Privacy Policy

Last updated: May 12, 2026

Introduction

Frost (operated by Infinitlab; "we," "our," or "us") provides incident-aware merge protection for GitHub repositories. This Privacy Policy explains what data we collect, how we use it, and the choices you have.

Information We Collect

From GitHub (when you sign in or install the GitHub App)

  • GitHub user ID, login (username), and avatar URL
  • Email address, if provided by GitHub during OAuth
  • Organization memberships and roles
  • Repository metadata (ID, name, default branch, visibility, owner) for repos where Frost is installed
  • Pull request metadata (number, title, author, head/base branch names, head commit SHA)
  • Check run state created by Frost on your repositories

Frost does not store GitHub user OAuth tokens. Authentication is verified at sign-in, and only your GitHub user ID and login are persisted. All GitHub API calls use short-lived installation tokens generated on demand from the GitHub App's private key.

From connected incident management providers (PagerDuty, incident.io, generic webhooks)

  • Incident metadata: external ID, severity, status, title, html_url, triggered/acknowledged/resolved timestamps
  • Service mappings (which external services map to which repositories in your account)

From Slack (when you connect a workspace)

  • Slack team ID, name, and domain
  • Slack user mappings (Slack user IDs paired with Frost users for direct-message notifications)
  • Channel subscriptions you select for protection notifications

Slack OAuth bot tokens are encrypted at rest.

From GitHub Marketplace (when you subscribe to a paid plan)

  • GitHub account ID, login, and account type (organization or user)
  • Plan ID, billing cycle, next billing date, and free trial status

Frost does not collect or store payment card information. All billing is processed by GitHub.

Generated by your use of Frost

  • Protection configuration (scheduled freezes, daily windows, incident rules, override labels, branch settings)
  • Audit logs of configuration and protection events
  • Notification preferences

Information We Do NOT Collect

  • Source code, file contents, or commit diffs
  • Build logs, test results, or CI artifacts
  • Browsing activity outside of Frost
  • Personal data unrelated to your GitHub usage

We do not sell, rent, or share your data with third parties for marketing purposes.

How We Use Your Information

  • Provide incident-aware merge protection on your repositories
  • Create and update GitHub status checks on pull requests
  • React to incident events from connected providers and apply your configured protection rules
  • Send notifications to Slack channels you have subscribed
  • Display your repositories, organizations, and incidents in the Frost dashboard
  • Authenticate you when signing in
  • Maintain audit logs for security and post-incident review
  • Process subscription state from GitHub Marketplace and gate features by plan tier

Data Storage and Security

  • All data is stored on servers managed by Hatchbox.io in the United States.
  • Sensitive credentials (incident webhook secrets, Slack OAuth bot tokens) are encrypted at rest using Rails 8 encrypted attributes.
  • All traffic uses HTTPS/TLS.
  • Every inbound webhook (GitHub, PagerDuty, incident.io, Slack) verifies HMAC-SHA256 signatures before processing.
  • Frost requests only the GitHub permissions required to manage check runs and read pull request metadata.

Data Retention

  • Account-level data (organizations, repositories, configurations) is retained for the lifetime of your account.
  • Audit logs are retained while the account is active. Retention windows may vary by plan tier.
  • Upon account deletion or uninstallation, all customer data is permanently removed within 90 days.

Sub-processors and Third-Party Services

We use the following sub-processors to operate the Service:

  • Hatchbox.io — application hosting (United States)
  • Cloudflare — edge, DNS, and object storage (R2)
  • Bugsnag — error monitoring
  • Slack — notification delivery (when notifications are enabled)

Customer-initiated integrations (data flows from these to Frost when you connect them):

  • PagerDuty
  • incident.io

Each provider has its own privacy policy governing its use of your data.

Your Rights (GDPR / CCPA)

You have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate data
  • Request deletion of your data
  • Export your data in a portable format
  • Withdraw consent for optional integrations (PagerDuty, incident.io, Slack)
  • Uninstall the Frost GitHub App at any time from your GitHub settings
  • Opt out of email or Slack notifications

To exercise any of these rights, contact us at [email protected].

Data Residency

All Frost data is stored and processed in the United States. If you are located in the European Economic Area, the United Kingdom, or another jurisdiction with data transfer restrictions, your data may be transferred to and processed in the United States.

Children's Privacy

Frost is not intended for use by individuals under the age of 16. We do not knowingly collect personal information from children.

Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be posted on this page with an updated "Last updated" date. Continued use of the Service after changes constitutes acceptance of the updated policy.

Contact Us

If you have questions about this Privacy Policy or your data, contact us at:

[email protected]