GitHits Privacy Policy

Effective date: February 23, 2026 | Last updated: March 10, 2026

This Privacy Policy explains how GitHits, Inc. (“GitHits,” “we,” “us,” or “our”) collects, uses, discloses, and otherwise processes personal data when you access or use our Service (web app, MCP server, CLI, and APIs).

This Privacy Policy forms part of the GitHits Legal Framework and you should read it together with the GitHits Terms of Service, the Cookie Policy, the Data Processing Agreement (DPA), and the Subprocessor List.

If you have questions or requests about this Privacy Policy, contact us at support@githits.com.

1. Scope and Roles

1.1

This Privacy Policy applies when GitHits acts as a data controller (for example, when we manage your account and billing, operate our website, and run our own analytics).

1.2

If you use GitHits in a business context where GitHits processes personal data on behalf of an organization (for example, your employer), our Data Processing Agreement (DPA) may apply, and GitHits may act as a processor for that organization.

2. Personal Data We Collect

2.1 Information you provide

We collect account information such as your name, email address, and role (and similar profile fields you choose to provide). We collect support communications, meaning information you include in messages you send to our support (such as Intercom chats and emails). We collect Inputs and Outputs, meaning the query or prompt you submit, any context you include, and the Outputs that the Service generates.

2.2 Information we collect automatically

We collect usage data such as events and metrics about how you use the Service (for example, feature usage, clicks, and performance). We collect device and log data such as IP address, device identifiers, browser type, operating system, timestamps, and error logs. We collect MCP/API logs, meaning request metadata and logs we associate with your use of our MCP server and APIs.

2.3 Payment information

Our payment processor (such as Stripe) processes all payments. We receive limited billing details such as subscription status and payment confirmations. We do not store full payment card numbers.

2.4 Information from third parties

If you sign in using GitHub or Supabase authentication, we receive information we need to authenticate you (such as an OAuth identifier and basic profile information consistent with the scopes you authorize). We may also retrieve open-source code examples and metadata (such as repository URLs and license information) from sources such as GitHub Search API and our own search index.

2.5 MCP server data minimization

When you use the GitHits MCP server (for example, within a host application), the server collects only the data strictly necessary to perform the requested search or query. The MCP server does not collect extraneous conversation data, access the host application’s memory or chat history, read conversation summaries, or access user-generated or uploaded files beyond the Input you explicitly provide, even for logging purposes.

3. How We Use Personal Data

3.1

We provide the Service by operating the web app, MCP server, CLI, and APIs, processing Inputs, generating Outputs, and storing user settings. We manage billing and accounts by creating and administering accounts, subscriptions, and payments. We provide support by responding to inquiries and providing customer support. We protect security and prevent abuse by protecting the Service, preventing fraud, detecting and investigating misuse, and enforcing our Terms. We conduct analytics and improvement by understanding usage, troubleshooting, and improving performance and features. If you opt in, we may use de-identified queries and related Outputs to improve GitHits and related models, as we describe in Section 5 (training, opt-in only). We may also create and publish anonymized, aggregated statistics derived from usage data (such as trending programming languages, popular query categories, and general usage volumes). Because this data is fully anonymized and cannot be used to identify any individual, it does not constitute personal data under the GDPR.

3.2

We do not use personal data for user profiling, advertising, data selling or brokering, or cross-context behavioral advertising. Publication of anonymized, aggregated statistics as described in Section 3.1 does not involve personal data and is not subject to these restrictions.

4. Legal Bases (EEA/UK/Switzerland)

4.1

Where the GDPR or similar laws apply, we process personal data under one or more of the following legal bases.

We rely on contract performance to provide the Service you request, manage your account, process billing, and provide support (Section 3.1: providing the Service, billing, account management, and support).

We rely on legitimate interests to secure, monitor, and improve the Service (Section 3.1: security and abuse prevention, analytics, and improvement).

We rely on consent for optional analytics cookies and optional training if you opt in (Section 3.1: training; Cookie Policy Section 2.3).

We rely on legal obligation to comply with applicable laws, respond to legal requests, and fulfil tax requirements.

5. AI Processing, Model Providers, and Training Choices

5.1 What we send to AI/model providers

To provide AI features (such as semantic search, reranking, and summaries), GitHits may send your Input (the query or prompt and any context you provide) and relevant open-source code examples and metadata (such as repository links and license identifiers) to one or more model providers or AI infrastructure providers strictly to generate Outputs for you. For a current list of these providers and links to their privacy policies, see our Subprocessor List.

We do not send your account profile fields (such as email) unless security, billing, or operational reasons require it.

