Privacy Policy

How we handle your data.

Last updated · 2026-05-23

In one paragraph

Gitflow is a learning product. We store your email and chosen username so you can sign in, plus the lessons and scenarios you’ve completed so we can show your XP and progress. We don’t sell your data, we don’t run third-party trackers on this site, and you can delete your account at any time.

What we collect

  • Account data — your email address (from GitHub OAuth today, or from email sign-in once we enable it), an auto-generated username you can edit, and an optional display name, bio, and avatar.
  • If you sign in with GitHub — your primary verified email, GitHub username, and avatar URL. That’s the entire OAuth scope we request. We do not read your repositories or any other data on your GitHub account.
  • Progress data — which lessons and scenarios you completed, when, and the XP earned.
  • Session cookies — required to keep you signed in. We do not use cookies for advertising or cross-site tracking.
  • Server logs — IP address and request metadata held by our hosting providers (Vercel, Supabase) for short retention windows to protect against abuse.

What we don't collect

  • Payment information (Gitflow is free).
  • Phone numbers.
  • Behavioral tracking across other sites.
  • The contents of your in-browser Git practice — that runs entirely in your browser via isomorphic-git and IndexedDB. Nothing about the repos you create in the sandbox is sent to us.

Who we share data with

We use a small set of third-party processors. Your data is shared only as necessary for them to provide their service:

  • Supabase — database + authentication. Hosts your account row and progress rows. Supabase Privacy.
  • Vercel — application hosting. Serves the pages, runs server actions. Vercel Privacy.
  • Transactional email provider — once email sign-in is enabled, a third-party SMTP service (e.g. Resend or SendGrid) delivers the magic-link and OTP emails. They see the recipient address. Not in use today.
  • GitHub — only if you choose to sign in with GitHub. They follow their own policy. GitHub Privacy.

Your rights

  • Access — sign in and visit your profile to see your stored data.
  • Correction — edit your display name, bio, and avatar from the profile page.
  • Erasure — email privacy@gitflow.dev and we will delete your account and all related rows within 30 days. A self-service deletion button is on the roadmap.
  • Portability — request a JSON export of your account and progress at the same email address.
  • Objection / restriction — write to us and we’ll comply within applicable law (GDPR, CCPA, UK DPA).

Retention

We keep your account row and progress for as long as your account is active. Server logs are retained for at most 90 days by our hosting providers. Deleted accounts are purged within 30 days. We do not run our own backups today — when your row is deleted, it is gone.

Security

We enforce row-level security in the database so users can only read their own progress. Integrity triggers prevent fake XP awards, sensitive own-data tables are accessed only through SECURITY DEFINER functions, and content is served over HTTPS with HSTS and a strict Content-Security-Policy. Report vulnerabilities to security@gitflow.dev.

Children

Gitflow is not directed at children under 13. We do not knowingly collect data from anyone under 13. If you believe a child has signed up, contact us and we’ll delete the account.

Changes

We’ll update this page when something material changes. The “Last updated” date at the top reflects the most recent revision.

Contact

Privacy questions: privacy@gitflow.dev. General: hello@gitflow.dev.