Privacy Policy
Last updated: May 2026
What we collect
- Account data — email, name, hashed password, and GitHub OAuth metadata. GitHub sign-in requests the read:user, user:email, and repo scopes; the repo scope is what lets Windcraft create the branches, pull requests, and webhooks that repo sync needs on your public and private repositories. The token is used only for those operations — your source code is processed locally and is never stored on our servers.
- Project metadata — design tokens, component contracts, rule configurations, sync events. We do not store your source code.
- Billing — handled by Paddle as Merchant of Record. We never see your card.
- Sync events — when the CLI syncs, it records the result (status, token version, and the number of files written) against your project so you can see sync history in the dashboard. No source code or command arguments are sent. Disable by setting
WINDCRAFT_TELEMETRY=0.
How we use it
To run the product. We do not sell your data, and we share it only with the subprocessors listed below to operate the service.
Storage
- Postgres for account, project, and session data
- Redis for webhook idempotency
- API keys hashed with bcrypt cost 12
Subprocessors
We use a small set of third parties to run the product. Each receives only the data it needs:
- Paddle — payments, tax, and invoicing as Merchant of Record
- GitHub — OAuth sign-in and (when you connect a repo) branch / PR / webhook operations
- Resend — transactional email (verification, magic links, receipts)
- Sentry — error monitoring (may include request context such as IP)
GDPR
Export your data any time from /account. Delete your account from the same page — projects soft-delete immediately, and all rows are purged about 30 days after deletion.
Data controller & contact
Windcraft is operated by Alican Başak (sole operator), the data controller for personal data described here. Questions or data requests: hello@windcraft.io