Privacy for humans
Understand how we keep your data safe and private.
At Codereader, we take the security and privacy of our users very seriously. We understand that you trust us with your data, and we’re committed to protecting it. Codereader works on top of your GitHub repos, so the first point we’re going to discuss is the permissions our GitHub App requests.
Data from Github
When installing our GitHub App, you may be wondering what kind of access we need. Rest assured that we only require read permission on the repository contents. This means that we can’t modify or delete any of your code without your explicit consent. A GitHub App is the preferred way to connect a third-party app to your GitHub account. From GitHub’s docs:
In general, GitHub Apps are preferred to OAuth apps because they use fine-grained permissions, give more control over which repositories the app can access, and use short-lived tokens.
With our GitHub App, you can choose which repos to give access to, and we can request permissions only for what we need. We used to have an OAuth app, but it could only grant read and write permission to all of the repo’s content. So, we migrated to GitHub Apps in order to ask only for read permission on the repo contents.
Token storage and security
GitHub Apps provide both an access token and a refresh token. Both of these tokens expire within limits set by GitHub. These tokens are not stored on our backend, although they do transit through it. All communication from GitHub to our backend, and then from our backend to the clients, goes over HTTPS-encrypted requests. The tokens are then stored on device with EncryptedSharedPreferences on Android and with Keychain on iOS.
Once the tokens arrive on your device, they never leave it for any server other than GitHub’s. The data you request with them does not pass through Codereader’s servers; it goes straight to the client. This is a feature of OAuth: with the access token and refresh token, you can keep refreshing for a long period without needing a secret held behind a server.
Reviewing your installation
You can always review your GitHub App installation here. You can widen or limit access to repos and organizations too.
Data generated in Codereader
The notes you write in Codereader are local-only. We don’t have any kind of backup or sync service for them. This means that they live only on your device. If you lose that SQLite file, you lose your notes, but there’s no way for them to be accessed by third parties from outside your device. We do plan to offer a sync service in the future, which we’ll disclose here when ready.
Other data, like pinned repos, preferred editor options, which branch you are on and more UI-related state, is stored only on device. This data never leaves your device.
Third parties
These are the third parties Codereader relies on and for what purposes:
- Posthog to track usage analytics and improve the product. Linked to identity; no user content (like file names or anything else) is sent.
- Revenuecat for billing purposes. Data is linked to identity.
- Apple App Store for error reporting and distribution. Data not linked to identity.
- Google Play Store for error reporting and distribution. Data not linked to identity.
If you have any more questions, feel free to reach out to me at matias@codereader.dev