neywa.
Back to ShiftFeed

ShiftFeed — Privacy policy

OpenShift & Kubernetes news, curated

Last updated: 2026-04-30 Effective: 2026-04-30

1 Introduction

ShiftFeed is an OpenShift and Kubernetes news aggregator developed by an independent developer based in the Czech Republic. It surfaces publicly available articles, GitHub release announcements, Red Hat security advisories, and an AI-generated daily briefing in a single feed.

The short version: ShiftFeed can be used fully anonymously — no account required to read the feed, receive broadcast push notifications, or submit a public link. An optional account (email magic link) unlocks cross-device bookmark sync. A paid Pro subscription additionally unlocks personalised features: custom alert rules, custom RSS feeds, a scheduled personalised daily briefing, and per-device targeted push notifications. We collect only what those optional features require. No analytics, no advertising, no tracking SDKs, no device or advertising IDs.

By using the app you agree to the practices described in this policy.

2 Data the App Does Not Collect

ShiftFeed does not collect, store, or transmit any of the following, regardless of whether you are signed in or not:

  • Location data
  • Device or advertising IDs
  • Usage analytics
  • Crash reports
  • Contacts or microphone
  • Camera or photos
  • Browsing history
  • Biometric data
  • Marketing communications
  • Payment instruments

Signed-in users do have an email address and a Supabase user UUID stored — see Section 3. Everything else on the list above is never collected, even with an account.

3 Data the App Does Handle

Article Content Anonymous

The app fetches publicly available article metadata — title, URL, source name, summary, tags, and publication date — along with AI-generated daily briefings from a Supabase-hosted database. This content is identical for every reader and contains no user data.

Any user, signed in or not, can submit a public URL via the Submit a Link form. The URL is stored in a submissions table for editorial review. If you are not signed in, no identity is attached to the submission. If you are signed in, your user UUID is associated with the submission for editorial purposes only.

Authentication Signed-in

Sign-in is via Supabase magic link — no password. You enter your email address; Supabase sends a one-time sign-in link; tapping it opens the app and establishes a session via a custom URL scheme (shiftfeed://auth-callback). This is not a system permission; it is a deep-link handled by the app.

We store: your email address, a Supabase-issued user UUID, and standard auth metadata (created at, last sign-in timestamp). Your email is used only to deliver the magic link and as the account identifier. We do not send marketing email.

Bookmarks Signed-in

When signed in, bookmarks sync across your devices via a user_bookmarks table keyed to your user UUID. Anonymous users’ bookmarks are stored locally on-device only and are never transmitted.

Push Notifications

Push notifications operate in two distinct modes depending on sign-in status:

  • Broadcast topics Anonymous — on Android and iOS, the device subscribes to all (daily briefing), security (CVE alerts), and releases (software release alerts) via Firebase Cloud Messaging. These are broadcast to every subscribed device; no identity is attached and no token is stored by the developer.
  • Per-device targeted push Pro — for signed-in Pro users, the device’s FCM registration token is stored in a user_device_tokens table linked to your user UUID. This enables the backend to deliver alert-rule matches and personalised briefings directly to your device. Stale tokens are pruned automatically when FCM reports them invalid.

Pro Feature Data Pro

The following data is stored only for signed-in Pro users, each in its own Supabase table scoped to your user UUID:

  • Custom alert rules (user_alert_rules) — keyword filters, source category filters, and optional CVSS score thresholds you configure.
  • Custom RSS feeds (user_rss_sources) — RSS feed URLs you add. The backend fetches these on your behalf and writes resulting articles to the shared articles table tagged as user-submitted. Those articles are visible only to you, enforced by Supabase row-level security.
  • Personalised digest preferences (user_digest_prefs) — your chosen delivery hour and your device’s IANA timezone string (e.g. Europe/Prague), read from the operating system via the flutter_timezone plugin. We do not derive or store geolocation; the timezone is used only to schedule your briefing at roughly the right local time.