5.2 Training and improvement (opt-in)

GitHits does not use your Inputs and Outputs for training by default. We may offer an opt-in setting that permits us to use de-identified queries and related Outputs to improve GitHits and related models.

If you opt in, we will take reasonable steps to remove direct identifiers and avoid using information intended to identify you, and we will use the data to improve quality, safety, and performance. Once we have completed the de-identification process, the resulting data no longer constitutes personal data within the meaning of the GDPR and is not subject to the retention periods in Section 8.

You may change your training preference at any time (once the setting becomes available). Opt-in applies going forward.

5.3 Safety and abuse

Even if you do not opt in, we may process Inputs and Outputs for security, abuse prevention, and policy enforcement, including investigating reports, detecting fraud, and responding to legal requests.

6. How We Disclose Personal Data

6.1

We disclose personal data to the following recipients.

We disclose personal data to vendors and service providers that help us operate the Service (such as hosting, analytics, payment processing, and support tools). See our Subprocessor List for a current list.

We disclose Inputs and related data to model providers and AI infrastructure to process Inputs and generate Outputs (see Section 5).

We disclose personal data to professional advisors (such as legal and accounting advisors) as needed.

We disclose personal data to authorities and others when the law requires it, to protect rights and safety, or to enforce our Terms.

We may disclose personal data to acquiring or merging entities in connection with mergers, acquisitions, or similar transactions.

6.2

We do not sell or share personal data for cross-context behavioral advertising. If applicable law defines “sell” or “share” broadly, we will provide the required disclosures and controls.

7. Cookies and Similar Technologies

7.1

We use cookies and similar technologies to operate the Service and for analytics (such as Datadog RUM/APM and PostHog). See our Cookie Policy for details and controls.

8. Data Retention

8.1

We retain personal data for as long as reasonably necessary to provide the Service, comply with legal obligations, resolve disputes, enforce agreements, and serve legitimate business purposes. The following category-level retention periods apply.

We retain account data for the duration of your account plus 90 days after deletion. We retain Queries (Inputs) and Outputs for 90 days for service delivery and troubleshooting. If you opt in to training use under Section 5.2, we de-identify the data, after which it is no longer personal data, and these retention limits do not apply. We retain MCP/API request logs for 30 days. We retain support communications for 12 months after resolution. We retain billing records as applicable tax and accounting laws require (typically 7 years).

8.2

Where feasible, we will offer self-serve deletion and account closure features.

9. International Data Transfers

9.1

GitHits operates from the United States. We also operate infrastructure in the European Union (such as Sweden) for certain workloads. We may process your information in the United States, the EU, and other locations where our vendors operate.

9.2

When the law requires it, we use appropriate safeguards for international transfers (such as Standard Contractual Clauses). For details, see our Data Processing Agreement.

10. Security

10.1

We use reasonable administrative, technical, and organizational measures designed to protect personal data. However, no method of transmission or storage provides complete security.

11. Automated Decision-Making

11.1

The Service uses AI models to generate search results, rankings, and summaries (Outputs). This processing assists you in finding relevant code examples and does not produce decisions with legal or similarly significant effects on you within the meaning of GDPR Article 22. You bear responsibility for evaluating and independently verifying all Outputs before relying on them.

12. Your Rights and Choices

12.1

Depending on where you live, you may have rights to access, correct, or delete your personal data, object to or restrict certain processing, request portability, withdraw consent (where we base processing on consent), and appeal or lodge a complaint with a supervisory authority.

12.2 California Residents (CCPA/CPRA)

You may have additional rights under the CCPA, including the right to know what personal data we collect, to request deletion, and to opt out of the “sale” or “sharing” of personal data. As we describe above, we do not sell or share your personal data for cross-context behavioral advertising. To exercise CCPA rights, contact us at the address below.

12.3 Response timeline

We will respond to verified data subject requests within one month of receipt. If a request proves complex or we receive a high volume of requests, we may extend this period by up to two additional months, in which case we will notify you of the extension and the reasons for it.

12.4

To exercise rights, contact us at support@githits.com. We may verify your identity before responding.

13. EU Representative

13.1

GitHits has appointed Jaakko Timonen as its representative in the European Union pursuant to Article 27 of the GDPR. Contact: jack@githits.com. If GitHits has not yet appointed a representative at the time you read this policy, please contact us at support@githits.com.

14. Children

14.1

We do not direct the Service to children under 18, and we do not knowingly collect personal data from children under 18.

15. Changes to this Privacy Policy

15.1

We may update this Privacy Policy from time to time. If we make material changes, we will provide appropriate notice and update the effective date above.

16. Contact

1604 Philadelphia Pike, Suite 150, Wilmington, DE, 19809, US