Privacy Policy for OctoStats

1. Introduction

OctoStats ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service that allows you to generate and display GitHub statistics widgets.

2. Information We Collect

Personal Information

We collect the following personal information:

• GitHub username and user ID (which serves as your account identifier)
• Email address (as provided by GitHub)
• GitHub access tokens and refresh tokens (which are encrypted in our database)
• GitHub profile information including avatar URL, name, company, blog URL, location, bio, Twitter username, number of public repositories, followers, and following count

Usage Information

We collect information about your use of OctoStats, including:

• GitHub statistics including contributions, repositories, languages, and commit history
• API calls to GitHub made on your behalf
• Any errors encountered during data retrieval or widget generation
• System-generated identifiers associated with your account

3. Legal Basis for Processing

We process your personal data based on the following legal grounds:

• Contractual Necessity: Processing is necessary to provide you with our service as requested.
• Consent: You have explicitly agreed to the processing of your data for specific purposes.
• Legitimate Interests: Processing is necessary for our legitimate interests, such as improving our service, ensuring security, and preventing fraud.
• Legal Obligation: Processing is necessary to comply with legal requirements applicable to our operations.

4. How We Use Your Information

We use your personal information for the following purposes:

• To create and maintain your account
• To provide our core service of generating GitHub statistics widgets
• To authenticate with GitHub's API on your behalf
• To troubleshoot and resolve widget generation issues
• To improve and optimize our service
• To communicate with you about your account or our services
• To comply with legal obligations

5. Data Storage, Security, and International Transfers

Your information is stored in our database powered by Supabase, which is hosted in Frankfurt, Germany.

For users in the European Economic Area (EEA), United Kingdom, or other regions with data protection laws that require specific mechanisms for international data transfers, we rely on standard contractual clauses and other legally approved mechanisms to transfer your data.

We implement appropriate security measures to protect your personal information, including:

• Data encryption during transmission using HTTPS protocol
• Encryption of GitHub access tokens and refresh tokens in our database
• Database-level security controls that ensure users can only access their own data after authentication
• Regular security assessments and updates
• Access controls limiting staff access to user data

6. Third-Party Services

When you sign in using GitHub, their privacy policy will apply to the information you provide through their authentication service. We recommend reviewing GitHub's Privacy Statement.

GitHub API Usage

We use GitHub's API to retrieve your GitHub statistics and data. Our access to your GitHub data is determined by the permissions you grant when authenticating with GitHub. OctoStats will only access repositories and data that you have explicitly granted permission to access.

Analytics and Performance

We use the following analytics tools to improve your experience and our service:

PostHog Analytics

We use PostHog to collect anonymous usage data about how our application is used. Unlike traditional analytics tools, our PostHog implementation uses in-memory storage and does not use cookies or persistent identifiers to track individual users. We collect page views and general usage patterns to help us understand how users interact with our service. No personally identifiable information is collected through PostHog.

Google Analytics

We use Google Analytics to collect information about how visitors use our website. Google Analytics uses cookies to collect information and report website usage statistics. This information is used to evaluate visitors' use of the website and to compile statistical reports on website activity. For more information about Google's privacy practices, please visit the Google Privacy & Terms.

Microsoft Clarity

We use Microsoft Clarity to collect information about how users interact with our website. Clarity uses cookies and similar tracking technologies to collect data about user behavior, including mouse movements, clicks, and scrolls. This may include session recordings that capture how users navigate through pages. This information helps us identify user experience issues and improve our service. For more information, please review the Microsoft Clarity Terms of Service.

Your Choices Regarding Analytics

You can opt out of these analytics tools by:

• Using our cookie consent banner to adjust your preferences
• Installing the Google Analytics Opt-out Browser Add-on
• Enabling "Do Not Track" in your browser settings

7. Data Retention

We retain your personal information for as long as your account remains active or as needed to provide you services. If you wish to delete your account, please contact us at support@mondov.dev, and we will delete your personal information unless we are legally required to retain certain information.

8. Your Rights

Depending on your location, you may have rights regarding your personal data, including:

• The right to access the personal information we hold about you
• The right to request correction of inaccurate information
• The right to request deletion of your personal information
• The right to restrict or object to processing of your personal information
• The right to data portability

To exercise these rights, please contact us using the information provided below.

9. GDPR-Specific Rights

If you are in the European Economic Area (EEA) or United Kingdom, you have specific rights under the General Data Protection Regulation (GDPR):

• Withdrawal of Consent: Where we process data based on consent, you can withdraw that consent at any time.
• Complaints to Supervisory Authorities: You have the right to lodge a complaint with your local data protection supervisory authority.
• Timely Response: We'll respond to all legitimate GDPR requests within 30 days. If more time is needed, we'll notify you.

For data portability requests, we will provide your personal data in a structured, commonly used, and machine-readable format to enable transfer to another controller when technically feasible.

10. California Privacy Rights (CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with specific rights:

• Right to Know: You can request information about the personal data we've collected about you in the past 12 months, including categories of information, sources, purposes, and third parties with whom we've shared it.
• Right to Delete: You can request deletion of personal information we've collected from you, subject to certain exceptions.
• Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.

While OctoStats does not sell personal information as defined by the CCPA, we do share data with service providers as described in this policy. To exercise your CCPA rights, please contact us using the information below. We will respond to verifiable consumer requests within 45 days.

Categories of Information Collected

In the past 12 months, we have collected these categories of personal information:

• Identifiers (GitHub username, GitHub ID, email address)
• Authentication information (encrypted GitHub tokens)
• GitHub profile and usage data

11. Data Breach Notification

In the event of a data breach that may compromise your personal information, we will notify you via email without undue delay and within 72 hours of discovery when possible. This notification will include information about the nature of the breach, the data affected, and steps we're taking to address the situation.

12. Compliance with Privacy Regulations

OctoStats is committed to complying with applicable data protection laws, including the European Union's General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other regional privacy regulations.

We implement privacy by design principles by limiting data collection to what's necessary, securing data through encryption and access controls, and maintaining records of our processing activities. We have also established procedures to handle data subject requests promptly and accurately.

We have appropriate Data Processing Agreements (DPAs) in place with our service providers to ensure your data is protected throughout its lifecycle.

13. Children's Privacy

OctoStats is not intended for children under 16 years of age. We do not knowingly collect personal information from children under 16. If you are a parent or guardian and believe your child has provided us with personal information, please contact us.

14. Local Storage and Cookies

We use cookies for the following purposes:

• Essential cookies: Required for authentication and service functionality.
• Analytics cookies: Used by Google Analytics and Microsoft Clarity to collect information about how you interact with our website, helping us improve our service.

You can control your cookie preferences through our consent banner or your browser settings. Note that blocking certain cookies may affect your experience on our site and the services we can offer.

Note that our PostHog analytics implementation does not use cookies and instead relies on in-memory storage that does not persist between sessions.

15. Governing Law

This Privacy Policy is governed by the laws of Slovakia, without regard to its conflict of law principles. However, this does not affect your statutory rights based on the laws of your country of residence.

16. Data Protection Contact

While OctoStats does not require a formal Data Protection Officer under GDPR criteria, for any privacy-related inquiries or to exercise your data protection rights, please contact:support@mondov.dev

17. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on our website and updating the "Last Updated" date. For significant changes, we will make reasonable efforts to notify you directly, such as through email if we have your contact information.

18. Contact Information

If you have questions or concerns about this Privacy Policy, please contact us at: support@mondov.dev