
Privacy Policy

Effective April 17, 2026

This policy explains what information Heliostat (operated by REEDSTER LLC, "we", "us") collects when you use the service at heliostat.dev, why we collect it, and what choices you have.

1. Who we are

Heliostat is a planning tool for solo developers practicing Shape Up. The service is operated by REEDSTER LLC, a Washington limited liability company. For privacy questions, write to [email protected].

2. What we collect

Account information (from the GitHub App)

Heliostat does not use email/password sign-in. You sign in and connect repositories through the Heliostat GitHub App. The App has a narrow, fixed permission set that applies only to the repositories you choose to install it on:

  • Repository: Metadata (read-only) — the identity of the repo (name, ID, visibility). Granted automatically to any GitHub App.
  • Repository: Contents (read-only) — required by GitHub for push events to be delivered (the event payload includes the branch and commit metadata we ingest). Although the permission would technically allow file reads via the API, Heliostat does not call those endpoints; we read only what the push webhook sends us.
  • Account: Email addresses (read) — your primary email, used as your account identifier in Heliostat.
  • Subscribed events: push, installation, installation_repositories.

From GitHub itself we receive, at sign-in time: your GitHub user ID, username, display name, avatar URL, and email. A short-lived user-to-server access token is stored encrypted at rest so we can identify you on return visits.

Authentication metadata

To protect your account, we record sign-in counts, sign-in timestamps, and the IP addresses associated with your most recent and current sessions. This is standard Devise "trackable" data.

Content you create in Heliostat

The product is a workspace for your own planning content. We store the pitches, scopes, hill check-ins, daily check-ins, cooldown ideas, retrospective notes, lessons, unplanned-work entries, and any other text you write inside the app.

The mind-map workspace ("Think") stores additional content: map notes (title, body, position, folder, tags), edges between notes, version history of each note, image attachments uploaded to a note, and image comments. Notes you choose to share publicly also store a public-share id and key pair so the share URL can be resolved without authentication.

Push notifications

If you opt in to browser push notifications, we store the push subscription endpoint and keys your browser provides so we can deliver digest and reminder notifications to that device. You can revoke push notifications from your browser or from in-app settings; revoking deletes the subscription record.

Third-party access tokens we issue

If you connect Heliostat to an external client (for example, an MCP-compatible AI client) via the OAuth 2.1 authorization endpoint, we store the registered client record and the access and refresh tokens we issue, so we can authenticate that client on subsequent requests. You can revoke any client from in-app settings.

Repository activity (from the GitHub App)

When you install the Heliostat GitHub App on a repository, GitHub sends push events to our App-wide webhook endpoint. We store, per commit: the commit SHA and URL, the commit message, the branch name, the timestamp, and the author object provided by GitHub (which includes the author's name, email, and GitHub username). When commits are authored by collaborators other than you, that collaborator's name, email, and username are also stored as part of the commit record. We use this data only to associate work with your scopes and to surface it back to you in the app. Uninstalling the Heliostat GitHub App from a repository stops all new data from arriving.

AI-powered features

Heliostat sends content to OpenAI to power several optional features. We persist any conversation history we generate in your database so you can return to it, and you can clear it from inside the app:

  • "The Senior" — pitch-writing assistant. We send the pitch's title, t-shirt size, problem, solution, rabbit holes, no-gos, self-test, and the running conversation history (capped at 20 messages).
  • Retro Coach — cooldown-phase retrospective conversation. We send your cycle summary, scope outcomes, hill positions, and the running conversation history.
  • Daily digest — if you have an active cycle, a scheduled job assembles a context summary about your cycle, scopes, hill positions, and recent commits and sends it to OpenAI so it can generate a digest email. The digest text is stored as a notification in your account.
  • Pitch extraction from notes — when you select a cluster of map notes and turn it into a pitch, we send those notes to OpenAI so it can summarize them into a pitch draft.
  • Public submission moderation — if you accept anonymous pitch submissions to your public link, each submission is screened by OpenAI before it lands in your inbox.

