Privacy Policy
Last updated: June 4, 2026
Thank you for using GitCMS ("we," "us," or "our"). This Privacy Policy outlines how we collect, use, and protect your personal and non-personal information when you use our website at gitcms.dev. By using GitCMS, you agree to the terms of this Privacy Policy.
1. Information We Collect
1.1 Personal Data
We collect the following personal information:
- Name and email: Collected via Google or GitHub OAuth to identify your account and communicate with you.
- OAuth profile data: We may store your avatar, provider account ID, and provider name for supported sign-in providers such as Google and GitHub.
- Payment information: Collected to process your one-time license purchase securely. We use a third-party payment processor — we don't store your card details.
- GitHub repository access data: Collected to enable read/write access to repositories you explicitly connect through our GitHub App.
- MCP personal access token metadata: When you create an MCP personal access token, we store metadata such as its label, prefix, scopes, expiration, last-used timestamp, and revocation status. We store token hashes, not raw tokens. Raw tokens are shown only once when created.
1.2 Non-Personal Data
We use cookies and basic analytics to collect non-personal information such as page views, feature usage, and error logs. This helps us improve the service and fix bugs. We do not track you across other websites.
2. Purpose of Data Collection
We collect and use your data to:
- Authenticate you via Google or GitHub OAuth and maintain your session.
- Operate the service — read and write files in repositories you've connected, manage workspaces and team access.
- Operate MCP access — authenticate supported MCP clients through OAuth or personal access tokens.
- Process payments for site license purchases.
- Communicate with you — send transactional emails like workspace invitations and account notifications. We only send important product updates. You can unsubscribe from updates anytime.
- Improve the service — analyze aggregate usage patterns and fix bugs.
3. What We Don't Do
- We don't sell your data. Ever.
- We don't train AI on your content. Your repository files are yours.
- We don't share data with advertisers. There are no ads.
- We don't read your content beyond what's needed to render the editor and execute your saves.
4. AI and MCP Features
GitCMS offers an MCP server that lets AI tools interact with your content. Your AI client connects to our MCP server — we don't send your content to any AI provider. MCP clients can authenticate with OAuth or with a GitCMS personal access token. We don't log or store MCP request data beyond what's needed to process requests, enforce access, and keep basic token metadata such as last-used timestamps.
5. Third-Party Services
We use the following third-party services:
- Google — authentication when you choose Google sign-in.
- GitHub — authentication when you choose GitHub sign-in, and repository access through the GitCMS GitHub App.
- Payment processor — to handle license purchases securely. We don't store your payment details.
- Hosting provider — infrastructure for the application (encrypted data).
- Analytics — anonymized usage metrics to improve the product.
We do not share your repository content with any third party.
6. Data Sharing
We do not share your personal data with any other parties except as required to operate the service (e.g., GitHub for repository access, payment processor for purchases). Beyond that, we will share data only if required by law.
7. Cookies
We use minimal, functional cookies:
- Session cookie — keeps you logged in.
- Theme preference — remembers your light/dark mode choice.
No tracking cookies. No advertising cookies.
8. Data Retention
- Account data is retained while your account is active. Delete your account and we remove your data within 30 days.
- Repository content is not stored persistently — it's fetched from GitHub on demand during your session.
- MCP token metadata is retained until the token is revoked, expires, or your account is deleted. Raw token values are not retained.
- Usage analytics are aggregated and anonymized. Individual-level data is not retained beyond 90 days.
9. Data Protection
We take the protection of your data seriously. OAuth credentials and service credentials are protected using industry-standard protocols both in transit and at rest. MCP personal access tokens are stored as hashes, not raw token values. All connections use TLS encryption. While we implement commercially acceptable security measures, no method of transmission over the Internet is 100% secure — we cannot guarantee absolute security.
10. Your Rights
You can access, correct, or delete your personal data at any time. Your content already lives in your Git repository — git clone is your export button. For account data, contact us and we'll handle it.
11. Children's Privacy
GitCMS is not intended for children under 16, and we do not knowingly collect data from children. If you believe a child has created an account, contact us and we will delete it.
12. Updates to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or through the service. The "Last updated" date at the top indicates the latest revision.
13. Contact
If you have any questions or concerns about this Privacy Policy, contact us at help@gitcms.dev.