Garry Tan
5a7e1bcb4b
Covers data sent during /gstack-submit (user-initiated, user-approved), transcript reading privacy model (local-only, grep-matched excerpts, never transmitted), and what never gets sent (raw code, raw transcripts, credentials). Renumbers sections 5-9. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
7.7 KiB
Privacy Policy
Last updated: 2026-03-26
gstack is an open-source CLI tool. This policy explains what data gstack collects, why, and how you control it.
The short version
- Telemetry is off by default. Nothing is sent unless you say yes.
- We never collect your code, file paths, repo names, prompts, or any content you write.
- You can change your mind anytime:
gstack-config set telemetry off - Screenshots you upload are yours. You can delete them anytime.
1. Telemetry
What we collect (if you opt in)
gstack has four data tiers:
| Tier | What's sent | Identifier |
|---|---|---|
| Off (default) | Nothing | None |
| Anonymous | Skill name, duration, success/fail, gstack version, OS | None — no way to connect sessions |
| Community | Same as anonymous | Random UUID (~/.gstack/.install-id) — connects sessions from one device |
| Logged in | Same as community, plus screenshots tied to your account | Email address + GitHub username (via OAuth) |
The first three tiers are chosen during first run. The logged in tier applies when you sign in to gstack.gg to use features like PR screenshots. Your email and GitHub username are associated with your uploaded screenshots and auth session. Logging in does not retroactively attach your identity to prior telemetry events.
What we never collect
- Source code or file contents
- File paths or directory structures
- Repository names or branch names
- Git commits, diffs, or history
- Prompts, questions, or conversations
- Usernames, hostnames, or IP addresses (not logged server-side)
- Any content you write or generate
How it works
- Events are logged locally to
~/.gstack/analytics/skill-usage.jsonl - A background sync (
gstack-telemetry-sync) sends unsent events to Supabase - Local-only fields (
repo,_branch,_repo_slug) are stripped before sending - Sync is rate-limited to once per 5 minutes, batched (max 100 events)
- If sync fails, events stay local — nothing is lost or retried aggressively
Update checks
gstack checks for updates by pinging our server with:
- Your gstack version
- Your OS (darwin/linux)
- A random device UUID
This happens regardless of telemetry tier because it's equivalent to what any package manager (Homebrew, npm) sends. No usage data is included. You can verify this in bin/gstack-update-check.
2. Screenshots (PR Screenshots feature)
When you use the PR Screenshots feature during /ship:
What's stored
- Screenshot images (PNGs) uploaded to a private Supabase Storage bucket
- Metadata: nanoid, your user ID, slugified repo name, slugified branch name, viewport size, timestamp
- Images are served through a proxy (
gstack.gg/i/{id}) that adds a watermark — raw images are never publicly accessible
What's NOT stored
- No source code or file contents
- No git history or commit data
- No prompt or conversation data
Your control
- You can delete your screenshots anytime (authenticated DELETE to the API)
- Orphan screenshots (no PR number after 24 hours) are automatically cleaned up
- Images are tied to your gstack.gg account — you own them
3. Authentication
gstack.gg supports two auth methods:
- GitHub OAuth — we receive your GitHub username and email. We don't access your repos, code, or any GitHub data beyond basic profile.
- Email OTP — we store your email address to send verification codes.
Auth tokens are stored locally at ~/.gstack/auth-token.json with file permissions 0600 (owner-only read/write). Tokens are standard Supabase JWT tokens and can be revoked by logging out (gstack-auth logout).
4. Data storage and security
All data is stored in Supabase (open-source Firebase alternative):
- Row-Level Security (RLS) on all tables — direct database access is denied even with the publishable API key
- Edge functions validate schema, enforce event type allowlists, and limit field lengths
- The Supabase publishable key in our repo is a public key (like a Firebase API key) — it cannot bypass RLS
- Screenshot storage bucket is private — images are only accessible through the watermark proxy using a service-role key
The full database schema is in supabase/migrations/ — you can verify exactly what's stored.
5. Showcase Submissions
When you run /gstack-submit, gstack helps you compose a submission for the gstack.gg showcase gallery. This is user-initiated and user-approved, different from telemetry (which runs in the background).
What gets sent (only after you preview and approve)
| Data | Source | You control it |
|---|---|---|
| Project title, tagline, description | AI-generated, you edit before sending | Yes, edit or cancel |
| Screenshot | Browse tool captures your deployed URL | Yes, you provide the URL |
| Build stats (commit count, LOC, skills used) | Local git + analytics files | Yes, preview before sending |
| Build story | AI-written from design docs + optionally transcripts | Yes, preview before sending |
| Repo URL | Your git remote | Yes, can omit |
What never gets sent
- Raw source code or file contents
- Claude Code transcripts (read locally, never transmitted, only the AI-generated summary)
- Private URLs or credentials found in local files
Transcript reading (opt-in)
If you choose to let gstack read your Claude Code transcripts for a richer build story:
- Transcripts are read locally only, never sent to any server
- Only pattern-matched excerpts (decision moments, skill usage) are read, not full conversations
- The AI writes a narrative summary; the raw transcript text is never included in the submission
- You preview the full build story before it's sent anywhere
6. Data retention
| Data type | Retention |
|---|---|
| Telemetry events | Indefinite (aggregated, no PII) |
| Update check pings | Indefinite (version + OS only) |
| Device codes (auth) | Deleted 15 minutes after expiry |
| Orphan screenshots | Deleted 24 hours after upload if no PR is created |
| Active screenshots | Retained until you delete them |
7. Your rights
- Access: Run
gstack-analyticsto see all your local telemetry data. The JSONL file at~/.gstack/analytics/skill-usage.jsonlis plain text — you can read it directly. - Opt out:
gstack-config set telemetry off— stops all collection and syncing instantly. - Delete local data: Remove
~/.gstack/analytics/to clear all local telemetry. - Delete screenshots: Authenticated DELETE request to the upload API, or contact us.
- Delete account: Contact us at the email below to deactivate your account. You will lose access to your data, including uploaded screenshots and account features. Previously collected telemetry and usage data may be retained and used by GStack, the GStack core team, or Y Combinator to improve the product.
8. Data ownership and use
GStack is owned by Garry Tan via copyright. Telemetry data collected through GStack may be used by Garry Tan, the GStack core team, or Y Combinator to improve GStack. We will never sell your data.
Third-party services
- Supabase hosts our database and storage (their privacy policy: https://supabase.com/privacy)
- Vercel hosts gstack.gg (their privacy policy: https://vercel.com/legal/privacy-policy)
- GitHub provides OAuth authentication
9. Changes
We'll update this policy as gstack evolves. Material changes will be noted in the CHANGELOG. The "Last updated" date at the top always reflects the current version.
Contact
Questions about privacy? Open an issue at https://github.com/garrytan/gstack/issues or email privacy@gstack.gg.