store plaintext passwords.
- Session Security: Authentication tokens are stored in HttpOnly, Secure, SameSite cookies that cannot be accessed by client-side JavaScript, mitigating cross-site scripting (XSS) and cross-site request forgery (CSRF) risks.
- Token Lifecycle: Access tokens expire after 15 minutes. Refresh tokens are rotated on every use and expire after 7 days. GitHub installation tokens are short-lived (1 hour) and scoped to minimum required permissions.
- Container Isolation: Each customer's code is processed in an isolated, ephemeral container with no cross-customer access, read-only filesystem, network restrictions, and resource limits.
- Brute-Force Protection: Login attempts are rate-limited (5 attempts per email address and 20 attempts per IP address per 15-minute window) to prevent credential-stuffing attacks.
- Infrastructure Security: Our infrastructure is protected by Cloudflare's DDoS mitigation, Web Application Firewall (WAF), and DNS security services.
While we take commercially reasonable measures to protect your data, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.
10. Your Rights Under GDPR
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR) with respect to your personal data:
- Right of Access (Article 15): You have the right to request a copy of the personal data we hold about you, along with information about how it is processed.
- Right to Rectification (Article 16): You have the right to request that we correct any inaccurate or incomplete personal data we hold about you.
- Right to Erasure (Article 17): You have the right to request the deletion of your personal data, subject to certain legal exceptions (e.g., data required for legal compliance).
- Right to Data Portability (Article 20): You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.
- Right to Restriction of Processing (Article 18): You have the right to request that we restrict the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data.
- Right to Object (Article 21): You have the right to object to processing based on legitimate interests or for direct marketing purposes. Where you object, we will cease processing unless we can demonstrate compelling legitimate grounds.
- Right to Withdraw Consent (Article 7): Where processing is based on consent (e.g., AI code transformation), you have the right to withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
- Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority in the EU/EEA member state where you reside, work, or where the alleged infringement occurred.
To exercise any of these rights, contact us at [email protected]. We will respond to your request within 30 days. In complex cases, we may extend this period by an additional 60 days, in which case we will notify you of the extension and the reasons for the delay within the initial 30-day period.
We will not charge a fee for processing your request unless the request is manifestly unfounded or excessive. We may request verification of your identity before fulfilling your request.
11. Your Rights Under CCPA/CPRA (California Residents)
If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with specific rights regarding your personal information. This section describes those rights and how to exercise them.
Categories of Personal Information Collected
In the preceding twelve (12) months, we have collected the following categories of personal information:
| Category (per Cal. Civ. Code 1798.140) | Examples | Source | Business Purpose |
|---|---|---|---|
| Identifiers | Name, email address, account ID, GitHub/Google user ID, IP address | Directly from you; OAuth providers | Account management, authentication |
| Commercial information | Subscription plan, billing history, payment records | Paddle (payment processor) | Payment processing, subscription management |
| Internet or network activity | API request logs, user agent, pages visited, feature usage | Automatically collected | Security, debugging, service improvement |
| Geolocation data | Approximate location derived from IP address (country/region level) | Automatically collected | Security monitoring, abuse detection |
| Professional or employment-related information | GitHub organization membership, repository access | GitHub OAuth | Service functionality (repository access) |
Your California Privacy Rights
- Right to Know (Section 1798.100): You have the right to request that we disclose the categories of personal information we have collected, the categories of sources, the business purpose for collecting the information, the categories of third parties with whom we share the information, and the specific pieces of personal information we have collected about you.
- Right to Delete (Section 1798.105): You have the right to request that we delete any personal information we have collected about you, subject to certain exceptions (e.g., completing a transaction, detecting security incidents, complying with legal obligations).
- Right to Correct (Section 1798.106): You have the right to request that we correct inaccurate personal information we maintain about you.
- Right to Opt-Out of Sale or Sharing (Section 1798.120): We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. Because we do not engage in these practices, there is no need to opt out; however, you may still submit an opt-out request and we will confirm our practices.
- Right to Limit Use of Sensitive Personal Information (Section 1798.121): We do not process sensitive personal information for purposes beyond those necessary to provide the Service.
- Right to Non-Discrimination (Section 1798.125): We will not discriminate against you for exercising any of your CCPA/CPRA rights. We will not deny you the Service, charge you different prices, provide a different level of service, or suggest that you will receive a different level of service for exercising your rights.
Authorized Agent
You may designate an authorized agent to submit a request on your behalf. To do so, you must provide the authorized agent with written permission and verify your identity directly with us. We may deny a request from an agent if the agent cannot provide proof of authorization.
How to Exercise Your California Rights
To exercise any of these rights, contact us at:
- Email: [email protected]
- Toll-free: 1-800-OVVOC-PP (1-800-688-6277) (to be activated)
We will acknowledge your request within 10 business days and provide a substantive response within 45 calendar days. If we require additional time, we will notify you of the extension (up to an additional 45 days) and the reason for the delay.
12. Automated Decision-Making
Ovvoc uses automated systems, including artificial intelligence, to make decisions about how to update your software dependencies. These automated decisions include:
- Categorizing dependency updates by complexity and risk level
- Selecting appropriate transformation strategies (deterministic rules vs. AI-assisted)
- Determining whether a code change is safe to propose in a pull request
- Deciding whether to open a pull request or file a failure report based on build and test results
These automated decisions relate solely to code transformation tasks and do not produce legal effects or similarly significant effects on you as an individual. All changes proposed by Ovvoc are delivered as pull requests, which require human review and explicit approval before being merged into your codebase. You retain full control over whether to accept, modify, or reject any proposed change.
