Ravenstash
Legal

Privacy Policy

This policy explains what Ravenstash collects, how we use it, how we share it, and the choices available to people who use the website, app, APIs, registry endpoints, and developer tooling.

Effective date: July 6, 2026

1. Scope and roles

This Privacy Policy applies to Ravenstash's public website, hosted app, developer API, registry upload and download endpoints, documentation, support interactions, and related services. Ravenstash Ltd. Liability Co., a Wyoming limited liability company, provides the service from the United States.

For account, website, billing, security, and product operations, Ravenstash acts as the business or controller of personal information. For package content and workspace data that a customer uploads, configures, caches, or makes available to its team, the customer generally controls that data and Ravenstash acts as a service provider or processor under the customer's instructions.

If your employer, client, or another organization invited you to Ravenstash, that organization may control repositories, team membership, package data, token metadata, usage information, and related activity in its workspace.

2. Information we collect

We collect information directly from you, from workspace administrators and team members, from your package clients and automation systems, from OAuth and payment providers, from public package registries when you configure upstream features, and from service providers that help us operate Ravenstash.

CategoryExamples
Account and profile informationName, email address, password authentication data, email verification status, account settings, team invitations, linked OAuth identifiers, and passkey credential metadata.
Authentication and security informationLogin events, session identifiers, refresh-cookie state, device-login approvals, active rvn device sessions, API token metadata, token rotation and revocation records, IP addresses, user agents, and security logs.
Repository and package informationRepository names, registry kind, package names, versions, artifacts, checksums, metadata, yanked or deleted states, upstream settings, cached upstream metadata and artifacts, download activity, and storage activity.
Usage, diagnostics, and telemetryPages visited, API and registry requests, upload and download events, bandwidth and storage measurements, error reports, performance data, rate-limit events, timestamps, device/browser details, and approximate location derived from IP address.
Billing and commercial informationBilling contact details, subscription records, invoices, tax information, transaction metadata, plan choices, and limited payment metadata handled with payment processors.
Support and communicationsMessages you send us, contact details, screenshots, diagnostic data, abuse reports, security reports, rights requests, and support history.

Package artifacts may contain source code, compiled code, build outputs, documentation, dependency metadata, or other materials chosen by the customer. Customers are responsible for deciding what to upload, publish, cache, or disclose through repositories.

3. How we use information and legal bases

We use information for the purposes below. Where GDPR or similar laws apply, our legal bases may include performance of a contract, legitimate interests, consent, and compliance with legal obligations.

PurposeExamplesLegal bases where applicable
Provide the serviceCreate accounts, authenticate users, operate repositories, publish packages, serve downloads, cache configured upstream packages, and manage teams.Performance of a contract; legitimate interests.
Secure RavenstashDetect abuse, investigate incidents, enforce rate limits, verify tokens, revoke sessions, prevent fraud, and protect package ecosystems.Legitimate interests; legal obligations.
Support and communicateRespond to support requests, send service notices, process privacy requests, and communicate about product or policy changes.Performance of a contract; legitimate interests; legal obligations.
Billing and administrationProcess subscriptions, invoices, taxes, payments, refunds, chargebacks, and accounting records.Performance of a contract; legal obligations; legitimate interests.
Improve RavenstashAnalyze reliability, product usage, performance, errors, package workflows, and operational health.Legitimate interests; consent where required.

4. Cookies and similar technologies

Ravenstash uses cookies and similar browser storage for authentication, session restoration, security, preferences, fraud prevention, and product functionality. The hosted app uses an HttpOnly refresh-cookie flow to restore signed-in sessions.

The public website is designed to be static and crawlable. We do not use customer package content for targeted advertising, and we do not sell personal information. If we use analytics or marketing cookies that require consent, we will provide appropriate controls.

5. How we share information

We share information only as needed for the purposes described in this policy.

Service providers and subprocessors

We use service providers and infrastructure partners for cloud hosting, object storage, database hosting, secret management, content delivery, transactional email, payment processing, error monitoring, security, identity, support, and related operations. These providers process information on our behalf and are expected to protect it according to their agreements with us.

Service categories include providers such as Cloudflare for edge delivery and object storage, Neon or PostgreSQL-compatible database hosting, Infisical for managed secrets, GlitchTip/Sentry-compatible telemetry, payment processors, transactional email providers, and Google or GitHub when you choose OAuth login. Business customers may request additional subprocessor information through support@ravenstash.com.

Workspace administrators and members

Team administrators and authorized team members may see account, repository, package, token metadata, usage, invitation, and activity information associated with their team workspace.

Third-party registries and identity providers

If you enable upstream read-through, Ravenstash may request package metadata or artifacts from public registries. If you sign in with Google or GitHub, the selected identity provider processes information according to its own policies.

Legal, safety, and business transfers

We may disclose information if we believe it is necessary to comply with law, respond to legal requests, enforce our Terms, investigate abuse, protect rights and safety, or complete a merger, acquisition, financing, reorganization, or sale of assets.

6. International transfers

Ravenstash is based in the United States, and information may be processed in the United States and other countries where we or our providers operate. Those countries may have privacy laws different from the laws where you live.

Where required, we use appropriate transfer mechanisms for international transfers, which may include standard contractual clauses, the UK international data transfer addendum, adequacy decisions, data processing terms, and providers' Data Privacy Framework certifications.

7. Retention

We keep information for as long as needed to provide Ravenstash, comply with legal obligations, resolve disputes, secure the service, maintain backups, enforce agreements, process payments, support customers, and meet legitimate operational needs.

Repository and package deletions are intended to remove active access promptly. Unless a plan, order, or separate agreement says otherwise, deleted repository and package artifacts may remain recoverable for up to seven days before purge from active object storage. Related records may remain for a limited time in backups, logs, security records, caches, metrics, payment records, legal records, or recovery workflows. Token metadata, audit-style records, and security logs may be retained after token revocation or account closure when needed for security and compliance.

8. Security

Ravenstash uses technical and organizational measures intended to protect information, including authenticated access, token controls, passkey support, private package routes, short-lived browser download links, logging, monitoring, provider controls, and infrastructure security practices.

No system is perfectly secure. You should protect your login, passkeys, device sessions, package-client configuration, CI secrets, and API tokens.

9. Privacy rights and choices

You can update account information, manage linked accounts, revoke tokens, revoke device sessions, and manage team membership through Ravenstash account and workspace controls.

Depending on where you live, you may have rights to access, know, correct, delete, export, restrict, object to, or opt out of certain processing of personal information. You may also have the right to limit use of sensitive personal information, withdraw consent where processing is based on consent, and appeal a privacy request decision.

Ravenstash does not sell personal information and does not share personal information for cross-context behavioral advertising as those terms are commonly used in California privacy law. We will not discriminate against you for exercising privacy rights.

To make a privacy request, contact support@ravenstash.com. We may need to verify your identity and may direct requests about team workspace data to the customer that controls the workspace.

10. Children

Ravenstash is not directed to children under 13, and we do not knowingly collect personal information from children under 13. If you believe a child has provided personal information to Ravenstash, contact us.

11. Third-party websites and package ecosystems

Ravenstash may link to third-party websites, documentation, package managers, public registries, identity providers, and payment processors. Their privacy practices are governed by their own policies.

12. Changes to this policy

We may update this Privacy Policy from time to time. If changes are material, we will provide reasonable notice through the website, app, email, or another appropriate channel. The updated policy will state its effective date.

13. Contact

Questions or privacy requests can be sent to support@ravenstash.com.

Need to manage your account instead? Open the dashboard.