Privacy Policy
Last updated: July 2026 — Effective immediately upon publication
1. Who we are
DiscoverGit (discovergit.app) is an AI-powered open source intelligence platform. The service is operated as a sole-trader project based in Italy. For any privacy-related request, contact us at staff@discovergit.app.
2. Data we collect
2a. Account registration
- Email address (required)
- Username (required)
- Password (stored as bcrypt hash — we never store your plaintext password)
- GitHub or Google account ID and public profile data (only if you use OAuth login)
- Technology stack preferences (languages, topics) — you provide these voluntarily during onboarding
2b. Newsletter subscribers
Email address and digest frequency preference. Nothing else.
2c. Usage data
We use Google Analytics 4 (Google LLC, USA) to measure page views, sessions, and user engagement. Google Analytics sets cookies (see section 8) and may transfer data to Google servers in the USA under Standard Contractual Clauses. You can opt out via the Google Analytics opt-out browser add-on.
We log your IP address in our server access logs. Logs are rotated every 14 days and then deleted. We do not use your IP to build a profile or track you across sessions.
When you click on a repository card, we record an anonymous interaction event (repository ID, section, position in the list, and timestamp). If you are logged in, your user ID is included so we can personalise your feed. We do not share this data with third parties and do not use it for advertising purposes.
3. Why we collect it (legal basis)
- Contract performance — to provide the service you signed up for (account, digest, alerts)
- Legitimate interest — aggregated analytics to improve the product
- Consent — newsletter subscriptions; you can withdraw at any time
4. How we use your data
- Send the weekly digest and onboarding emails (Resend API)
- Personalise your homepage feed based on your stack preferences
- Send alerts you explicitly activated on repository pages
- Detect abuse and enforce rate limits (IP-based, temporary)
We never sell, rent, or share your personal data with third parties for marketing purposes.
5. Third-party processors
| Processor | Purpose | Data shared |
|---|---|---|
| Hetzner Online GmbH (Germany) | VPS hosting | All data at rest on server |
| Resend Inc. (USA) | Transactional email delivery | Email address, name |
| Plausible Analytics (EU) | Privacy-first analytics | Anonymised page view data (no cookies) |
| OpenRouter Inc. (USA) | AI API routing (intermediary to Anthropic / OpenAI) | Repository metadata (public data only — no user data) |
| Anthropic / OpenAI (USA) | AI analysis generation (via OpenRouter) | Repository metadata (public data only — no user data) |
| GitHub Inc. (USA) | OAuth login (optional) | Public GitHub profile (if you use GitHub login) |
| Google LLC (USA) | OAuth login (optional) | Public Google profile (if you use Google login) |
| Google LLC (USA) | Google Analytics 4 — usage analytics | Page views, session data, browser/device info (via cookies) |
6. Data retention
- Account data: retained until you delete your account
- Newsletter subscription: retained until you unsubscribe
- Server access logs (nginx): 14-day rolling window, then automatically deleted
- Application logs (errors, enrichment, cron): 30-day rolling window. These logs may contain repository names and job metadata but do not contain personal data unless an error trace includes a user ID.
- AI-generated analyses: public content, retained indefinitely as part of the service
7. Your rights (GDPR)
If you are in the EU/EEA, you have the right to:
- Access — download a full copy of your data from Account → Export data
- Erasure — delete your account and all associated data from Account → Delete account
- Rectification — update your email, username and preferences from your profile
- Portability — your export includes all data in JSON format
- Objection / restriction — contact us at staff@discovergit.app
We respond to all privacy requests within 30 days. If you believe we have mishandled your data, you have the right to lodge a complaint with your national Data Protection Authority (e.g. the Italian Garante).
8. Cookies
We use one session cookie (PHPSESSID) to keep you logged in.
We use one preference cookie (nl_modal_shown) to remember that
you dismissed the newsletter popup — it expires after 7 days.
Google Analytics 4 sets the following analytics cookies:
_ga (expires 2 years — distinguishes users),
_ga_XXXXXXXXX (expires 2 years — maintains session state).
These cookies are set by googletagmanager.com and are subject to
Google's Privacy Policy.
We do not set advertising or retargeting cookies.
We also store one item in your browser's localStorage
(dg_font_size) to remember your font size preference. This data never
leaves your device and is not accessible to us.
9. Security
All data is transmitted over HTTPS (TLS 1.2+). Passwords are hashed with bcrypt (cost 12). We apply rate limiting on authentication endpoints. Server access is restricted to SSH key auth. We perform regular DB backups stored encrypted on a separate storage node.
10. Changes to this policy
We will notify registered users by email of any material changes at least 14 days before they take effect. The "Last updated" date at the top of this page will reflect the most recent revision.
11. Contact
DiscoverGit
Email: staff@discovergit.app