Privacy Policy
Last updated: July 5, 2026
1. Overview
Gitset stores the minimum it needs to work and nothing it doesn't. There is no advertising, no third-party analytics, and no tracking. This page lists exactly what is collected, where it goes, and how to delete it.
Gitset is open source under the MPL-2.0 license, so every claim on this page can be checked against the code.
2. What we store
When you sign in with GitHub and use the web app, Gitset stores:
- Your GitHub profile basics from OAuth: username, email address, and avatar.
- The GitHub access token that lets Gitset read repository context and publish what you approve.
- Your own AI provider keys, encrypted at rest with AES-256-GCM. They are never sent to your browser and never written to logs.
- Your tool settings and templates (for example, your saved commit format or label pack).
- The drafts you generate and their version history, so you can switch between versions.
- Operational logs for security and debugging, with secrets redacted before anything is written.
3. What we never store
Your source code is read transiently to build a draft and is not retained. Gitset does not train models on your data, does not sell or share data with third parties for their own purposes, and does not embed advertising or analytics services.
4. Where your data goes
Gitset sends data only to the services required to do what you asked:
- GitHub — to read repository context and to publish issues, pull requests, releases, labels, and metadata you explicitly approve. GitHub's Privacy Statement applies.
- Your AI provider — the one you chose and configured with your own key (Anthropic, OpenAI, Google Gemini, OpenRouter, or a compatible endpoint). The content needed to draft (diffs, file excerpts, your instructions) is sent to them under their privacy policy. Gitset has no relationship with your provider and never sees your bill.
- Turso — the database where account data, settings, encrypted keys, and drafts are stored.
- Google Cloud — where the service is hosted.
5. Cookies
Gitset uses exactly two cookies: a session cookie that keeps you signed in, and a short-lived state cookie that protects the OAuth sign-in flow. Your theme preference is kept in your browser's local storage. There are no advertising or tracking cookies.
6. The CLI
The Gitset CLI collects nothing. It has no account, sends no telemetry, and never contacts a Gitset server. Your provider keys and configuration live in ~/.gitset on your machine with owner-only permissions, and your repository content goes directly from your machine to your AI provider — nowhere else.
7. Retention and deletion
Your data is retained while your account exists. You can delete your account at any time from the dashboard — this permanently removes your account and associated data. You can also revoke Gitset's GitHub access at any time from your GitHub settings (Settings → Applications → Authorized OAuth Apps), which immediately disables repository access.
For any deletion request or question, write to support@gitset.dev.
8. Security
Provider keys are encrypted at rest with AES-256-GCM. All traffic uses TLS. GitHub access is requested with the narrowest scopes the features need, and repository writes happen only on your explicit confirmation. The code that implements all of this is public.
No system is perfectly secure. If a breach affecting your data ever occurs, you will be notified with what happened and what it affects.
9. Changes to this policy
Updates to this policy are published on this page with an updated date. Material changes will be highlighted.
10. Contact
Privacy questions: support@gitset.dev.