Trust & Compliance

Privacy & Security

How Git2Docs protects your data and securely accesses your repositories.

Our Core Commitment: Your source code and private repository content are your crown jewels. We will never use your proprietary code or documents to train AI models, share them with third parties for commercial gain, or access them beyond what is strictly necessary to deliver the Service to you.

Privacy Policy

Effective Date: March 29, 2026  ·  Version 1.0

1. Introduction

Git2Docs ("we," "us," or "our") is committed to protecting the privacy, security, and confidentiality of the data you and your organization entrust to us. This Privacy Policy describes how we collect, use, store, and protect information when you access or use the Git2Docs platform, website, and related services (collectively, the "Service").

We understand that for many of our customers — particularly enterprises and security-sensitive organizations — the source code, documentation, and intellectual property processed through our Service may represent critical, high-value assets. This policy is written with that reality in mind.

2. Information We Collect

2.1 Account and Identity Information

When you register for Git2Docs, we collect:

  • Name and professional title
  • Business email address
  • Organization name and domain
  • Billing contact information and payment details (see Payment Processing below)
  • Authentication credentials (passwords are hashed and salted; we never store plaintext passwords)

2.1.1 Payment Processing and Credit Card Information

Git2Docs uses Stripe, an industry-leading PCI-DSS Level 1 certified payment processor, to handle all payment transactions. This means:

  • We never see your full credit card numbers. When you enter payment information, it goes directly to Stripe's secure servers via encrypted connection. Your card details never touch our servers.
  • We never store your credit card data. Stripe tokenizes your payment method and returns us only a secure token reference that cannot be reverse-engineered into card details.
  • We only store: the last 4 digits of your card (for display purposes in your billing dashboard), card brand (Visa, Mastercard, etc.), and expiration month/year — all provided by Stripe in a secure, PCI-compliant manner.
  • All payment processing happens on Stripe's infrastructure, which maintains the highest level of payment security certification (PCI-DSS Level 1) and is audited regularly by independent security assessors.

Zero Credit Card Exposure: Git2Docs operates a "zero-touch" payment architecture. Your sensitive payment information is handled entirely by Stripe's secure infrastructure. In the event of a data breach affecting Git2Docs, your credit card information would not be at risk because we never possessed it in the first place.

2.2 Code and Repository Content

When you connect a repository or upload files for documentation generation, we process the content solely to perform the requested transformation. This includes source code files, configuration files, README files, comments, and any other content you explicitly submit. We treat all such content as confidential by default.

Private Repository Guarantee: Git2Docs personnel do not access the contents of your private repositories except: (a) with your explicit written consent to resolve a support issue you have opened; (b) to investigate a security incident affecting our platform; or (c) where required by a valid legal obligation, in which case we will notify you promptly unless prohibited by law.

2.3 Information We Do NOT Collect

Git2Docs is designed with data minimization as a core principle. We explicitly do not:

  • Scan, index, or retain source code beyond the session required to generate your documentation
  • Train AI or machine learning models on your proprietary code or documents
  • Collect biometric data, health information, or personal financial records
  • Track user activity across third-party websites

3. How We Use Your Information

We use the data we collect for the following purposes only:

  • Service Delivery: To generate documentation, process repository inputs, and return outputs to you.
  • Authentication & Security: To verify your identity, detect unauthorized access, and protect against abuse or fraud.
  • Service Improvement: To diagnose errors, optimize performance, and develop new features, using aggregated, de-identified usage data only.
  • Communications: To send transactional emails (e.g., receipts, alerts, onboarding), and — with your consent — product updates and announcements.
  • Legal Compliance: To meet our obligations under applicable law and respond to lawful requests from public authorities.

We do not use your data for advertising, and we do not sell, rent, or broker personal data to third parties.

4. How We Share Your Information

We share your data only in the following circumstances:

  • Service Providers: Carefully vetted subprocessors (e.g., cloud hosting, payment processing, error logging) who are contractually bound to confidentiality obligations at least as stringent as this policy.
  • Legal Requirements: When required by law, court order, or valid governmental request. We will notify affected users unless legally prohibited.
  • Business Transfers: In the event of a merger, acquisition, or sale of assets, user data may transfer as part of that transaction. We will provide 30 days' advance notice.
  • With Your Consent: For any other purpose disclosed at the time of collection and only with your explicit approval.

No Third-Party AI Training: Git2Docs does not share your source code, documentation inputs, or repository content with any third-party AI model provider for training purposes. This applies to all customers, including free-tier users, and is not subject to opt-out requirements — it is a blanket prohibition.

5. Data Retention and Deletion

Data Category | Retention Period
Source code / repo content | Session only (deleted upon job completion)
Generated documentation | 90 days (configurable by org admin)
Account & profile data | Duration of account (deleted within 30 days of closure)
Audit logs (Enterprise) | 12 months (exportable; extendable by contract)
Billing records | 7 years (legal/tax compliance)

You may request deletion of your account and associated personal data at any time by contacting legal@git2docs.com or via the Account Settings panel.

6. Your Privacy Rights

Depending on your jurisdiction, you may have the following rights:

  • Right to Access: Request a copy of the personal data we hold about you.
  • Right to Rectification: Request correction of inaccurate or incomplete data.
  • Right to Erasure: Request deletion of your personal data (subject to legal retention requirements).
  • Right to Portability: Receive your data in a structured, machine-readable format.
  • Right to Object: Object to certain uses of your data, including profiling.
  • Right to Withdraw Consent: Where processing is based on consent, withdraw it at any time.

To exercise any of these rights, contact legal@git2docs.com. We will respond within 30 days.

7. Contact

Privacy Officer: legal@git2docs.com
Security Team: support@git2docs.com
Enterprise & DPA: contact@git2docs.com

Security Practices

Why GitHub Apps are the industry standard

When you install the Git2Docs GitHub App, you get a clear, auditable permission screen showing:

  • Exactly which repositories are being accessed (you choose — not us)
  • Exactly what permissions the app has on those repos
  • That the installation is recorded in your GitHub org's audit log
  • That you can revoke access instantly from GitHub settings without touching our app

Compare that to a Personal Access Token: it's tied to one person's account, has no install audit trail, and typically gets broad repo scope because users don't know what minimum permissions to set.

Git2Docs requests read-only access to repository contents. We never write to your code, never store your source files, and you can revoke access at any time from your GitHub organization settings.

Our security practices

1. Minimum viable permissions

We only request Contents: Read and Metadata: Read. No write access, no pull requests, no issues. Every permission we don't request is a permission an auditor doesn't have to question.

2. Repo-scoped installation, not org-wide

During installation, GitHub asks: install on all repositories or select repositories. Our onboarding guides you toward select repositories — only the repos you actually want documented. We never encourage "all repositories."

3. Installation tokens, never stored tokens

The GitHub App private key lives only in our secure environment variables — never in the database, never in code. At runtime, our worker exchanges the installation ID for a short-lived token (valid 1 hour). That token is used once and discarded. Nothing sensitive ever touches our database.

Private key (secure env)
  → Sign JWT
  → Exchange for installation token (1hr TTL)
  → Clone/read repo
  → Token discarded
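As an added example (not Git2Docs' own code), the "sign JWT" and "1hr TTL" steps of this flow in Python: building the app JWT with the claim bounds GitHub enforces, and measuring how much life an installation token has left. The app ID, the `sign` callable and the sample response are assumptions; RS256 signing is delegated to that callable so the block runs offline.

```python
import base64
import calendar
import json
import time
from typing import Callable, Optional

# Added example, not Git2Docs code. RS256 signing is delegated to a `sign`
# callable so this runs offline; in production that callable wraps the app
# private key loaded from the environment (e.g. via PyJWT or `cryptography`),
# never a key read from the database or checked into code.

JWT_MAX_LIFETIME = 600  # seconds: GitHub rejects app JWTs valid for more than 10 minutes
CLOCK_SKEW = 60         # seconds: backdate iat so a slightly fast worker clock is tolerated


def _b64url(raw: bytes) -> str:
    """Base64url without '=' padding, as JWT segments require."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64url(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_app_jwt(app_id: str, sign: Callable[[bytes], bytes], now: Optional[int] = None) -> str:
    """Build the short-lived JWT a GitHub App presents to mint an installation token."""
    now = int(time.time()) if now is None else now
    header = {"alg": "RS256", "typ": "JWT"}
    iat = now - CLOCK_SKEW
    claims = {"iat": iat, "exp": iat + JWT_MAX_LIFETIME, "iss": app_id}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    return signing_input + "." + _b64url(sign(signing_input.encode()))


def jwt_parts(token: str):
    """Split a JWT into (header, claims, raw signature) without verifying it."""
    h, c, s = token.split(".")
    return json.loads(_unb64url(h)), json.loads(_unb64url(c)), _unb64url(s)


def installation_token_ttl(response: dict, now_iso: str) -> int:
    """Seconds left on a token from POST /app/installations/{id}/access_tokens.

    GitHub answers with {"token": "ghs_...", "expires_at": "2026-03-29T13:00:00Z", ...}
    (constructed sample values below). The worker uses the token for the current
    job and lets it go out of scope; 0 means mint a fresh one, never retry a stale one.
    """
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    expires = calendar.timegm(time.strptime(response["expires_at"], fmt))
    now = calendar.timegm(time.strptime(now_iso, fmt))
    return max(0, expires - now)
```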

4. Webhook signature verification on every request

Every incoming GitHub webhook is verified against our webhook secret using HMAC-SHA256 before we process the payload. We reject anything that doesn't verify. This prevents spoofed webhook calls.
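The check described here, as an added example rather than Git2Docs' own code: HMAC-SHA256 over the raw request body, compared in constant time against the X-Hub-Signature-256 header GitHub sends. The secret and the sample delivery are constructed values.

```python
import hashlib
import hmac
import json
from typing import Optional

# Added example, not Git2Docs code. GitHub signs the raw request body with the
# app's webhook secret and sends the hex digest as X-Hub-Signature-256: sha256=<hex>.
WEBHOOK_SECRET = b"constructed-example-secret"  # real value comes from the environment


def expected_signature(secret: bytes, body: bytes) -> str:
    """Compute the header value GitHub would send for this body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, headers: dict, body: bytes) -> bool:
    """Return True only if the delivery carries a valid HMAC-SHA256 signature.

    Verify over the raw request bytes, before any JSON parsing: re-serialising
    the body can change whitespace or key order and invalidate the MAC.
    """
    received = headers.get("X-Hub-Signature-256", "")
    if not received.startswith("sha256="):
        return False  # header missing or only the legacy SHA-1 one: reject, never fall back
    expected = expected_signature(secret, body)
    # compare_digest runs in constant time; compare as bytes so a non-ASCII
    # header value fails the check instead of raising
    return hmac.compare_digest(expected.encode(), received.encode())


def handle_delivery(secret: bytes, headers: dict, body: bytes) -> Optional[dict]:
    """Parse the payload only after the signature checks out; None means dropped."""
    if not verify_webhook(secret, headers, body):
        return None
    return json.loads(body)


# Constructed sample delivery: an installation event for one selected repo.
SAMPLE_BODY = json.dumps({
    "action": "created",
    "installation": {"id": 42},
    "repositories": [{"full_name": "example-org/example-repo"}],
}).encode()
SAMPLE_HEADERS = {
    "X-GitHub-Event": "installation",
    "X-Hub-Signature-256": expected_signature(WEBHOOK_SECRET, SAMPLE_BODY),
}
```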

5. Complete audit trail

We log every webhook received, every installation event, and every documentation sync. When your security team asks "what did Git2Docs do with our repos?", we have a complete answer.

6. Encryption

All data transmitted to and from Git2Docs is encrypted in transit using TLS 1.2 or higher. Data at rest is encrypted using AES-256. Encryption keys are managed through a dedicated key management service (KMS) with automatic rotation.

7. Payment Security and PCI Compliance

Git2Docs implements a zero-touch payment architecture that eliminates credit card data exposure:

  • Stripe Integration: All payment processing is handled by Stripe, a PCI-DSS Level 1 Service Provider — the highest certification available in the payments industry.
  • Direct-to-Stripe Flow: When you enter payment information, it's transmitted directly to Stripe's servers using Stripe Elements (embedded secure payment forms). Your card data never passes through our servers.
  • Tokenization: Stripe returns only secure, single-use tokens that we exchange for payment confirmations. These tokens cannot be reverse-engineered to obtain card details.
  • Reduced PCI Scope: Because we never handle raw card data, our PCI compliance burden is minimal (SAQ-A), and your payment information remains isolated from our infrastructure.
  • Industry-Standard Security: Stripe maintains SOC 1 Type 2, SOC 2 Type 2, and ISO 27001 certifications, undergoes annual third-party audits, and processes billions of dollars in payments annually for companies worldwide.

For enterprise customers requiring additional payment security controls (ACH transfers, wire payments, invoicing), please contact contact@git2docs.com.

Security review Q&A

Common questions from security teams:

Question | Our Answer
How do you access our code? | GitHub App, read-only, repo-scoped
Do you store our source code? | No — cloned temporarily to worker memory during generation, never persisted
Do you use our code to train AI? | Never. Blanket prohibition for all customers, including free tier.
How are credentials stored? | Installation ID only; tokens are short-lived, generated at runtime, never stored
How do we revoke access? | Uninstall the GitHub App from your org settings — immediate, no action needed from us
Is access logged? | Yes — every installation and sync event is logged with timestamp
How do you handle credit card information? | We never see or store it — all payment processing handled by Stripe (PCI-DSS Level 1). Card data goes directly to Stripe, never touches our servers.

Questions about our privacy or security practices?

We're happy to provide additional details for your security review.
