Privacy Policy
Last updated: June 2026
This Privacy Policy explains how Branchless ("we", "us") collects, uses, and protects your personal data when you use the Branchless website, web dashboard, API, and desktop application (together, the "Service"). We are the data controller for the personal data described here. We are committed to processing personal data in accordance with the EU General Data Protection Regulation (GDPR), the Serbian Law on Personal Data Protection, and other applicable law including the EU Artificial Intelligence Act (AI Act). We have appointed a Data Protection Officer (DPO) to oversee our data protection practices (see section 8).
1. Data We Collect
- Account data: your name, email address, and avatar, provided either through Google or GitHub sign-in (we receive your provider account ID) or when you register with an email and password. Passwords are never stored in plain text; they are salted and hashed.
- Authentication data: a session token stored in a strictly necessary cookie (
bl_session) to keep you signed in. - Subscription & billing data: your plan, subscription status, billing period, and the identifiers our payment provider assigns to your subscription. We never receive or store your card details. Payments are handled entirely by Lemon Squeezy.
- Service metadata: session names, repository paths, and branch names registered by the desktop app, used to enforce plan limits.
- Technical data: request logs (such as IP address and user agent) kept for security, abuse prevention, and debugging.
2. What We Do Not Collect
We do not access, read, or store the contents of your code, files, or git history. Your repositories and worktrees stay on your machine. We do not sell your personal data, and we do not use it for advertising or profiling.
3. How We Use Your Data & Legal Bases
We process your personal data on the following legal bases under Article 6 GDPR:
- Performance of a contract: to create and operate your account, authenticate you, provide the Service, and enforce plan limits.
- Performance of a contract / legal obligation: to process payments, manage subscriptions, and issue invoices.
- Legitimate interests: to secure the Service, prevent abuse, debug issues, and communicate essential service or account information. Where we send transactional emails (e.g. email verification, password reset), this is necessary to operate your account.
- Consent: where required for any optional communications; you may withdraw consent at any time.
4. Service Providers (Processors)
We share personal data only with the providers needed to run the Service, each acting under their own privacy terms:
- Cloudflare: hosting, edge delivery, and database (Cloudflare D1) where your account and subscription data are stored.
- Lemon Squeezy: our payment provider and Merchant of Record. Lemon Squeezy processes your payment, handles applicable sales tax/VAT, and issues your receipt.
- Resend: delivery of transactional emails (verification, password reset, account notices).
- Google / GitHub: only if you choose to sign in with them, to authenticate you and provide your basic profile.
5. International Transfers
Some of our providers are located outside Serbia and the European Economic Area. Where personal data is transferred internationally, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses or an adequacy decision, as offered by those providers.
6. Data Retention
We retain your account and subscription data for as long as your account is active. Service metadata is kept until you delete the relevant session or your account. Technical logs are kept only for a limited period for security and debugging. When you delete your account, we delete your associated personal data, except where we must retain certain records (e.g. billing records) to comply with legal obligations.
7. Your Rights
Under the GDPR and Serbian data protection law, you have the right to:
- access the personal data we hold about you;
- rectify inaccurate or incomplete data;
- erase your data ("right to be forgotten"): you can delete your account at any time, which removes your associated data;
- restrict or object to certain processing;
- data portability;
- withdraw consent where processing is based on consent.
To exercise these rights, contact us at branchlessdev@gmail.com. We will respond within 30 days. You also have the right to lodge a complaint with a supervisory authority. In Serbia, the Commissioner for Information of Public Importance and Personal Data Protection (Poverenik), or your local Data Protection Authority within the EU.
8. Data Protection Officer
We have appointed a Data Protection Officer (DPO) responsible for overseeing compliance with this policy and applicable data protection law, and for handling your privacy enquiries and rights requests. You can reach our DPO at branchlessdev@gmail.com.
9. AI Features and the EU AI Act
Branchless includes AI-assisted features. We are committed to using AI responsibly and in accordance with applicable law, including the EU Artificial Intelligence Act. We aim to be transparent about when you are interacting with AI-generated output, we do not use your personal data to train third-party foundation models without a lawful basis, and we do not use the Service for prohibited AI practices. AI suggestions may be imperfect and should be reviewed by you before you rely on them.
10. Cookies
We use only strictly necessary cookies to keep you signed in. We do not use advertising or tracking cookies. See our Cookie Policy for details.
11. Security
We use industry-standard safeguards including encrypted connections (HTTPS), salted-and-hashed passwords, signed session tokens, and access controls. No method of transmission or storage is 100% secure, so we cannot guarantee absolute security.
12. Children
The Service is not directed to children under 16, and we do not knowingly collect their personal data. If you believe a child has provided us data, contact us and we will delete it.
13. Changes to This Policy
We may update this policy from time to time. We will notify you of significant changes by email or via the Service. The "Last updated" date above reflects the latest revision.
14. Contact
Privacy questions or requests? Contact us (or our Data Protection Officer) at branchlessdev@gmail.com.