We do not use automated decision-making or profiling for purposes that produce legal effects concerning you or that similarly significantly affect you (such as credit decisions, employment decisions, or insurance determinations).
Under GDPR Article 22, you have the right to request human intervention in any automated decision, to express your point of view, and to contest the decision. To exercise this right, contact us at [email protected].
13. International Data Transfers
Our Service is primarily hosted and operated in the United States. If you access the Service from outside the United States, including from the European Economic Area (EEA), United Kingdom, or Switzerland, your personal data will be transferred to and processed in the United States.
The United States may not provide the same level of data protection as your home jurisdiction. To ensure that your personal data receives an adequate level of protection when transferred internationally, we implement the following safeguards:
- Standard Contractual Clauses (SCCs): Where required, we enter into European Commission-approved Standard Contractual Clauses with our subprocessors to provide appropriate safeguards for the transfer of personal data outside the EEA.
- Supplementary Measures: In addition to SCCs, we implement technical measures (encryption in transit and at rest, pseudonymization, access controls) and organizational measures (data minimization, subprocessor assessments) to ensure the continued protection of your data.
- Adequacy Decisions: Where applicable, we rely on adequacy decisions by the European Commission recognizing that certain jurisdictions provide an adequate level of data protection.
Our subprocessors and their locations are listed in Section 7. By using the Service, you acknowledge that your data may be transferred to and processed in the United States and other jurisdictions where our subprocessors operate.
14. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will take the following actions:
GDPR Requirements
- Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33.
- If the breach is likely to result in a high risk to your rights and freedoms, notify affected individuals without undue delay, as required by GDPR Article 34.
CCPA/CPRA Requirements
- Notify affected California residents in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement and any measures necessary to determine the scope of the breach.
Notification Content
Our breach notifications will include:
- A description of the nature of the breach, including the categories and approximate number of individuals and data records concerned
- The name and contact details of our data protection contact point
- A description of the likely consequences of the breach
- A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects
Remediation
Upon discovering a breach, we will immediately take steps to contain and remediate the incident, including but not limited to: revoking compromised credentials, isolating affected systems, conducting a forensic investigation, and implementing measures to prevent recurrence. We maintain an incident response plan that is reviewed and tested regularly.
15. Children's Privacy
The Service is not directed to individuals under the age of 16. We do not knowingly collect, solicit, or maintain personal information from children under 16 years of age. If we learn that we have collected personal information from a child under 16, we will take prompt steps to delete that information from our systems.
If you are a parent or guardian and you believe that your child under 16 has provided personal information to us, please contact us at [email protected] so that we can take appropriate action.
16. Do Not Track Signals
Ovvoc honors Do Not Track (DNT) browser signals where technically feasible. We do not engage in behavioral tracking or cross-site tracking of our users. We do not use third-party analytics, advertising networks, or social media tracking pixels. Because we do not track users across third-party websites or services, our practices are consistent with DNT signals by default.
17. Cookie Details
The following table describes all cookies used by the Service. We use only essential cookies that are strictly necessary for the operation of the Service. We do not use any non-essential, analytics, or advertising cookies.
| Cookie Name | Purpose | Duration | Type |
|---|---|---|---|
Ovvoc_session | Stores the authenticated session token (JWT access token) used to identify your login session. Set with HttpOnly, Secure, and SameSite=Lax attributes. | Session (expires when browser is closed, or after 15 minutes of inactivity) | Essential (Strictly Necessary) |
Ovvoc_refresh | Stores the refresh token used to obtain a new session token without requiring re-authentication. Set with HttpOnly, Secure, and SameSite=Lax attributes. Path restricted to /api/v1/auth. | 7 days | Essential (Strictly Necessary) |
| Paddle checkout cookies | Set by Paddle (our payment processor) during the checkout overlay to facilitate payment processing. These cookies are managed by Paddle and are subject to Paddle's privacy policy. | Session | Essential (Strictly Necessary) |
Because all cookies used by the Service are strictly necessary for its operation (authentication and payment processing), no cookie consent banner is required. We do not use any cookies that require user consent under GDPR or the ePrivacy Directive.
18. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. When we make material changes, we will:
- Notify you via the email address associated with your account at least 30 days before the changes take effect
- Update the "Last updated" date at the top of this Privacy Policy
- Where required by law, obtain your consent to the changes before they take effect
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the revised Privacy Policy.
19. Data Protection Contact
For any questions, concerns, or requests related to this Privacy Policy or our data processing practices, please contact us:
- Email: [email protected]
- General Inquiries: Contact Page
EU Representative
Pursuant to GDPR Article 27, as Ovvoc is not established in the European Union but offers services to individuals in the EU, we are in the process of appointing a representative in the European Union. Details of our EU representative will be published on this page and communicated to affected users once the appointment is finalized.
Response Commitment
We will acknowledge all privacy-related inquiries and data subject requests within 10 business days and provide a substantive response within 30 days. If we require additional time to process your request, we will notify you of the extension and the reason for the delay within the initial 30-day period.