Cookies and similar technologies

See Cookies below.

3. How we use your information

  • To authenticate you and keep your session active.
  • To deliver the core features of the product: drafting pitches, tracking cycles, ingesting commits, generating digests, and sending transactional email.
  • To prevent abuse, debug errors, and maintain the service.
  • To communicate with you about your account, billing, and service-related events. We do not use your information for marketing emails.

4. Third-party processors

We rely on a small set of vendors to operate Heliostat. Each receives only the data needed for its function:

  • GitHub — authentication, repository metadata, and push webhooks. Subject to GitHub's Privacy Statement.
  • OpenAI — receives the pitch and cycle context described above for "The Senior" and daily digest features. Subject to OpenAI's Privacy Policy and their API data-usage terms.
  • Resend — sends our transactional email (confirmation, digest, and billing-related notices). Receives recipient email addresses and the email contents.
  • Sentry — receives error reports from our production servers. We have disabled the default PII forwarding, but error context (URLs, controller actions, framework breadcrumbs) may incidentally include identifiers.
  • Stripe — processes payments for paid plans. When you subscribe, your card details are entered on a Stripe-hosted Checkout page; we never see or store card numbers. Stripe returns a customer id, subscription id, and plan/period metadata which we store on your account. Subject to Stripe's Privacy Policy.

We do not use third-party advertising, analytics (Google Analytics, Mixpanel, PostHog, Plausible, etc.), or tracking pixels.

5. Cookies

Heliostat uses a small number of first-party cookies. We do not set third-party advertising or analytics cookies.

  • _heliograph_session (essential) — Rails session cookie. Required for login and CSRF protection. Marked HttpOnly and SameSite=Lax.
  • remember_user_token (functional) — Devise "remember me" cookie, set only if you explicitly stay signed in. Cleared when you sign out.
  • browser_tz (functional) — stores your IANA timezone (e.g. America/New_York) so dates render in your local time. One-year lifetime.
  • cookie_consent (functional) — records that you have dismissed the cookie notice so it isn't shown again. One-year lifetime.

Visiting GitHub during the OAuth handshake may cause GitHub to set its own cookies; those are governed by GitHub's privacy policy.

6. Data retention

We keep your data for as long as your account is active. If your account is deleted, the cascade removes your projects, cycles, pitches, scopes, hill positions, daily check-ins, lessons, unplanned-work entries, Senior and Retro Coach conversations, map notes (including their version history, image attachments, and image comments), edges, push subscriptions, OAuth applications and tokens you've authorized, GitHub webhook events, and notifications.

7. Your rights and requests

Depending on where you live (e.g. the EU/UK under GDPR, California under CCPA), you may have rights to access, correct, export, or delete the personal data we hold about you, and to object to or restrict certain processing.

You can export every map note as a .tar.gz archive of .md files (one per note, folders preserved as directories) from the Think workspace. For other data — pitches, scopes, check-ins, conversations — or for full account deletion, email [email protected] and we will fulfill verified requests manually within a reasonable period (typically within 30 days).

8. Security

OAuth access tokens and webhook secrets are encrypted at rest. The application uses HTTPS in production, signed session cookies, CSRF protection on state-changing requests, and Sidekiq job queues gated behind admin-only authentication. No system is perfectly secure; please report any suspected vulnerability to [email protected].

9. International transfers

Our infrastructure and our subprocessors (GitHub, OpenAI, Resend, Sentry) operate primarily from the United States. If you access Heliostat from outside the United States, your information will be transferred to and processed there.

10. Children

Heliostat is not directed to anyone under 16 and we do not knowingly collect personal information from children.

11. Changes to this policy

We will update the "Effective" date above whenever we revise this policy. Material changes will be communicated by email to active accounts before they take effect.

12. Contact

REEDSTER LLC — [email protected]
