ShiftFeed is an OpenShift and Kubernetes news aggregator developed by an independent developer based in the Czech Republic. It surfaces publicly available articles, GitHub release announcements, Red Hat security advisories, and an AI-generated daily briefing in a single feed.
By using the app you agree to the practices described in this policy.
ShiftFeed does not collect, store, or transmit any of the following, regardless of whether you are signed in or not:
Signed-in users do have an email address and a Supabase user UUID stored — see Section 3. Everything else on the list above is never collected, even with an account.
The app fetches publicly available article metadata — title, URL, source name, summary, tags, and publication date — along with AI-generated daily briefings from a Supabase-hosted database. This content is identical for every reader and contains no user data.
Any user, signed in or not, can submit a public URL via the Submit a Link form. The URL is stored in a submissions table for editorial review. If you are not signed in, no identity is attached to the submission. If you are signed in, your user UUID is associated with the submission for editorial purposes only.
Sign-in is via Supabase magic link — no password. You enter your email address; Supabase sends a one-time sign-in link; tapping it opens the app and establishes a session via a custom URL scheme (shiftfeed://auth-callback). This is not a system permission; it is a deep-link handled by the app.
We store: your email address, a Supabase-issued user UUID, and standard auth metadata (created at, last sign-in timestamp). Your email is used only to deliver the magic link and as the account identifier. We do not send marketing email.
When signed in, bookmarks sync across your devices via a user_bookmarks table keyed to your user UUID. Anonymous users' bookmarks are stored locally on-device only and are never transmitted.
Push notifications operate in two distinct modes depending on sign-in status:
all (daily briefing), security (CVE alerts), and releases (software release alerts) via Firebase Cloud Messaging. These are broadcast to every subscribed device; no identity is attached and no token is stored by the developer.user_device_tokens table linked to your user UUID. This enables the backend to deliver alert-rule matches and personalised briefings directly to your device. Stale tokens are pruned automatically when FCM reports them invalid.The following data is stored only for signed-in Pro users, each in its own Supabase table scoped to your user UUID:
user_alert_rules) — keyword filters, source category filters, and optional CVSS score thresholds you configure.user_rss_sources) — RSS feed URLs you add. The backend fetches these on your behalf and writes resulting articles to the shared articles table tagged as user-submitted. Those articles are visible only to you, enforced by Supabase row-level security.user_digest_prefs) — your chosen delivery hour and your device's IANA timezone string (e.g. Europe/Prague), read from the operating system via the flutter_timezone plugin. We do not derive or store geolocation; the timezone is used only to schedule your briefing at roughly the right local time.Billing is handled entirely by Apple App Store or Google Play. ShiftFeed never sees your card details or payment instrument. Subscription state is managed by RevenueCat, which receives your Supabase user UUID and standard purchase metadata (product ID, store, status) from the platform after sign-in. RevenueCat uses the UUID to link entitlements to your account across devices. No payment data is transmitted to or stored by the developer.
On Android and iOS, tapping an article opens it in an embedded WebView. On web and desktop, it opens in your external browser. Destination websites (Red Hat Blog, Kubernetes Blog, GitHub, etc.) may set their own cookies and log your visit per their own privacy policies. ShiftFeed does not inject scripts, intercept content, or collect anything from these browsing sessions.
Light/dark theme, trial-banner-dismissed state, and similar transient UI flags are stored on-device only using standard platform local storage. They are never transmitted.
Every per-user Supabase table uses auth.uid() = user_id row-level security policies. A signed-in user can only read and write their own rows. The backend ingestion job uses a separate service-role key to write public article rows; that key never ships in the app binary.
shiftfeed://auth-callback scheme to return you to the app after tapping the sign-in link in your email. This is not a system permission; it is registered in the app's manifest and does not require user approval.shiftfeed://auth-callback is registered as a URL scheme in the app's Info.plist. No user approval required.No special permissions are requested. The web version runs as a static site and makes anonymous read requests to the backend database, and also fetches font files from Google's servers (see Section 5). Account features and the Pro tier are not available on web or desktop.
ShiftFeed relies on the following third-party services. No other SDKs, analytics tools, or advertising networks are included.
Article metadata, AI briefings, and — for signed-in users — account credentials and per-user feature data (bookmarks, alert rules, custom RSS sources, digest preferences, device tokens) are stored in a Supabase-hosted PostgreSQL database running on AWS infrastructure. All per-user data is scoped by row-level security to the owning account. Anonymous requests use a public publishable key; authenticated requests use a session JWT issued by Supabase Auth.
