GitBlixt

Privacy Policy

Effective date: April 14, 2026

This Privacy Policy explains how GitBlixt ("we", "us", "our") collects, uses, and protects your information when you use the hosted GitBlixt service at gitblixt.com ("the Service").

Self-Hosted Instances

If you are running a self-hosted GitBlixt instance, this Privacy Policy does not apply to your instance. Your data stays entirely on your own infrastructure. GitBlixt (the project) does not receive any telemetry, usage data, or personal information from self-hosted instances. You are responsible for your own privacy practices and for informing your users accordingly.

The remainder of this policy applies only to the hosted Service.

1. Information We Collect

Information You Provide

  • Account information: username, email address, and password when you register. Optionally: display name, bio, avatar, and social links.
  • Content: code, files, issues, merge requests, comments, wiki pages, snippets, and any other materials you upload or create on the Service.
  • SSH keys: public keys you add for Git access. We store the key and its fingerprint.
  • Personal access tokens: token names and scopes. Token values are hashed and cannot be viewed after creation.
  • AI credentials: if you use the AI assistant, your Anthropic API key or OAuth token. These are encrypted at rest with AES-256-GCM and never stored in plaintext.
  • Deployment configuration: domains, environment variables, and secrets you configure for app deployment. Environment variables are encrypted at rest.
  • Import credentials: OAuth tokens for GitHub or GitLab used during repository import. These are stored encrypted and used only for the import process.

Information Collected Automatically

  • Server logs: IP address, browser user agent, pages visited, and timestamps. These are standard web server logs used for security and debugging.
  • Git activity: push, pull, and clone events, including timestamps and IP addresses.
  • Application logs: if you use the PaaS deployment feature, your application's stdout/stderr output is captured and stored.

Information We Do Not Collect

  • We do not use third-party analytics or tracking services
  • We do not use advertising cookies or tracking pixels
  • We do not sell or share your information with data brokers
  • We do not process the contents of your private Repositories for any purpose other than providing the Service

2. How We Use Your Information

  • Providing the Service: storing and serving your repositories, processing Git operations, rendering the web interface, running CI/CD pipelines, deploying applications, delivering notifications.
  • Account management: authentication, authorization, session management, password resets, and email confirmations.
  • Security: detecting and preventing abuse, unauthorized access, spam, and other malicious activity.
  • Communication: sending you notifications you have opted into (e.g. issue updates, merge request activity). We do not send marketing emails.
  • Maintenance: debugging, performance monitoring, and infrastructure management.

3. Repository Data

Private Repositories

We treat the contents of private Repositories as confidential. Our personnel do not access private Repository contents except:

  • When required by law or legal process
  • When you have explicitly authorized access (e.g. by enabling the AI assistant)
  • When necessary to maintain the security and integrity of the Service
  • When providing support you have requested

Public Repositories

Content in public Repositories is visible to anyone, including non-registered visitors. If you make a Repository public, its contents, issues, merge requests, and other associated data become publicly accessible.

Forked and Cloned Repositories

If another User forks or clones your public Repository, that copy is controlled by them. Deleting your original Repository does not delete existing forks or clones.

4. AI Feature Data Handling

When you use the AI assistant (Fix with AI, Review with AI), the following data is sent to Anthropic's API:

  • Repository source code relevant to the task
  • Issue or merge request content (title, description, comments)
  • Diff content for code reviews

This data is sent using your API key or OAuth token, not ours. We do not have access to your Anthropic account or billing. Please review Anthropic's Privacy Policy for details on how they handle data sent to their API.

AI job logs (the output of Claude Code running in a container) are stored on the Service and visible to you in the web interface.

5. Backups

We perform regular backups of the database, Git repositories, and uploaded files to ensure data durability. Backups may be stored on local disk or in cloud storage (e.g. Amazon S3). Backup data is subject to the same access controls and confidentiality protections as live data.

6. Data Sharing

We do not sell your personal information. We may share data in these limited circumstances:

  • With your consent: when you explicitly authorize sharing (e.g. making a Repository public, connecting an OAuth provider).
  • Service providers: we may use third-party infrastructure providers (hosting, email delivery, cloud storage) who process data on our behalf under contractual obligations to protect it.
  • Legal requirements: we may disclose information if required by law, regulation, or legal process.
  • Safety: we may disclose information if we believe in good faith that it is necessary to prevent harm to individuals or the public.

7. Data Retention

  • Account data: retained as long as your Account is active. When you delete your Account, we delete your personal information, private Repositories, and associated data within 30 days.
  • Public contributions: issues, comments, and merge request activity you contributed to other Users' Repositories may be retained but attributed to a placeholder account after your Account is deleted.
  • Server logs: retained for up to 90 days, then deleted.
  • Application logs: retained for the lifetime of the deployment environment, or until you delete them.
  • Backups: may contain your data for the backup retention period (typically 30 days for automated backups).

8. Data Security

We protect your data through:

  • Encryption at rest: sensitive data (API keys, OAuth tokens, environment variables, app secrets) is encrypted with AES-256-GCM.
  • Encryption in transit: all connections use HTTPS/TLS. SSH connections use standard SSH encryption.
  • Access controls: repository access is enforced through role-based permissions (owner, maintainer, developer, reporter, guest).
  • Password hashing: passwords are hashed with bcrypt and never stored in plaintext.
  • Token hashing: personal access tokens are hashed after creation and cannot be retrieved.
  • Isolation: AI assistant jobs run in isolated Docker containers with no access to other Repositories.

No system is perfectly secure. While we take reasonable measures to protect your data, we cannot guarantee absolute security.

9. Cookies

The Service uses cookies only for essential functionality:

  • Session cookie: maintains your login session. This is a first-party, HTTP-only, secure cookie that expires when you log out or after the session timeout.
  • CSRF token: protects against cross-site request forgery attacks.

We do not use analytics cookies, advertising cookies, or third-party tracking cookies.

10. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal information:

  • Access: request a copy of the data we hold about you
  • Correction: update inaccurate information
  • Deletion: request deletion of your Account and data
  • Portability: export your data (you can clone your Repositories and download your data at any time)
  • Objection: object to certain processing of your data

To exercise these rights, contact us at [email protected]. We will respond within 30 days.

11. Children's Privacy

The Service is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If we become aware that we have collected such information, we will delete it promptly.

12. International Data Transfers

The Service is hosted in the European Union. If you access the Service from outside the EU, your data may be transferred to and processed in the EU. By using the Service, you consent to this transfer.

13. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by posting a notice on the Service or sending an email at least 30 days before the changes take effect. The effective date at the top of this page indicates when the policy was last updated.

14. Contact

If you have questions about this Privacy Policy or our data practices, contact us at [email protected].