Billing is handled entirely by Apple App Store or Google Play. ShiftFeed never sees your card details or payment instrument. Subscription state is managed by RevenueCat, which receives your Supabase user UUID and standard purchase metadata (product ID, store, status) from the platform after sign-in. RevenueCat uses the UUID to link entitlements to your account across devices. No payment data is transmitted to or stored by the developer.

In-App Browser

On Android and iOS, tapping an article opens it in an embedded WebView. On web and desktop, it opens in your external browser. Destination websites (Red Hat Blog, Kubernetes Blog, GitHub, etc.) may set their own cookies and log your visit per their own privacy policies. ShiftFeed does not inject scripts, intercept content, or collect anything from these browsing sessions.

Local-Only Preferences

Light/dark theme, trial-banner-dismissed state, and similar transient UI flags are stored on-device only using standard platform local storage. They are never transmitted.

Row-Level Security

Every per-user Supabase table uses auth.uid() = user_id row-level security policies. A signed-in user can only read and write their own rows. The backend ingestion job uses a separate service-role key to write public article rows; that key never ships in the app binary.

4 Device Permissions

Android

  • INTERNET — required to fetch articles and briefings from the backend database.
  • POST_NOTIFICATIONS — requested at runtime on Android 13 and above to deliver push notifications. You can deny or revoke this at any time in system settings; the rest of the app continues to function normally.
  • Deep-link URL scheme — the magic-link sign-in flow uses the shiftfeed://auth-callback scheme to return you to the app after tapping the sign-in link in your email. This is not a system permission; it is registered in the app’s manifest and does not require user approval.

iOS

  • Notifications — requested at runtime to deliver push notifications. You can deny or revoke at any time in system settings.
  • Deep-link URL scheme — same as Android above; shiftfeed://auth-callback is registered as a URL scheme in the app’s Info.plist. No user approval required.

Web and Desktop

No special permissions are requested. The web version runs as a static site and makes only anonymous read requests to the backend database. Account features and the Pro tier are not available on web or desktop.

5 Third-Party Services

ShiftFeed relies on the following third-party services. No other SDKs, analytics tools, or advertising networks are included.

Supabase (database and authentication backend)

Article metadata, AI briefings, and — for signed-in users — account credentials and per-user feature data (bookmarks, alert rules, custom RSS sources, digest preferences, device tokens) are stored in a Supabase-hosted PostgreSQL database running on AWS infrastructure. All per-user data is scoped by row-level security to the owning account. Anonymous requests use a public publishable key; authenticated requests use a session JWT issued by Supabase Auth.

Supabase privacy policy: supabase.com/privacy

Google Firebase Cloud Messaging

Used to deliver push notifications on Android and iOS. All users receive broadcast topic notifications; no identity is attached. For signed-in Pro users, the device’s FCM registration token is additionally stored server-side to enable targeted push for alert rules and personalised briefings. Subject to Google’s privacy practices.

Google privacy policy: policies.google.com/privacy

RevenueCat (subscription management) — mobile only

Manages Pro subscription entitlements on Android and iOS. After sign-in, the app sends your Supabase user UUID and standard purchase metadata (product ID, store, subscription status) to RevenueCat so your Pro entitlements follow your account across devices. RevenueCat does not receive payment instrument details. Not used on web or desktop.

RevenueCat privacy policy: revenuecat.com/privacy

Apple App Store / Google Play (payment processing) — mobile only

All payment processing for Pro subscriptions is handled entirely by Apple or Google. ShiftFeed never receives or stores card details or payment instruments. Purchases are subject to Apple’s and Google’s respective terms and privacy policies.

Apple privacy policy: apple.com/legal/privacy  ·  Google privacy policy: policies.google.com/privacy

Anthropic Claude (AI briefing generation — server-side only)

The Claude API is used server-side to generate both the curated daily briefing (broadcast to all users) and personalised briefings for Pro users with digest scheduling enabled. The personalised prompt includes the user’s category filter preferences and a list of public article summaries already stored in the database. No email address, user UUID, or other identifying data is included in prompts sent to Anthropic. Users do not interact with Claude directly.