Supabase privacy policy: supabase.com/privacy
Used to deliver push notifications on Android and iOS. All users receive broadcast topic notifications; no identity is attached. For signed-in Pro users, the device's FCM registration token is additionally stored server-side to enable targeted push for alert rules and personalised briefings. Subject to Google's privacy practices.
Google privacy policy: policies.google.com/privacy
ShiftFeed uses the Google Fonts service for its typography. Font files (IBM Plex) are not bundled with the app; instead they are fetched at runtime from Google's servers (fonts.gstatic.com) on first launch. This happens on every platform — mobile, web, and desktop — whether or not you are signed in. Google receives the request's IP address and User-Agent in order to deliver the fonts. No account information or app data is sent.
Google privacy policy: policies.google.com/privacy
Manages Pro subscription entitlements on Android and iOS. The RevenueCat SDK initialises on every mobile (Android/iOS) app launch — before any sign-in — creating an anonymous, RevenueCat-generated app-user ID and contacting RevenueCat's backend. Once you sign in, that identity is associated with your Supabase user UUID, and standard purchase metadata (product ID, store, subscription status) is linked so your Pro entitlements follow your account across devices. RevenueCat does not receive payment instrument details. Not used on web or desktop.
RevenueCat privacy policy: revenuecat.com/privacy
All payment processing for Pro subscriptions is handled entirely by Apple or Google. ShiftFeed never receives or stores card details or payment instruments. Purchases are subject to Apple's and Google's respective terms and privacy policies.
Apple privacy policy: apple.com/legal/privacy · Google privacy policy: policies.google.com/privacy
The Claude API is used server-side to generate both the curated daily briefing (broadcast to all users) and personalised briefings for Pro users with digest scheduling enabled. The personalised prompt includes the user's category filter preferences and a list of public article summaries already stored in the database. No email address, user UUID, or other identifying data is included in prompts sent to Anthropic. Users do not interact with Claude directly.
Anthropic privacy policy: anthropic.com/legal/privacy
Magic-link sign-in emails are delivered via Resend, sent from noreply@shiftfeed.tech. Resend receives your email address solely to deliver the one-time sign-in link. No marketing email is sent through this service.
Resend privacy policy: resend.com/legal/privacy-policy
The web version of ShiftFeed is hosted as a static site on GitHub Pages. Visitors may be subject to GitHub's privacy practices for static site visitors. Account and Pro features are not available on the web version.
On all platforms, the app also makes an unauthenticated request to the public GitHub REST API (api.github.com) to read the timestamp of the last successful content update for the "feed freshness" indicator. No user data is transmitted.
GitHub privacy policy: GitHub Privacy Statement
The developer is based in the Czech Republic. For anonymous users, no personal data is collected or transferred. For signed-in users, limited personal data (email address, user UUID, and user-generated feature content) is stored in Supabase's AWS-hosted infrastructure and may be processed in the United States or other countries.
The third-party services ShiftFeed relies on — Supabase, RevenueCat, Google Firebase, Anthropic, Apple, Resend, and GitHub — may process data in the US or elsewhere. Please refer to each provider's privacy policy for details of their data transfer practices and applicable safeguards.
Retention depends on the type of data:
Uninstalling the app does not delete your cloud account. To delete your account and all associated data, contact us at the address in Section 12.
Because ShiftFeed now holds limited personal data for signed-in users, standard data-subject rights apply. If you are located in the European Union (GDPR) or California (CCPA), you have the following rights:
Email us to request a copy of your data.
Most feature data (alert rules, RSS feeds, digest prefs) is editable directly in the app.
Request account deletion by email. All per-user data is cascade-deleted.
Sign out at any time. Revoke notification permission in OS settings. Cancel Pro via App Store or Google Play.
For anonymous users, data-subject rights are largely not applicable on the developer's side — there is no personal data held to provide, correct, or delete. Your primary point of control is your device's system settings.
To exercise any of these rights, contact us at the address in Section 12.
ShiftFeed is aimed at software engineers, SREs, and DevOps professionals. Account creation requires an email address and is intended for adult professionals. The app is not directed at children under the age of 13 (or under 16 in jurisdictions where that threshold applies) and does not knowingly collect any data from children.
We take reasonable steps to protect the data we do hold:
shiftfeed.tech) with SPF, DKIM, and DMARC records configured.We recommend keeping your device's operating system up to date to benefit from the latest platform-level security protections.
We may update this Privacy Policy as the app evolves or if legal requirements change. Any changes will be reflected on this page with an updated effective date.
We will not introduce data collection practices that are materially different from those described here without updating this document and, where required by law, obtaining your consent.
Questions, data access requests, or account deletion requests? Please get in touch: