>_envshare.io

envshare.io legal

Privacy Policy

This policy describes how EnvShare handles account information, project metadata, encrypted environment variable records, invite emails, CLI sessions, audit events, and privacy requests.

Effective date: June 5, 2026

1. Scope

This Privacy Policy explains how envshare.io handles personal information, project metadata, encrypted secret material, CLI authentication records, invite records, access records, and audit records when you use the website, dashboard, hosted API, invite flow, CLI login flow, and @envshare/cli with the hosted service.

EnvShare is a developer tool for teams. It is not directed to children and is not intended for personal consumer recordkeeping, advertising profiles, or storage of regulated personal datasets.

2. Product security model

In the normal CLI workflow, secret values are encrypted locally before upload. EnvShare stores encrypted secret values, encryption metadata, and wrapped data keys, but it does not intentionally receive or store plaintext secret values. The dashboard displays metadata such as project names, file names, key names, versions, update times, members, invites, access grants, and audit events.

Environment variable names, repository metadata, recipient emails, project membership, audit summaries, and access records are not encrypted end-to-end in the same way as secret values. Treat key names and project metadata as visible to authorized project users and EnvShare service infrastructure.

3. Information we collect

  • Account and profile information from GitHub through Firebase, such as user id, email address, display name, GitHub login, and avatar URL when provided by the identity provider.
  • CLI device records, including device id, public key, label, owner user id, creation time, and last-seen time. Device private keys and plaintext local .env files remain on your device unless you separately disclose them.
  • Project and repository metadata, including repository owner, repository name, repository URL, default environment file name, project id, project role, timestamps, and project membership.
  • Encrypted secret records, including ciphertext, nonce, algorithm, authenticated metadata, file name, key name, version, update time, and updater profile.
  • Key envelope, invite, and access data, including wrapped data keys, recipient type, recipient id, invite recipient email, invite token hash, expiration time, acceptance time, revocation time, grant id, device id, and grant expiration.
  • Authentication and session data, including CLI login request records, code challenge data, redirect URI and state for loopback login, approval and consumption timestamps, hashed CLI session tokens, session expiration, and revocation timestamps.
  • Audit data, including project id, actor user id, actor device id, action type, timestamps, and limited metadata such as selected key names, invite email, message text provided with a push, secret ids, grant ids, and counts.
  • Communications you send to EnvShare, including privacy requests, support requests, security reports, and related contact information.
  • Technical and operational data processed by hosting, authentication, database, email, package registry, and security providers, such as IP address, user agent, request logs, error logs, delivery logs, and abuse-prevention signals.

4. Information we do not intentionally collect

  • EnvShare does not intentionally collect plaintext secret values through the normal push, pull, share, and accept workflows.
  • EnvShare does not intentionally collect device private keys. The CLI uses local device key material to decrypt assigned variables.
  • EnvShare does not intentionally collect payment card data, protected health information, government identifiers, biometric data, or consumer credit data.
  • EnvShare does not use advertising cookies, third-party ad pixels, or cross-context behavioral advertising in the current product.

5. How we use information

  • Authenticate users and CLI devices, approve browser-based CLI login, issue and revoke CLI sessions, and protect accounts from unauthorized access.
  • Create, update, delete, and display projects, encrypted variables, members, invites, access grants, and audit events.
  • Deliver invite emails that contain an expiring invite link or token and CLI instructions. Invite emails do not contain plaintext secret values.
  • Enforce role-based permissions, invite expiration, grant expiration, revocation, project limits, abuse controls, and security checks.
  • Operate, debug, secure, and improve EnvShare, including investigating failed requests, abuse, security reports, and service reliability issues.
  • Respond to privacy, support, security, legal, and administrative requests.
  • Comply with legal obligations, enforce the Terms of Service, and protect EnvShare, users, repository owners, and the public.

