# legal

Privacy Policy

Last updated: 2026-07-05 · git-to-x.com, operated by Manoj Surya

The short version

git-to-x reads commit metadata from your GitHub repo and uses it to generate a stat card that posts to your X account. We never read your source code, never sell your data, and never post without your explicit connection and consent. You can delete everything by disconnecting.

What we collect

GitHub account basics

When you sign in with GitHub, we receive your GitHub user ID, display name, email address, and profile image via OAuth. This is standard OAuth — the same information any "Sign in with GitHub" integration receives.

Repository metadata — commit stats only

We access your repository through a read-only GitHub App installation. For each posting window we fetch: commit count, commit messages, additions count, deletions count, files-changed count, and committer timestamps. We do not read file contents, diff text, or any other repository data. These aggregate numbers are stored in your post history as JSON stats.

X account tokens

When you connect X we store your X user ID, X handle, and OAuth 2.0 access and refresh tokens. Tokens are encrypted at rest using libsodium sealed boxes (curve25519xsalsa20poly1305) before being written to the database. The decryption key never leaves the server environment.

Rendered card images

Each post generates a 1600 × 900 PNG card from your commit stats. Cards are stored on Vercel Blob and linked in your post history. They contain only your public stats — no code, no secrets.

Post history and usage counts

We store a record for every post attempt: date, status (posted / skipped / failed), the tweet ID, the card image URL, the stats JSON, and any error message. We also track your monthly post count to enforce plan limits.

Settings and preferences

Posting mode (auto / manual / custom), post time, timezone, card template choice, and recap toggles.

Email address (optional)

From your GitHub OAuth profile. Used only for transactional emails (e.g. "X reconnect required", "post failed") and, if you opt in, the waitlist newsletter. We never send marketing email without your opt-in.

What we never do

  • ×Read or store your source code, file contents, or diff text.
  • ×Post to X without an active connection and your explicit setup.
  • ×Sell, rent, or share your data with third parties for advertising.
  • ×Write to or modify your GitHub repository in any way.
  • ×Store X or GitHub tokens in plaintext.

Third-party processors

Running a hosted service means data passes through infrastructure providers. Here is who they are and what they touch:

Vercel

Web app hosting + Vercel Blob (rendered card image storage)

Railway

Worker compute + PostgreSQL database (all user data)

X / Twitter API

Posting tweets and media on your behalf, using your OAuth tokens

GitHub API

Reading commit metadata from your chosen repository

Resend

Transactional email delivery (reconnect / failure alerts)

DodoPayments

Payment processing for paid plans — we never see your card number

Cookies and tracking

We use a single session cookie to keep you logged in (managed by Auth.js). There are no ad-tracking cookies, third-party analytics cookies, or persistent identifiers beyond your session token. If you do not sign in, no cookies are set.

Data deletion

You can disconnect GitHub or X at any time from Settings. Disconnecting X immediately revokes our access and deletes your stored tokens. Deleting your account removes all associated data from our database — tokens, post history, settings, and rendered cards — within 30 days.

To request full deletion, email hello@git-to-x.com. We will confirm and complete the deletion within 7 days.

Security

OAuth tokens are encrypted at rest using libsodium sealed boxes before database storage. The database (Railway Postgres) is not publicly accessible. TLS is enforced on all connections. We follow the principle of least privilege for all API scopes — the GitHub App requests read-only access to contents and metadata; the X OAuth scope is limited to what is needed to read and post tweets.

Changes to this policy

Material changes will be announced via the email on your account and noted with an updated date at the top. Continued use after the effective date constitutes acceptance.

Contact

Questions about this policy: hello@git-to-x.com

© 2026 git-to-x · Terms · Home