PRFlow

Privacy Policy

Last updated: July 13, 2026

1. Introduction

PRFlow ("we", "our", or "the Service") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and safeguard your information when you use our service, which delivers GitLab merge request and GitHub pull request notifications to Slack.

2. Information We Collect

We collect the following types of information:

Account Information

  • GitLab username and email address
  • GitLab OAuth tokens (encrypted)
  • GitHub organization or account name and GitHub App installation identifiers
  • Slack workspace and channel information
  • Slack OAuth tokens (encrypted)

GitLab Project and Merge Request Data

Received from your GitLab instance via webhooks, and retrieved from the GitLab API on your behalf:

  • Merge request metadata (title, author, status, URL, branch names, approval and discussion counts)
  • Project names and identifiers
  • Pipeline status information
  • Comment content (for notification delivery only — see Section 5)

GitHub Repository and Pull Request Data

Received from GitHub via webhooks when you install the PRFlow GitHub App, and retrieved from the GitHub API on your behalf. The App's permissions are read-only (pull requests, checks, and repository metadata); it has no access to repository contents, so PRFlow cannot read your source code:

  • Pull request metadata (title, author, status, URL, branch names, review and check status)
  • Repository names and identifiers
  • Check run and CI status information
  • Comment content (for notification delivery only — see Section 5)

Usage Data

  • Service usage statistics
  • Error logs for troubleshooting

3. How We Use Your Information

We use the collected information to:

  • Deliver merge request and pull request notifications to your Slack channels
  • Display pipeline, check, and CI status in notifications
  • Sync comments from GitLab and GitHub to Slack threads
  • Authenticate and authorize your account
  • Improve and maintain the Service
  • Respond to support requests

We do not sell your data. We use the GitLab and GitHub data we receive solely to provide the notification features you have configured. We do not modify its content, disclose it to third parties (beyond delivering it to the Slack workspace you configure), or use it for any other purpose without your consent.

4. Data Storage and Security

We take the security of your data seriously:

  • OAuth tokens are encrypted at rest using industry-standard encryption
  • All data is transmitted over HTTPS
  • Raw webhook payloads are processed in real time and not permanently stored
  • We use secure cloud infrastructure with regular security updates

We handle personal data in accordance with applicable privacy and data-protection laws and regulations.

5. Data Retention

What we store, and for how long:

  • Account information and encrypted OAuth tokens — retained while your account is active. Disconnecting an integration deletes its stored tokens.
  • Merge request and pull request metadata (title, author, status, URL, branch names, pipeline and check status) and references to the Slack messages we post — retained while your account is active so we can keep existing Slack messages up to date as merge requests and pull requests change.
  • Comment content — passed through to Slack for delivery and not stored. We keep only a reference (comment ID and Slack message ID) so that edits update the right Slack message.
  • Raw webhook payloads — processed in real time and not retained.

You may request deletion of your account and associated data at any time.

6. Third-Party Services

PRFlow integrates with the following third-party services:

  • GitLab - For authentication, receiving webhook events, and retrieving merge request data via the GitLab API
  • GitHub - For receiving webhook events from the PRFlow GitHub App and retrieving pull request data via the GitHub API
  • Slack - For delivering notifications to your workspace

We also rely on the following sub-processors to operate the Service: Railway (hosting and database), Clerk (authentication), Polar (billing), and Sentry (error monitoring). These providers may process data in the United States.

When you connect PRFlow, merge request and project data is retrieved from your GitLab instance and transmitted to the Slack workspace and channels you configure. This means this data is transmitted to systems outside the GitLab platform. GitLab is not responsible for the privacy, security, or integrity of data once it has left the GitLab platform.

Likewise, when you install the PRFlow GitHub App, pull request and repository data received from GitHub is transmitted to the Slack workspace and channels you configure.

Your use of these services is governed by their respective privacy policies.

7. Your Rights

You have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate data
  • Request deletion of your data
  • Disconnect your GitLab, GitHub, or Slack integrations at any time
  • Export your configuration data

8. Cookies

PRFlow uses essential cookies for authentication and session management. We do not use tracking cookies or third-party analytics that track you across websites.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify users of any material changes by posting the new policy on this page and updating the "Last updated" date.

10. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data rights, please contact us at hello@prflow.dev.