Privacy Policy

Handshake ("we", "our", "us") operates the Handshake API contract testing platform. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service.

We collect information in the following categories:

• GitHub OAuth data — When you sign in with GitHub, we receive your GitHub user ID, username, email address, and avatar URL. We do not request access to your private repositories.
• Usage data — We collect information about how you interact with the platform, including pages visited, features used, and timestamps.
• API contract specifications — When you upload OpenAPI specifications, we store them to provide contract validation, mock server generation, and diff analysis services.
• CI validation results — We store the results of contract validation runs including endpoint status, response schemas, and validation errors.

We use the information we collect to:

• Provide, operate, and maintain the Handshake platform
• Authenticate your identity via GitHub OAuth
• Validate API contracts against your specifications
• Generate mock servers from your contract definitions
• Display CI validation results and contract history
• Enforce plan-based usage limits and quotas
• Send essential service communications (e.g., security alerts)

We do not sell your personal information. We may share data only in these circumstances:

• Team members — Contract specifications and CI results are visible to members of your team based on their role.
• Service providers — We use third-party infrastructure providers (hosting, database, caching) to operate the platform. These providers process data on our behalf under strict agreements.
• Legal requirements — We may disclose information if required by law, regulation, or legal process.

We implement industry-standard security measures to protect your data, including:

• HTTPS encryption for all data in transit
• Bcrypt hashing for API keys (raw keys are never stored)
• HTTP-only cookies for authentication tokens
• Security headers via Helmet on all API services
• Rate limiting to prevent abuse
• Tenant isolation — all data is scoped by team

Handshake uses the following cookies for authentication and session management only. We do not use tracking or advertising cookies.

• hs-access-token — JWT access token (HTTP-only, session-scoped, 15-minute expiry)
• hs-refresh-token — JWT refresh token (HTTP-only, session-scoped, 7-day expiry)
• hs-user — Serialized user display info (session-scoped)
• hs-current-team — Current team selection (session-scoped)

We retain your data for as long as your account is active. Contract specifications, CI run history, and team data are retained until you delete them or close your account. Upon account deletion, we remove your personal data within 30 days.

You have the right to:

• Access the personal data we hold about you
• Request correction of inaccurate data
• Request deletion of your account and associated data
• Export your contract specifications
• Withdraw consent for data processing

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page with a revised "Last updated" date.

If you have questions about this Privacy Policy, contact us at privacy@handshake.dev.

Read our Terms of Service →