tugtug is operated by Warped Puppy LLC, a company based in Maine, USA. tugtug is a code health dashboard: you connect a GitHub repository and we show you where the risk in your codebase lives. This policy explains how we handle personal data when you visit the site or use the product. Warped Puppy LLC is the data controller for the personal data described here.
This policy covers personal data. For a detailed breakdown of how we handle your source code and repository data specifically, see the Security & Privacy page — the short version is that we store derived metrics, never your source code.
When you sign in with GitHub, we receive and store your GitHub username, email address, avatar, and an encrypted GitHub access token used to read your repositories on your behalf.
We store the list of repositories you connect (owner, name, and a public/private flag) and derived numbers about them — file paths, complexity scores, churn counts, coupling pairs, and health history. When you load live GitHub stats, we may also cache contributor GitHub usernames, avatar URLs, commit totals, weekly activity counts, and pull request trend summaries. We do not store your source code, commit messages, or author email addresses. (Full detail on the Security & Privacy page.)
We collect aggregate, privacy-friendly usage data: page views, referring sites, and approximate location and device type derived from your IP address. This is collected without cookies (see "Cookies & Tracking" below) and is not used to build advertising profiles.
On the public repo checker, Cloudflare Turnstile processes your IP address and browser signals to confirm you are not a bot before an analysis runs.
If you email us or join the Team mailing list, we keep your email address and the contents of your message so we can respond and contact you.
If and when paid plans are active, payment is processed by Stripe. We do not see or store your full card details — Stripe does. We retain billing records (amounts, dates, customer ID) as required by law.
We do not sell your personal data, and we do not share it with third parties for their own marketing.
We keep cookies and tracking to the minimum needed to run the product.
We use a small number of strictly necessary cookies to keep you signed in and maintain your session (set by our authentication provider, Supabase). The site does not work without these, so they are not optional.
Our usage analytics (Vercel Web Analytics) is cookieless. It does not set tracking cookies, does not follow you across other websites, and does not build an advertising profile of you.
Your chosen color theme is stored locally in your browser (localStorage). It never leaves your device and is not transmitted to us.
We rely on a small set of trusted service providers to run tugtug. Each processes personal data only to provide its service to us, under its own data-protection terms.
| Provider | Purpose | Data |
|---|---|---|
| Vercel | Hosting & cookieless analytics | Requests, page views, IP-derived geo/device |
| Supabase | Database & authentication | Account data, metrics, session cookies |
| GitHub | OAuth sign-in & repo access | GitHub profile, repository contents (read in memory) |
| Cloudflare | Bot protection (Turnstile) | IP address, browser signals |
| Stripe | Payments (when paid plans are active) | Billing details, customer ID |
| Resend | Transactional & digest email | Email address, message content |

If you are in the EU/EEA or UK, we process your personal data under the following legal bases:

- Providing the product to you — authentication, repository analysis, live GitHub stats, and account features.
- Keeping the service secure and reliable, preventing abuse, and understanding aggregate usage. We balance these against your rights.
- Sending mailing-list emails you signed up for. You can withdraw consent at any time by unsubscribing or emailing us.
- Retaining billing and accounting records where the law requires it.

tugtug is operated from the United States, and our processors store and process data in the US. If you access tugtug from the EU/EEA or UK, your personal data is transferred to the US. Where required, our processors rely on recognized transfer mechanisms such as the EU–US Data Privacy Framework and/or Standard Contractual Clauses. EU data residency is not currently available.
We keep personal data only as long as we need it for the purposes above. Analysis metrics and health history are kept until you purge them; audit logs are kept for 90 days; billing records are kept for 7 years as required by law. A full retention table is on the Security & Privacy page.
Depending on where you live, you have rights over your personal data, including the right to access, correct, delete, or export it, to object to or restrict certain processing, and to withdraw consent. You can exercise most of these directly:
For any other request — or to ask us to act on your behalf — email privacy@tugtug.com. If you are in the EU/EEA or UK and believe we have mishandled your data, you also have the right to lodge a complaint with your local data protection authority.
tugtug is a tool for software developers and is not directed at children. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us data, contact us and we will delete it.
We may update this policy as the product evolves. When we do, we will revise the “Last updated” date above. Material changes will be communicated through the site.
Privacy & data requests: privacy@tugtug.com
Everything else: info@tugtug.com
Warped Puppy LLC · Maine, USA