PRIVACY POLICY

This Privacy Policy describes how EndGit ("we", "us", or "our") collects, uses, and protects your personal information when you use our website endgit.dev (the "Site") and related services. By using the Site, you agree to the collection and use of information in accordance with this policy.

INFORMATION WE COLLECT

Account Information

When you sign in through GitHub OAuth, we collect the following information from your GitHub account:

  • GitHub username and numeric ID
  • Display name
  • Email address
  • Avatar URL
  • Bio
  • OAuth access token and related credentials

Content You Provide

We collect content you voluntarily submit to the platform:

  • Plugin metadata: name, description, keywords, categories, license, repository URL, icon
  • Version information: version numbers, changelogs
  • Ratings and review comments
  • Notes to reviewers during plugin submission
  • Producer attribution (GitHub usernames and roles)

Automatically Collected Information

  • IP address (used temporarily in Redis for download deduplication, not persisted in our database)
  • Page views and Web Vitals metrics (via Vercel Analytics and Speed Insights)
  • Plugin download counts and view counts (aggregated daily)
  • CI/CD build logs and artifacts generated by the platform

HOW WE USE YOUR INFORMATION

We use the information we collect to:

  • Authenticate your account and manage your session via GitHub OAuth
  • Operate and maintain the plugin marketplace, including listing, searching, and downloading plugins
  • Process CI/CD builds triggered by your GitHub repositories and store build artifacts
  • Send transactional email notifications about plugin approval, rejection, and status changes
  • Calculate trust levels and quality scores for plugins and users to maintain marketplace integrity
  • Monitor platform performance, diagnose technical issues, and prevent abuse through rate limiting
  • Generate aggregate analytics for plugin downloads and page views

THIRD-PARTY SERVICES

We rely on the following third-party services to operate the platform. Each service has its own privacy policy governing how it handles data.

GitHub

We use GitHub for OAuth authentication, repository access, webhook integration, and CI/CD workflows. We access your GitHub profile, email, repositories, and organizations as authorized during the OAuth flow. GitHub's privacy policy applies to data held by GitHub. We create webhooks on your repositories only when you explicitly enable CI/CD for them.

Vercel

The Site is hosted on Vercel. We use Vercel Analytics to collect anonymized page view data and Vercel Speed Insights to collect Core Web Vitals performance metrics. Vercel's privacy policy governs the handling of data processed through their infrastructure and analytics services.

Cloudflare R2 (S3-Compatible Storage)

Plugin build artifacts (binary files) are stored in Cloudflare R2, an S3-compatible object storage service. Files are served via presigned URLs with a one-hour expiry. Cloudflare's privacy policy applies to data stored in their infrastructure.

Discord

We send automated notifications to Discord channels for operational events such as build completions, plugin submissions, approvals, new ratings, and moderation actions. No personal user data is sent to Discord beyond publicly visible plugin and build information.

Spacemail (Email Service)

We use Spacemail SMTP to send transactional emails to plugin authors regarding approval and rejection of their submissions. Emails are sent to the address associated with your GitHub account.

COOKIES AND SESSION MANAGEMENT

We use the following cookies and storage mechanisms:

  • NextAuth session cookie — A secure, HTTP-only JWT cookie that maintains your authenticated session. It contains your user ID, username, trust level, and an API token. This cookie expires after 7 days and is refreshed automatically.
  • NextAuth CSRF token cookie — Used to protect against cross-site request forgery attacks during authentication flows.
  • localStorage (theme) — We store your light/dark theme preference in your browser's localStorage. This data never leaves your device.

We do not use third-party advertising cookies, tracking pixels, or cross-site tracking technologies.

DATA STORAGE AND SECURITY

Your data is stored in PostgreSQL (relational database) and Redis (session cache and job queues). We implement the following security measures:

  • All passwords and tokens are stored securely; OAuth tokens are obtained from GitHub and stored encrypted in our database
  • JWT tokens are signed with a secret key and have a one-hour expiry
  • Refresh tokens are stored in Redis with a 30-day TTL and are single-use (rotating)
  • API rate limiting is enforced: 100 requests per 15 minutes for public endpoints, stricter limits for authenticated and write operations
  • HTTPS is enforced for all communications
  • Webhook signatures are verified using HMAC-SHA256 with timing-safe comparison
  • Security headers are set via Helmet (Content Security Policy, etc.)

DATA RETENTION

  • Account data — Retained as long as your account exists. You may request deletion at any time.
  • Plugin data — Plugin metadata, versions, and associated build artifacts are retained for the lifetime of the plugin on the marketplace.
  • Build logs — CI/CD build logs are retained indefinitely as part of the build history.
  • Analytics — Daily aggregated download and view counts are retained indefinitely for historical reporting.
  • Session tokens — JWT tokens expire after 1 hour. Refresh tokens expire after 30 days and are deleted on use.
  • IP addresses — Temporarily stored in Redis for 24 hours for download deduplication, then automatically discarded. IPs are never persisted to our database.
  • Moderation logs — Audit records of administrative actions are retained indefinitely for accountability.

YOUR RIGHTS

You have the right to:

  • Access — Request a copy of the personal data we hold about you.
  • Correction — Request correction of inaccurate personal data.
  • Deletion — Request deletion of your account and associated personal data. Publicly submitted content (plugins, ratings) may be anonymized rather than deleted to maintain marketplace integrity.
  • Revoke access — Revoke our GitHub App installation at any time through your GitHub settings, which will revoke our access to your repositories.
  • Data portability — Request your data in a machine-readable format.

To exercise any of these rights, contact us at two-tech-dev@proton.me.

CHILDREN'S PRIVACY

The Site is not intended for use by children under the age of 13. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us so we can delete it.

INTERNATIONAL DATA TRANSFERS

Your data may be processed and stored on servers located outside your country of residence. Our infrastructure providers (Vercel, Cloudflare) operate globally. By using the Site, you consent to the transfer of your data to these facilities.

CHANGES TO THIS POLICY

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new policy on this page with an updated "last updated" date. You are advised to review this policy periodically for any changes.

CONTACT US

If you have any questions about this Privacy Policy or our data practices, please contact us at two-tech-dev@proton.me or via our GitHub repository.

Last updated: May 19, 2026