Legal

Privacy

Last updated 2026-04-25

This page describes what we collect when you use githosted, why we collect it, where it lives, and how to get it deleted. We try to keep it short. If something is unclear, email support@githosted.dev.

Who we are

githosted is operated by Push Steady AB (556988-4074), a Swedish limited company. We are the data controller for the personal data described below.

What we collect

When you sign in via GitHub or Google OAuth we receive:

• Your name and email address from the OAuth provider
• A stable provider-specific user ID, so we can link future sign-ins to the same account
• Your avatar URL (used in the web admin sidebar — never copied or stored as a file)

When you push code or write files we store:

• The full content of your repositories (this is the service)
• Author name and email on each commit (Git puts these in commit metadata; we don't add them)

When you call our API we record short-lived request logs containing:

• Request path, HTTP status, duration, client IP, request ID
• The token ID used (not the token value — we never log secrets)

Logs are retained for 14 days for debugging and abuse handling, then deleted automatically.

What we don't collect

• We don't run third-party analytics or advertising trackers on the marketing site or the web admin
• We don't read your repository contents to train models or for any purpose other than serving them back to you
• We don't sell your data, and we don't share it with anyone except the sub-processors listed below

Where it lives

• Repository content and metadata: AWS, Stockholm region (eu-north-1)
• Request logs: AWS CloudWatch in the same region, 14-day retention
• Marketing site and web admin assets: Cloudflare's global edge

Sub-processors

The third parties we rely on to deliver the service:

• Amazon Web Services — hosting (compute, storage, logs)
• Cloudflare — DNS, edge caching, marketing-site hosting, web-admin hosting
• GitHub — OAuth login if you choose it
• Google — OAuth login if you choose it

We add new sub-processors only when we need them. If we add one that handles personal data, we'll update this page.

How long we keep things

• Account record: as long as your account exists
• Repository content: as long as the repo exists. Free-plan repos may be removed after extended inactivity — we'll notify you before this happens
• Request logs: 14 days
• Audit / security events: 1 year

Your rights

If you're in the EU/EEA, UK, or another jurisdiction with similar laws, you have the right to:

• Get a copy of the personal data we hold about you
• Correct it if it's wrong
• Have it deleted (this also deletes your repos)
• Object to processing or restrict it
• Lodge a complaint with your local data-protection authority

To exercise any of these, email support@githosted.dev from the address on your account. We'll get back to you within 30 days.

Security

• All traffic is HTTPS-only with TLS terminated at the edge
• Repository content is encrypted at rest
• Tokens are stored as HMAC digests — we cannot recover the original value, only verify it
• Access to production is gated through AWS IAM Identity Center with MFA required

To report a vulnerability, email security@githosted.dev.

Changes to this policy

We'll update the date at the top whenever we change this policy. For material changes affecting how we process personal data we'll notify active users by email at least 14 days before the change takes effect.

Contact

Privacy questions: support@githosted.dev

Security reports: security@githosted.dev