Privacy Policy

Last updated: July 2026 — Effective immediately upon publication

1. Who we are

DiscoverGit (discovergit.app) is an AI-powered open source intelligence platform. The service is operated as a sole-trader project based in Italy. For any privacy-related request, contact us at staff@discovergit.app.

2. Data we collect

2a. Account registration

  • Email address (required)
  • Username (required)
  • Password (stored as bcrypt hash — we never store your plaintext password)
  • GitHub or Google account ID and public profile data (only if you use OAuth login)
  • Technology stack preferences (languages, topics) — you provide these voluntarily during onboarding

2b. Newsletter subscribers

Email address and digest frequency preference. Nothing else.

2c. Usage data

We use Google Analytics 4 (Google LLC, USA) to measure page views, sessions, and user engagement. Google Analytics sets cookies (see section 8) and may transfer data to Google servers in the USA under Standard Contractual Clauses. You can opt out via the Google Analytics opt-out browser add-on.

We log your IP address in our server access logs. Logs are rotated every 14 days and then deleted. We do not use your IP to build a profile or track you across sessions.

When you click on a repository card, we record an anonymous interaction event (repository ID, section, position in the list, and timestamp). If you are logged in, your user ID is included so we can personalise your feed. We do not share this data with third parties and do not use it for advertising purposes.

3. Why we collect it (legal basis)

  • Contract performance — to provide the service you signed up for (account, digest, alerts)
  • Legitimate interest — aggregated analytics to improve the product
  • Consent — newsletter subscriptions; you can withdraw at any time

4. How we use your data

  • Send the weekly digest and onboarding emails (Resend API)
  • Personalise your homepage feed based on your stack preferences
  • Send alerts you explicitly activated on repository pages
  • Detect abuse and enforce rate limits (IP-based, temporary)

We never sell, rent, or share your personal data with third parties for marketing purposes.

5. Third-party processors

Processor Purpose Data shared
Hetzner Online GmbH (Germany) VPS hosting All data at rest on server
Resend Inc. (USA) Transactional email delivery Email address, name
Plausible Analytics (EU) Privacy-first analytics Anonymised page view data (no cookies)
OpenRouter Inc. (USA) AI API routing (intermediary to Anthropic / OpenAI) Repository metadata (public data only — no user data)
Anthropic / OpenAI (USA) AI analysis generation (via OpenRouter) Repository metadata (public data only — no user data)
GitHub Inc. (USA) OAuth login (optional) Public GitHub profile (if you use GitHub login)
Google LLC (USA) OAuth login (optional) Public Google profile (if you use Google login)
Google LLC (USA) Google Analytics 4 — usage analytics Page views, session data, browser/device info (via cookies)

6. Data retention

  • Account data: retained until you delete your account
  • Newsletter subscription: retained until you unsubscribe
  • Server access logs (nginx): 14-day rolling window, then automatically deleted
  • Application logs (errors, enrichment, cron): 30-day rolling window. These logs may contain repository names and job metadata but do not contain personal data unless an error trace includes a user ID.
  • AI-generated analyses: public content, retained indefinitely as part of the service

7. Your rights (GDPR)

If you are in the EU/EEA, you have the right to:

  • Access — download a full copy of your data from Account → Export data
  • Erasure — delete your account and all associated data from Account → Delete account
  • Rectification — update your email, username and preferences from your profile
  • Portability — your export includes all data in JSON format
  • Objection / restriction — contact us at staff@discovergit.app

We respond to all privacy requests within 30 days. If you believe we have mishandled your data, you have the right to lodge a complaint with your national Data Protection Authority (e.g. the Italian Garante).

8. Cookies

We use one session cookie (PHPSESSID) to keep you logged in. We use one preference cookie (nl_modal_shown) to remember that you dismissed the newsletter popup — it expires after 7 days.

Google Analytics 4 sets the following analytics cookies: _ga (expires 2 years — distinguishes users), _ga_XXXXXXXXX (expires 2 years — maintains session state). These cookies are set by googletagmanager.com and are subject to Google's Privacy Policy. We do not set advertising or retargeting cookies.

We also store one item in your browser's localStorage (dg_font_size) to remember your font size preference. This data never leaves your device and is not accessible to us.

9. Security

All data is transmitted over HTTPS (TLS 1.2+). Passwords are hashed with bcrypt (cost 12). We apply rate limiting on authentication endpoints. Server access is restricted to SSH key auth. We perform regular DB backups stored encrypted on a separate storage node.

10. Changes to this policy

We will notify registered users by email of any material changes at least 14 days before they take effect. The "Last updated" date at the top of this page will reflect the most recent revision.

11. Contact

DiscoverGit
Email: staff@discovergit.app