# legal
Privacy Policy
Last updated: 2026-07-05 · git-to-x.com, operated by Manoj Surya
The short version
git-to-x reads commit metadata from your GitHub repo and uses it to generate a stat card that posts to your X account. We never read your source code, never sell your data, and never post without your explicit connection and consent. You can delete everything by disconnecting.
What we collect
GitHub account basics
When you sign in with GitHub, we receive your GitHub user ID, display name, email address, and profile image via OAuth. This is standard OAuth — the same information any "Sign in with GitHub" integration receives.
Repository metadata — commit stats only
We access your repository through a read-only GitHub App installation. For each posting window we fetch: commit count, commit messages, additions count, deletions count, files-changed count, and committer timestamps. We do not read file contents, diff text, or any other repository data. These aggregate numbers are stored in your post history as JSON stats.
X account tokens
When you connect X we store your X user ID, X handle, and OAuth 2.0 access and refresh tokens. Tokens are encrypted at rest using libsodium sealed boxes (curve25519xsalsa20poly1305) before being written to the database. The decryption key never leaves the server environment.
Rendered card images
Each post generates a 1600 × 900 PNG card from your commit stats. Cards are stored on Vercel Blob and linked in your post history. They contain only your public stats — no code, no secrets.
Post history and usage counts
We store a record for every post attempt: date, status (posted / skipped / failed), the tweet ID, the card image URL, the stats JSON, and any error message. We also track your monthly post count to enforce plan limits.
Settings and preferences
Posting mode (auto / manual / custom), post time, timezone, card template choice, and recap toggles.
Email address (optional)
From your GitHub OAuth profile. Used only for transactional emails (e.g. "X reconnect required", "post failed") and, if you opt in, the waitlist newsletter. We never send marketing email without your opt-in.
What we never do
- ×Read or store your source code, file contents, or diff text.
- ×Post to X without an active connection and your explicit setup.
- ×Sell, rent, or share your data with third parties for advertising.
- ×Write to or modify your GitHub repository in any way.
- ×Store X or GitHub tokens in plaintext.
Third-party processors
Running a hosted service means data passes through infrastructure providers. Here is who they are and what they touch:
Web app hosting + Vercel Blob (rendered card image storage)
Worker compute + PostgreSQL database (all user data)
Posting tweets and media on your behalf, using your OAuth tokens
Reading commit metadata from your chosen repository
Transactional email delivery (reconnect / failure alerts)
Payment processing for paid plans — we never see your card number
Cookies and tracking
We use a single session cookie to keep you logged in (managed by Auth.js). There are no ad-tracking cookies, third-party analytics cookies, or persistent identifiers beyond your session token. If you do not sign in, no cookies are set.
Data deletion
You can disconnect GitHub or X at any time from Settings. Disconnecting X immediately revokes our access and deletes your stored tokens. Deleting your account removes all associated data from our database — tokens, post history, settings, and rendered cards — within 30 days.
To request full deletion, email hello@git-to-x.com. We will confirm and complete the deletion within 7 days.
Security
OAuth tokens are encrypted at rest using libsodium sealed boxes before database storage. The database (Railway Postgres) is not publicly accessible. TLS is enforced on all connections. We follow the principle of least privilege for all API scopes — the GitHub App requests read-only access to contents and metadata; the X OAuth scope is limited to what is needed to read and post tweets.
Changes to this policy
Material changes will be announced via the email on your account and noted with an updated date at the top. Continued use after the effective date constitutes acceptance.
Contact
Questions about this policy: hello@git-to-x.com