Privacy Policy

Effective April 17, 2026

This policy explains what information Heliostat (operated by REEDSTER LLC, "we", "us") collects when you use the service at heliostat.dev, why we collect it, and what choices you have.

1. Who we are

Heliostat is a planning tool for solo developers practicing Shape Up. The service is operated by REEDSTER LLC, a Washington limited liability company. For privacy questions, write to [email protected].

2. What we collect

Account information (from the GitHub App)

Heliostat does not use email/password sign-in. You sign in and connect repositories through the Heliostat GitHub App. The App has a narrow, fixed permission set that applies only to the repositories you choose to install it on:

  • Repository: Metadata (read-only) — the identity of the repo (name, ID, visibility). Granted automatically to any GitHub App.
  • Repository: Webhooks (read & write) — so the App can deliver push events to us. We never read code, issues, PRs, statuses, or deployments.
  • Account: Email addresses (read) — your primary email, used as your account identifier in Heliostat.
  • Subscribed events: push, installation, installation_repositories.

From GitHub itself we receive, at sign-in time: your GitHub user ID, username, display name, avatar URL, and email. A short-lived user-to-server access token is stored encrypted at rest so we can identify you on return visits.

Authentication metadata

To protect your account, we record sign-in counts, sign-in timestamps, and the IP addresses associated with your most recent and current sessions. This is standard Devise "trackable" data.

Content you create in Heliostat

The product is a workspace for your own planning content. We store the pitches, scopes, hill check-ins, daily check-ins, cooldown ideas, retrospective notes, and any other text you write inside the app.

Repository activity (from the GitHub App)

When you install the Heliostat GitHub App on a repository, GitHub sends push events to our App-wide webhook endpoint. We store, per commit: the commit SHA and URL, the commit message, the branch name, the timestamp, and the author object provided by GitHub (which includes the author's name, email, and GitHub username). When commits are authored by collaborators other than you, that collaborator's name, email, and username are also stored as part of the commit record. We use this data only to associate work with your scopes and to surface it back to you in the app. Uninstalling the Heliostat GitHub App from a repository stops all new data from arriving.

"The Senior" — AI conversation data

Heliostat includes an LLM-powered assistant, "The Senior," which helps you write pitches. When you ask The Senior a question we send the following to OpenAI: the relevant pitch's title, t-shirt size, problem, solution, rabbit holes, no-gos, self-test, and the running conversation history (capped at 20 messages). We persist that conversation in our database so you can return to it. You can clear a pitch's Senior conversation at any time from inside the app.

Daily digest data

If you have an active cycle, a scheduled job assembles a context summary about your cycle, scopes, hill positions, and recent commits, and sends it to OpenAI so it can generate a digest email. The digest text is stored as a notification in your account.

Cookies and similar technologies

See Cookies below.

3. How we use your information

  • To authenticate you and keep your session active.
  • To deliver the core features of the product: drafting pitches, tracking cycles, ingesting commits, generating digests, and sending transactional email.
  • To prevent abuse, debug errors, and maintain the service.
  • To communicate with you about your account, billing, and service-related events. We do not use your information for marketing emails.

4. Third-party processors

We rely on a small set of vendors to operate Heliostat. Each receives only the data needed for its function:

  • GitHub — authentication, repository metadata, and push webhooks. Subject to GitHub's Privacy Statement.
  • OpenAI — receives the pitch and cycle context described above for "The Senior" and daily digest features. Subject to OpenAI's Privacy Policy and their API data-usage terms.
  • Resend — sends our transactional email (confirmation, digest, and billing-related notices). Receives recipient email addresses and the email contents.
  • Sentry — receives error reports from our production servers. We have disabled the default PII forwarding, but error context (URLs, controller actions, framework breadcrumbs) may incidentally include identifiers.
  • Stripe — currently reserved for future billing. The product schema includes Stripe customer ID and plan fields, but no billing UI is enabled. If we begin charging for the product, we will update this policy and notify you before processing any payments through Stripe.

We do not use third-party advertising, analytics (Google Analytics, Mixpanel, PostHog, Plausible, etc.), or tracking pixels.

5. Cookies

Heliostat uses a small number of first-party cookies. We do not set third-party advertising or analytics cookies.

  • _heliograph_session (essential) — Rails session cookie. Required for login and CSRF protection. Marked HttpOnly and SameSite=Lax.
  • remember_user_token (functional) — Devise "remember me" cookie, set only if you explicitly stay signed in. Cleared when you sign out.
  • browser_tz (functional) — stores your IANA timezone (e.g. America/New_York) so dates render in your local time. One-year lifetime.
  • cookie_consent (functional) — records that you have dismissed the cookie notice so it isn't shown again. One-year lifetime.

Visiting GitHub during the OAuth handshake may cause GitHub to set its own cookies; those are governed by GitHub's privacy policy.

6. Data retention

We keep your data for as long as your account is active. If your account is deleted, the cascade removes your projects, cycles, pitches, scopes, hill positions, daily check-ins, Senior conversations, GitHub webhook events, and notifications.

7. Your rights and requests

Depending on where you live (e.g. the EU/UK under GDPR, California under CCPA), you may have rights to access, correct, export, or delete the personal data we hold about you, and to object to or restrict certain processing.

Heliostat does not yet provide a self-service export or delete tool. While we build that out, you can email [email protected] and we will fulfill verified requests manually within a reasonable period (typically within 30 days).

8. Security

OAuth access tokens and webhook secrets are encrypted at rest. The application uses HTTPS in production, signed session cookies, and CSRF protection on state-changing requests; Sidekiq job queues are gated behind admin-only authentication. No system is perfectly secure; please report any suspected vulnerability to [email protected].

9. International transfers

Our infrastructure and our subprocessors (GitHub, OpenAI, Resend, Sentry) operate primarily from the United States. If you access Heliostat from outside the United States, your information will be transferred to and processed there.

10. Children

Heliostat is not directed to anyone under 16 and we do not knowingly collect personal information from children.

11. Changes to this policy

We will update the "Effective" date above whenever we revise this policy. Material changes will be communicated by email to active accounts before they take effect.

12. Contact

REEDSTER LLC — [email protected]