Security & Data Flow

Audience: Chrome Web Store reviewers, recruiter InfoSec teams, security researchers · Last reviewed 19 May 2026 · Version 1.0.1

TL;DR — DevHire is a read-only candidate-research overlay on PUBLIC github.com profile pages. It never touches LinkedIn, never scrapes private GitHub data, never sends cold emails on the user's behalf, and never transmits the user's GitHub PAT or BYOK Gemini key to our servers.

1. Single purpose statement

DevHire helps technical recruiters source software-engineering candidates from public GitHub profiles by overlaying an AI-generated candidate dossier and a personalised outreach-email draft on github.com/{user} pages. All other features (pipeline tracker, CSV export, status transitions) exist to support that single workflow.

2. What we read

The content script runs only on github.com, and only after the user explicitly grants the optional host permission via Chrome's standard runtime prompt.

Field	Source	Purpose
username, display name, bio, location, company	DOM (publicly visible)	Recruiter context
Public repo count, followers, following	DOM	Recruiter signal
Pinned repos: names, descriptions, languages, stars	DOM	Repo evidence for dossier
Contribution graph total	DOM	Activity signal
Top-3 README intros (≤1,200 chars each)	GitHub REST API `/repos/{owner}/{repo}/readme`	AI evidence

We never read: private repositories (PAT scope validation rejects repo), DMs, settings, non-github.com pages, the recruiter's own account, LinkedIn.

3. Permission justifications

`sidePanel`

Required to display Pipeline + Settings + License panels in Chrome's side panel. The side panel is the primary UI; the toolbar icon opens it.

`storage`

Required to persist saved candidates with status, notes, GitHub PAT, role brief, license tier, daily quota. All on the user's device via chrome.storage.local only. Nothing is synced.

`scripting`

Required to programmatically register the github.com content script after the user explicitly grants host permission. No auto-injection on install.

`optional_host_permissions: ://.github.com/*`

Marked optional. User must click "Allow" on Chrome's runtime prompt before the content script registers.

We do NOT request:

<all_urls> · *://*/* · tabs · activeTab · webNavigation · cookies · webRequest · nativeMessaging · proxy · clipboardWrite

4. What leaves your device

Trigger	Payload	Destination
Activate license	License key + random machine ID	Firebase Function `verifyLicense` (asia-south1)
AI Dossier (Solo / Team)	Candidate's PUBLIC GitHub data + license key	Firebase Function → Google Gemini API
AI Opener (Solo / Team)	Dossier JSON + your role brief + license key	Firebase Function → Google Gemini API
BYOK Agency path	Profile data + your own Gemini key	Google Gemini API directly — we never see it
Team-tier shared PAT call	Whitelisted endpoint path + license key	Firebase Function → GitHub API
Purchase	Email + payment	Lemon Squeezy (Merchant of Record)

We never:

Scrape LinkedIn (or anything except the github.com page you are viewing)
Send emails on your behalf — drafts only
Use proxy rotation or distributed fetching to bypass GitHub rate limits
Transmit your GitHub PAT or BYOK Gemini key to our servers
Use cookies, third-party analytics, or tracking pixels
Sell, share, rent, or otherwise monetise user data

5. PAT scope validation (defense in depth)

When you save a GitHub Personal Access Token in Settings, we validate it with a single GET /user probe and parse the X-OAuth-Scopes response header. We reject tokens with any of:

repo · admin:org · admin:repo_hook · admin:public_key · delete_repo · write:packages · admin:enterprise · site_admin

If a dangerous scope is present, we display an error and refuse to persist the token — even though it would still work for our use case. This protects users who paste an over-scoped token by accident.

6. Compliance posture

Standard	Posture
Chrome Web Store User Data Policy	Compliant — no broad host perms, no transmission of PATs/BYOK keys
GDPR (EU)	Compliant — Lemon Squeezy MoR; export/deletion endpoint
DPDP Act (India)	Compliant — data residency in Mumbai
CAN-SPAM / GDPR cold-email	Not applicable to us — we generate drafts; recruiter sends
GitHub Acceptable Use	Compliant — per-user rate-limited, no proxy rotation, no scraping of private data
LinkedIn ToS	Not applicable — we never touch LinkedIn

7. Local data lifecycle

Data	Retention	Deletion trigger
Saved candidates + notes + status	Until removed or uninstalled	Remove / bulk delete / uninstall
GitHub PAT	Until cleared or uninstalled	Settings clear / uninstall
BYOK Gemini key (Agency)	Same	Same
Daily quota counter	Auto-reset every UTC midnight	Date rollover
License key + tier	Until deactivated or uninstalled	Deactivation / cancellation via Lemon Squeezy

Uninstalling the Extension wipes everything from the user's machine. Server-side residue: license activation record (subscription lifetime + 90 days).

8. Subprocessors

Service	Purpose	Region
Firebase (Google)	Auth + Firestore + Cloud Functions	asia-south1 (Mumbai)
Google Gemini API	LLM inference (Solo/Team proxy; Agency BYOK direct)	Google global
GitHub REST API	Public profile + repo + README enrichment	github.com
Lemon Squeezy	Payments + Merchant of Record tax	US-based
Resend	Transactional email for licenses + team invites	EU

9. Reporting a security issue

Email yogesh@pixelforgehub.pro with [SECURITY] in the subject line. We respond within 24 hours IST. Responsible disclosure: please do not publish the issue until we have had 14 days to investigate and patch.

10. Open-source / inspection

Source code is available for inspection on request to verified Chrome Web Store reviewers, enterprise customers under NDA, and security researchers. Per-release SHA-256 manifest is published alongside each CWS submission.