Privacy Policy

Last updated 2026-04-26

GitShipt is built to need as little of your data as possible. This policy describes exactly what we collect, why we collect it, who we share it with, and how you can have it deleted.

01 Scope

This policy covers personal data processed by the GitShipt service at gitshipt.com and its subdomains, including the public site, the dashboard, the admin console, and any GitShipt-operated webhook receivers or background workflows.

It does not cover third-party services (GitHub, Bags.fm, Helius, Vercel, Neon) which have their own policies that apply to data they process on our behalf.

02 Data we collect

The complete list of personal data GitShipt stores:

  • GitHub identity: your GitHub user ID, username, avatar URL, primary public email, and the OAuth refresh token returned by GitHub at sign-in.
  • Linked wallets: Solana wallet addresses (base58 public keys) you link via Sign-In With Solana.
  • Contributor scoring inputs: aggregates derived from public GitHub data — commit counts, merged PR counts, review counts, file paths touched, and timestamps — for the repositories linked to launches.
  • Audit log: records of administrative actions (launches, payouts, kill switch toggles, fee changes, role grants), each tagged with the actor's identifier, the action, the affected resource, and a timestamp.
  • Operational telemetry: request logs and rate-limit counters retained for a short window for abuse prevention and debugging.

03 Data we do not collect

GitShipt does not collect payment instruments, banking information, off-chain financial data, government identifiers, Social Security numbers, biometrics, precise geolocation, or contents of private repositories. We do not run KYC or identity verification.

04 How we use your data

We use the data above to operate the leaderboard, compute contributor scores, dispatch on-chain payouts to the correct wallets, authenticate sessions, prevent abuse via rate limiting and audit review, and respond to support requests. We do not use your data for advertising or profiling, and we do not sell it.

05 Sharing

GitShipt shares the minimum required data with the following processors:

  • Bags.fm: token metadata, launch parameters, and royalty splits including recipient wallet addresses.
  • Helius (Solana RPC): wallet addresses and transaction signatures for chain reads and submissions.
  • GitHub: the GitShipt GitHub App reads public repository metadata for indexing under the scopes you grant.
  • Vercel and Neon: hosting and database infrastructure that processes data in transit and at rest under their respective DPAs.

We do not run third-party advertising networks, social pixels, or behavioral analytics trackers.

06 Retention

The audit log is append-only and retained indefinitely for security, integrity, and regulatory traceability. We cannot edit or delete individual audit entries.

All other personal data — GitHub identifiers, linked wallets, scoring inputs — is deletable on request through account closure. On-chain transactions, including past payouts, remain on the Solana blockchain and cannot be removed by GitShipt.

07 Your rights

You may request access to, export of, or deletion of your personal data by emailing the address in the contact section below. We will respond within thirty days. If you are in a jurisdiction with formal privacy rights (EU, UK, California, etc.), those rights apply to the extent required by law.

08 Security measures

GitShipt applies the following controls: HMAC verification on all inbound webhooks, single-use SIWS nonces with short TTL, MFA prompts on destructive admin actions, append-only audit logging, per-route rate limiting via Upstash, Zod validation on every external API response, least-privilege role checks via a permissions layer, and cold separation of treasury keys (cold keys never enter Vercel).

No system is perfectly secure. Report suspected vulnerabilities to the contact address below; we prioritize security reports.

09 Cookies

GitShipt sets one strictly necessary cookie: an authenticated session cookie issued by our auth layer. We do not use analytics cookies, advertising cookies, or third-party trackers. No consent banner is required for strictly necessary session cookies in most jurisdictions.

10 International transfers

GitShipt infrastructure is hosted in the United States (Vercel and Neon, US-East regions). If you access the service from outside the United States, you consent to the transfer of your data to and processing in the United States.

11 Changes to this policy

We may revise this policy from time to time. Material changes will be announced in the product or via the public repository at least seven days before they take effect. Non-material clarifications take effect on the date noted at the top of this page.

12 Contact

Privacy requests, deletion requests, and security reports: privacy@gitshipt.com. Public discussion and code-level issues: github.com/SYMBaiEX/gitshipt.