Anthropic privacy policy: anthropic.com/legal/privacy

Resend (transactional email)

Magic-link sign-in emails are delivered via Resend, sent from noreply@shiftfeed.tech. Resend receives your email address solely to deliver the one-time sign-in link. No marketing email is sent through this service.

Resend privacy policy: resend.com/legal/privacy-policy

GitHub Pages (web hosting)

The web version of ShiftFeed is hosted as a static site on GitHub Pages. Visitors may be subject to GitHub’s privacy practices for static site visitors. Account and Pro features are not available on the web version.

GitHub privacy policy: GitHub Privacy Statement

6 International Data Transfers

The developer is based in the Czech Republic. For anonymous users, no personal data is collected or transferred. For signed-in users, limited personal data (email address, user UUID, and user-generated feature content) is stored in Supabase’s AWS-hosted infrastructure and may be processed in the United States or other countries.

The third-party services ShiftFeed relies on — Supabase, RevenueCat, Google Firebase, Anthropic, Apple, Resend, and GitHub — may process data in the US or elsewhere. Please refer to each provider’s privacy policy for details of their data transfer practices and applicable safeguards.

7 Data Retention

Retention depends on the type of data:

  • Account data (email, UUID, auth metadata) persists until you request account deletion.
  • Per-user feature data (bookmarks, alert rules, custom RSS sources, digest preferences, device tokens) is deleted automatically on account deletion via Supabase cascade delete.
  • Anonymous link submissions persist indefinitely as part of the public article catalog, with no user identity attached.
  • Stale FCM tokens are pruned automatically when the platform reports them invalid.
  • Local preferences (theme, UI flags) are removed when you uninstall the app.

Uninstalling the app does not delete your cloud account. To delete your account and all associated data, contact us at the address in Section 12.

8 Your Rights

Because ShiftFeed now holds limited personal data for signed-in users, standard data-subject rights apply. If you are located in the European Union (GDPR) or California (CCPA), you have the following rights:

Access & portability

Email us to request a copy of your data.

Rectification

Most feature data (alert rules, RSS feeds, digest prefs) is editable directly in the app.

Erasure

Request account deletion by email. All per-user data is cascade-deleted.

Withdraw consent

Sign out at any time. Revoke notification permission in OS settings. Cancel Pro via App Store or Google Play.

For anonymous users, data-subject rights are largely not applicable on the developer’s side — there is no personal data held to provide, correct, or delete. Your primary point of control is your device’s system settings.

To exercise any of these rights, contact us at the address in Section 12.

9 Children’s Privacy

ShiftFeed is aimed at software engineers, SREs, and DevOps professionals. Account creation requires an email address and is intended for adult professionals. The app is not directed at children under the age of 13 (or under 16 in jurisdictions where that threshold applies) and does not knowingly collect any data from children.

10 Security

We take reasonable steps to protect the data we do hold:

  • All data in transit between the app and Supabase is TLS-encrypted.
  • Authentication uses Supabase magic-link — no passwords are created or stored.
  • Per-user data is isolated at the database layer via Supabase row-level security policies.
  • The service-role key used by the backend ingestion job is held only server-side and never ships in the app binary.
  • Magic-link sign-in emails are delivered from a verified domain (shiftfeed.tech) with SPF, DKIM, and DMARC records configured.

We recommend keeping your device’s operating system up to date to benefit from the latest platform-level security protections.

11 Changes to This Policy

We may update this Privacy Policy as the app evolves or if legal requirements change. Any changes will be reflected on this page with an updated effective date.

We will not introduce data collection practices that are materially different from those described here without updating this document and, where required by law, obtaining your consent.

12 Contact

Questions, data access requests, or account deletion requests? Please get in touch:

neywa.blake@gmail.com

ShiftFeed  ·  OpenShift & Kubernetes Intelligence  ·  Independent developer  ·  Czech Republic

Web and desktop builds are anonymous read-only. Optional account and paid Pro tier available on Android and iOS.

This policy applies to the Android, iOS, web, and desktop versions of the app.