6. How we share information

EnvShare shares information with service providers that help operate the product. These may include GitHub for identity, Firebase or Google services for authentication, Supabase for database persistence, Resend for invite email delivery, Vercel for hosting, npm for CLI package distribution, and infrastructure providers used by those services.

Project information is shared with authorized users according to project roles, invite records, device envelopes, and access grants. Project owners and administrators may see member profiles, invite recipient emails, selected variable metadata, access grants, and audit records.

We may disclose information when required by law, legal process, or enforceable government request, or when necessary to protect EnvShare, users, repository owners, or the public from abuse, fraud, security threats, or legal claims. We do not sell personal information or share it for cross-context behavioral advertising.

7. International processing

EnvShare and its providers may process information in the United States, Australia, and other countries where the providers or their infrastructure operate. Data protection laws in those countries may differ from the laws where you live.

When international transfer rules apply, EnvShare relies on available legal mechanisms and provider commitments appropriate to the service, such as contractual safeguards, data processing terms, and security measures.

8. Retention and deletion

EnvShare keeps account, project, member, device, invite, access, encrypted secret, key envelope, session, and audit records for as long as needed to provide the service, maintain security, preserve auditability for project administrators, comply with law, resolve disputes, and enforce the Terms of Service.

Deleting selected variables removes their encrypted secret records and dependent key envelopes and grants from the active database. Deleting a project removes the project and dependent membership, encrypted secret, invite, key envelope, invite acceptance, access grant, and audit records from the active database through database relationships. Revoking an invite, access grant, or CLI session marks it revoked and blocks future use where supported.

Removing a member revokes that member's access grants for the project but does not automatically delete project data that belongs to the remaining project members. Already-pulled local .env files, local shell history, logs, copied values, downstream credentials, and third-party systems cannot be recalled by EnvShare. Rotate external credentials when deletion or revocation must invalidate a secret outside EnvShare.

Backups, provider logs, security logs, and transactional email records may persist for a limited period after active deletion. We may retain limited records where required for legal compliance, security, fraud prevention, dispute resolution, or enforcement.

9. Your choices and rights

You may request access to, correction of, deletion of, or export of personal information associated with your EnvShare account by contacting contact@netwitx.co. We may need to verify your identity and account authority before acting on a request.

Depending on where you live, you may also have rights to object to or restrict processing, withdraw consent where processing is based on consent, appeal or complain about a response, receive a portable copy of certain information, or avoid discrimination for exercising privacy rights. EnvShare will honor applicable privacy rights required by law.

California residents may request to know, access, delete, correct, and receive information about use and disclosure of personal information, and may exercise the right to non-discrimination. EnvShare does not sell personal information or share it for cross-context behavioral advertising, so it does not provide a separate sale/share opt-out flow in the current product.

European Economic Area, United Kingdom, and Swiss users may have rights of access, rectification, erasure, restriction, portability, objection, and complaint to a supervisory authority. EnvShare does not use personal information for automated decisions that produce legal or similarly significant effects.

10. Security

EnvShare uses technical and organizational measures designed for a developer secret-sharing product, including local encryption in the CLI workflow, token hashing, expiring login requests, PKCE verification for CLI browser login, scoped invites, access grants, revocation records, service-side authorization checks, and audit events.

No service is perfectly secure. You are responsible for protecting your GitHub account, CLI device, local credential store, local .env files, invite tokens, repository permissions, CI logs, shell history, and downstream credentials. Do not send plaintext secrets in support, privacy, or security emails.

11. Children

EnvShare is intended for developer teams and is not directed to children under 16. If you believe a child provided personal information to EnvShare, contact us so we can review and delete it where appropriate.

12. Changes and contact

We may update this Privacy Policy to reflect product, legal, operational, or security changes. The effective date at the top of the page shows when the current version took effect. If a change materially affects how EnvShare handles personal information, we will use reasonable product or email channels to provide notice when practical.

Privacy questions, access requests, correction requests, deletion requests, and complaints can be sent to contact@netwitx.co.