Privacy Policy
Last Updated: December 22, 2024
Overview
RunnerForge ("we", "our", or "us") is a CI/CD runner management platform. This privacy policy explains how we handle your information when you use RunnerForge.
Information We Collect
Authentication Data
When you sign in with GitHub or Google, we receive:
- •Your email address
- •Your display name
- •OAuth access tokens (stored securely, used only for API access)
GitHub Integration
When you connect your GitHub account, we access:
- •Repository names and metadata (to configure runners)
- •Workflow job information (to provision and manage runners)
- •Organization membership (to verify repository access)
We do not access your source code content.
Google Cloud Platform Integration
When you connect your Google account, we request the cloud-platform scope to:
- •List your GCP projects (to select where to provision runners)
- •Create a dedicated service account in your project for runner provisioning
- •Grant IAM roles to the service account (Compute Admin, Service Account User)
- •Create and manage Compute Engine VM instances for your runners
Why we need the cloud-platform scope:
RunnerForge provisions GitHub Actions self-hosted runners as VMs in your GCP project. To do this automatically when your workflows trigger (via webhooks), we need to create and use a service account with permissions to manage Compute Engine instances.
How we handle your GCP credentials:
- •Your Google OAuth tokens are stored in HTTP-only cookies (access token: 1 hour, refresh token: 7 days)
- •During setup, we create a dedicated service account in your GCP project
- •The service account key is encrypted (AES-256) and stored securely
- •This key enables us to provision VMs when webhooks arrive (you don't need to be logged in)
- •You can disconnect your GCP integration at any time, which deletes the stored credentials
Usage Data
We collect:
- •Runner provisioning and execution metrics (start time, duration, machine type)
- •Cost tracking data for billing and analytics
- •GitHub username associated with workflow runs
- •Error logs for debugging and platform improvement
How We Use Your Information
We use collected information to:
- •Authenticate you to the platform
- •Provision and manage self-hosted GitHub Actions runners
- •Display usage statistics and cost information
- •Improve platform reliability and performance
Data Storage
Your data is stored securely in our infrastructure:
- •PostgreSQL database (runner configurations, usage records)
- •Encrypted storage for GCP service account keys (AES-256)
- •Your browser (HTTP-only cookies for OAuth tokens)
We communicate with external services only as needed:
- •GitHub API (for authentication, repository access, and runner management)
- •Google Cloud API (for project listing, service account creation, and VM provisioning)
Data Retention
- Google OAuth tokens:Access token expires after 1 hour; refresh token expires after 7 days
- GitHub OAuth tokens:Login session managed by NextAuth; repository token expires after 7 days
- GCP service account keys:Stored (encrypted) until you disconnect your GCP integration or delete the runner configuration
- Runner configurations:Retained until you delete them
- Usage records:Retained for 90 days for billing and analytics
Third-Party Services
RunnerForge integrates with:
- •GitHub: For authentication and repository access (GitHub Privacy Policy)
- •Google Cloud Platform: For VM provisioning (Google Privacy Policy)
Your Rights
You have the right to:
- •Disconnect your GitHub and Google integrations at any time
- •Delete your runner configurations and associated data
- •Revoke OAuth access via GitHub/Google account settings
- •Request information about what data we store about you
- •Request deletion of your account and all associated data
Security
We implement security measures including:
- •HTTPS encryption for all connections
- •HTTP-only cookies for OAuth tokens (prevents JavaScript access)
- •AES-256 encryption for stored GCP service account keys
- •Short-lived access tokens (1 hour for Google)
- •Secure cookie attributes in production (Secure, SameSite)
Changes to This Policy
We may update this policy occasionally. Changes will be posted on this page with an updated date.
Contact
For privacy questions or concerns, contact us at support@runnerforge.com
This privacy policy applies to the RunnerForge platform.