Security & Privacy
Full House holds a personal access token (PAT) on your behalf so it can talk to YouTrack. Here's exactly how we protect it, what we log, and what your options are.
How your token is stored
When you sign in with a YouTrack PAT, the token is encrypted with AES-256-GCM using a server-held master key. The encrypted bytes go into our database; the master key never leaves the application server.
- Algorithm: AES-256-GCM with a 12-byte random IV per token.
- Master key: 32 bytes, held in the deployment's secret store (Vercel env).
- Token is decrypted only at the moment a YouTrack API call needs to run, then discarded.
- Tokens are never logged, never sent to analytics, and never visible in error messages.
Password protection (optional)
You can opt in to encrypting your token with a password we never see. When enabled, your token is encrypted in your browser with a key derived from your password (PBKDF2-SHA256, 600,000 iterations, AES-256-GCM). We store only the ciphertext and a random salt. Without your password, even an attacker with full database + server-secret access cannot decrypt your token.
The trade-offs:
- You must enter your password to sign in each time.
- If you forget your password, you must revoke your PAT in YouTrack and sign up again — there is no recovery.
- Real-time sessions you already have open keep working until you close the tab; the decrypted token lives only in browser sessionStorage.
Toggle this from Settings → Token encryption after signing in.
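The browser-side scheme described in this section, as an added example (not Full House's own code): a key derived with PBKDF2-SHA256 at 600,000 iterations encrypts the token with AES-256-GCM, and only salt, IV and ciphertext are kept. The salt length, the IV length, the base64 record layout and all function names are assumptions of this example.

```javascript
// Added example: password-based token encryption with the parameters named above.
const PBKDF2_ITERATIONS = 600000; // from the page
const SALT_BYTES = 16;            // assumption: the page does not state the salt length
const IV_BYTES = 12;              // assumption: same 12-byte IV as the server-side scheme

// Web Crypto in browsers; falls back to node:crypto's webcrypto on older Node versions.
async function getCrypto() {
  return globalThis.crypto?.subtle ? globalThis.crypto : (await import('node:crypto')).webcrypto;
}

const toB64 = (bytes) => btoa(String.fromCharCode(...new Uint8Array(bytes)));
const fromB64 = (s) => Uint8Array.from(atob(s), (c) => c.charCodeAt(0));

// Password -> non-extractable AES-256-GCM key.
async function deriveKey(wc, password, salt) {
  const material = await wc.subtle.importKey(
    'raw', new TextEncoder().encode(password), 'PBKDF2', false, ['deriveKey']);
  return wc.subtle.deriveKey(
    { name: 'PBKDF2', hash: 'SHA-256', salt, iterations: PBKDF2_ITERATIONS },
    material, { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
}

// Returns the only fields a server needs to store: salt, IV, ciphertext (GCM tag appended).
async function encryptToken(password, token) {
  const wc = await getCrypto();
  const salt = wc.getRandomValues(new Uint8Array(SALT_BYTES)); // fresh per encryption
  const iv = wc.getRandomValues(new Uint8Array(IV_BYTES));     // never reused with a key
  const key = await deriveKey(wc, password, salt);
  const ct = await wc.subtle.encrypt(
    { name: 'AES-GCM', iv }, key, new TextEncoder().encode(token));
  return { salt: toB64(salt), iv: toB64(iv), ciphertext: toB64(ct) };
}

// Resolves to the token, or to null when the password is wrong or the record was
// altered: the GCM tag check fails in both cases and the two are indistinguishable.
async function decryptToken(password, record) {
  const wc = await getCrypto();
  const key = await deriveKey(wc, password, fromB64(record.salt));
  try {
    const pt = await wc.subtle.decrypt(
      { name: 'AES-GCM', iv: fromB64(record.iv) }, key, fromB64(record.ciphertext));
    return new TextDecoder().decode(pt);
  } catch {
    return null;
  }
}
```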
What we store about you
- Your YouTrack user ID, login, display name, email, and avatar URL (fetched from /users/me).
- Your workspace URL (so we know which YouTrack to talk to).
- Your encrypted PAT.
- Session data: votes, estimates, comments — tied to your YouTrack identity.
We do not store the plaintext of any YouTrack issue body beyond what's needed to display it in the room.
What we send to third parties
- YouTrack — the workspace you signed in with. Standard REST API calls authenticated by your PAT.
- Pusher Channels — real-time room events (who voted, when, what they cast). Pusher's privacy policy applies; no PATs cross this boundary.
- Vercel Analytics & Speed Insights — privacy-friendly, cookieless usage and performance metrics: page views, referrer, country, device and browser type, and Web Vitals. Data is aggregated and anonymous, with no cookies and no cross-site tracking. No PATs or personal YouTrack data cross this boundary.
- No advertising networks, no cross-site trackers, no cookies.
Your options
- Revoke your PAT in YouTrack at any time (Profile → Account Security). The next call from Full House will fail with 401.
- Sign out — clears your session cookie. Your encrypted token stays in our database until you delete it.
- Delete your account from settings — removes your token row and all rooms you created. Sessions you joined as a voter stay anonymized.
- Enable password protection from Settings to make your token un-decryptable without your password (details above).
Reporting issues
Found a vulnerability? Open a private security advisory in our GitHub repo or email the maintainer. We take responsible disclosure seriously.