PRIVACY POLICY
Last updated: March 2026
1. Who we are
The data controller is Alex Price (individual), operating re:starred at restarred.dev.
Contact: privacy@digest.restarred.dev
2. Information we collect
We collect three categories of information:
Account data (from GitHub OAuth)
- GitHub user ID, username, display name, and email address
- GitHub access token (encrypted at rest using AES-256-GCM)
Starred repositories
- The repos you've starred on GitHub — for each one: name, description, language, star count, URL, when you starred it, and last activity date
Data we generate
- Consent records: what you consented to, when, your IP address and user agent at the time
- Session data: a hashed session identifier stored in our database
- Email verification records: temporary hashed PINs when you change your email (auto-expire after 24 hours)
- Event logs: anonymised usage events (e.g. "a user signed up", "a digest was sent") — these record event type and account role, not your identity
- Digest history: which repos were included in each weekly email we sent you
3. How we use your information
- To deliver your digest: we analyse your starred repos to find forgotten ones and email them to you weekly, on the day and time you choose
- To authenticate you: your GitHub OAuth token lets us verify your identity and fetch your stars
- To communicate: verification emails when you change your email address, and service notifications about significant changes
- To improve the service: anonymised, aggregate event data (not tied to your identity) helps us understand how the service is used
4. Legal basis for processing (GDPR)
- Consent: sending you digest emails — you explicitly opt in during signup and can withdraw anytime
- Legitimate interest: account authentication, session management, and anonymised analytics to improve the service
- Legal obligation: maintaining consent records (we're required to prove you consented)
5. Cookies
We use only essential cookies. No tracking, advertising, or analytics cookies.
| Cookie | Purpose | Duration |
|---|---|---|
| session_id | Keeps you logged in | 30 days |
| github_oauth_state | Prevents CSRF during GitHub login | Deleted immediately after login |
6. Data sharing and third parties
We do not sell, trade, or share your personal information.
Two third parties process data on our behalf:
- GitHub (github.com) — we use their API to authenticate you and fetch your starred repositories. Their privacy policy applies to data you share with GitHub directly.
- Resend (resend.com) — delivers emails on our behalf. They process your email address solely for delivery. They do not retain or use it for other purposes.
No other third parties receive your data.
7. Data retention and deletion
- While your account is active: all data described in Section 2 is retained
- When you delete your account: your profile, stars, digest history, consent records, sessions, and email verifications are permanently deleted immediately. Your GitHub OAuth grant is also revoked.
- What remains: anonymised event logs (e.g. "a user signed up") are retained for aggregate analytics. These are not linked to your identity and cannot be used to identify you.
8. Your rights
Everyone
- Access your data via your account settings
- Delete your account and all associated data at any time
- Withdraw consent to emails by unsubscribing (via email link or account settings)
Under GDPR (UK/EU)
- Request a copy of your data in a portable format
- Request rectification of inaccurate data
- Object to processing based on legitimate interest
- Lodge a complaint with your local supervisory authority (e.g. the ICO in the UK)
Under CCPA (California)
- Know what personal information we collect and why
- Request deletion of your personal information
- We do not sell personal information, so the right to opt out of sale does not apply
For any of these requests, contact privacy@digest.restarred.dev.
9. International data transfers
Your data is stored on servers in the EU and US. If you are accessing the service from outside these regions, your data will be transferred internationally. We rely on standard contractual clauses and provider compliance frameworks to ensure adequate protection.
10. Age restriction
re:starred is not intended for anyone under 16. We do not knowingly collect data from children. If you believe a child has provided us data, contact us and we will delete it.
11. Changes to this policy
We may update this policy from time to time. For significant changes, we will notify you by email. The "last updated" date at the top will always reflect the current version.