Legal

Privacy Policy

Last updated: April 21, 2026

PRFlow is local-first: your GitHub token and all PR data stay on your device. We use Supabase only to sign you in with GitHub and to check your subscription status. No analytics, no tracking, no ads.

01 — Overview

What this policy covers

PRFlow is a Chrome extension that displays your GitHub Pull Requests in the browser's side panel. This policy explains what data the extension accesses, how it's used, and where it's stored.

02 — Data we access

Only what's needed to sign you in and show your queue

PRFlow accesses only what's needed to sign you in, display your PR queue, and verify your plan:

| Data | Purpose | Stored |
| --- | --- | --- |
| GitHub Personal Access Token (PAT) | Authenticate requests to the GitHub REST API | Local only |
| PR metadata (title, author, status, labels, repo) | Display your PR list | Local only |
| GitHub notifications | Show PR-related notifications and unread count | Local only |
| GitHub username & avatar URL | Identify PR authors and display your profile | Local only |
| Filter & display preferences | Remember your settings | Local only |
| Supabase session (access & refresh tokens) | Keep you signed in between sessions | Local only |
| Supabase user ID & subscription status | Unlock Pro/Trial features | Supabase |

03 — Third-party services

Three external services, nothing else

PRFlow communicates with three external services. No other network calls are made:

| Service | Purpose | What's sent |
| --- | --- | --- |
| GitHub API (api.github.com) | Fetch your PRs and notifications | Your GitHub PAT and search queries |
| Supabase | GitHub OAuth sign-in and subscription lookup | OAuth code, user ID, anon API key |
| Polar (via Supabase Edge Function) | Process Pro subscription checkout | Your user ID; payment data is handled by Polar |

04 — Data we don't collect

What never leaves your device

Beyond what's listed above, PRFlow does not collect, transmit, or store anything. Specifically:

05 — How it works

Sign-in, PR access, subscription, caching

Sign-in. PRFlow signs you in with GitHub through Supabase using the OAuth 2.0 PKCE flow (chrome.identity.launchWebAuthFlow). Supabase returns a session that is stored locally in chrome.storage.local. We do not retain your GitHub OAuth provider token.

PR access. To fetch your PRs, PRFlow uses a GitHub Personal Access Token (PAT) that you generate and paste into the extension. The PAT is validated against GitHub, then stored locally in chrome.storage.local. It never leaves your device except in requests to api.github.com. Required scopes: repo, notifications, read:org.

Subscription. Your subscription status (free, trial, or pro) is read from Supabase using your session. Paid checkout is handled by Polar via a Supabase Edge Function; PRFlow never sees your payment details.

Caching. PRs, notifications, and preferences are cached locally to reduce redundant requests. They are cleared on sign-out or uninstall.

06 — Permissions explained

Why each permission is requested

| Permission | Why it's needed |
| --- | --- |
| sidePanel | Display the PR list in Chrome's side panel |
| storage | Store your PAT, session, cached PRs, and preferences locally |
| alarms | Schedule periodic PR and notification refreshes |
| identity | Launch the GitHub OAuth sign-in flow via Chrome's identity API |
| api.github.com/* | Fetch PRs and notifications from the GitHub REST API |
| *.supabase.co/* | Sign in and read your subscription status |

07 — Data retention

On your device and on Supabase

On your device. Cached PRs, notifications, your PAT, and your Supabase session are refreshed or replaced as you use the extension. All local data is deleted when you sign out, uninstall the extension, or clear your browser data.

On Supabase. We retain only what's required to maintain your account: a user record linked to your GitHub identity and a subscription record. To delete your account and associated records, contact us at the address below.

08 — Security

HTTPS, strict CSP, read-only

All network requests are made over HTTPS. The extension enforces a strict Content Security Policy that restricts connections to api.github.com and *.supabase.co, and images to avatars.githubusercontent.com. No external scripts are loaded. PRFlow is read-only on GitHub — it never writes to your repositories or opens PRs on your behalf.

09 — Children's privacy

Not directed at children under 13

PRFlow is a developer tool and is not directed at children under 13. We do not knowingly collect data from children.

10 — Changes to this policy

Updates are published here

If we update this policy, the revised version will be published here with an updated date. Continued use of the extension after changes constitutes acceptance of the revised policy.

11 — Contact

Questions about this policy?

Reach out at [email protected].


This website uses Cloudflare Web Analytics — cookieless, no personal data collected. The PRFlow extension itself collects zero telemetry.