Privacy & Data Handling
Version: 1.1
Effective date: June 7, 2026
Last updated: June 7, 2026
This Privacy & Data Handling page explains what data NobGit collects, why NobGit collects it, how the data is used, where it is processed, how backups work, and what choices users have.
NobGit is a Git hosting and code storage platform. By using NobGit, you understand that the service must process account, repository, authentication, security, and operational data to provide the platform.
1. Service Operator and Contact
NobGit is operated as the controller of the NobGit service unless another legal operator is published on this page.
This page should be updated if NobGit later becomes operated by a company, foundation, association, nonprofit, or other legal entity.
For privacy, account, or data handling questions, contact: support@nobgit.com
For security vulnerabilities, contact: security@nobgit.com
For abuse, copyright, phishing, malware, credential leaks, illegal content, harassment, or policy reports, use: https://abuse.nobgit.com or email abuse@nobgit.com.
2. Hosting and Traffic Flow
NobGit is hosted on an EU-Central Hetzner CPX22 Cloud Server.
NobGit uses Cloudflare for the domain, DNS, traffic handling, TLS termination or TLS-related traffic handling, proxying, security filtering, and Cloudflare Tunnel.
The normal public traffic path is:
World -> Cloudflare -> Cloudflare Tunnel -> Hetzner Server
This means Cloudflare may process connection data, request metadata, IP addresses, user-agent data, security signals, and routing data before traffic reaches the NobGit server.
Hetzner processes server-side data needed to host NobGit. This may include database data, repository data, Git objects, uploads, application files, server logs, backup data, and operational metadata.
NobGit is designed around EU-hosted server infrastructure, but internet routing and provider security systems may involve processing in multiple locations.
3. Data NobGit Collects
NobGit collects different types of data depending on how you use the service. Some data is required to create an account and use Git hosting. Other data exists only if you use optional features.
3.1 Account and Profile Data
NobGit may collect and store:
- Username.
- Email address.
- Display name.
- Optional phone number.
- Optional profile image, avatar, or uploaded profile image URL.
- Account ID and internal database identifiers.
- Account creation timestamp.
- Account update timestamp.
- Last login or activity-related timestamps, where available.
- Account status information, such as active, restricted, disabled, or suspended state.
- Profile fields shown on public or private profile pages, where available.
3.2 Authentication Data
NobGit may collect and store authentication data, including:
- Password hash.
- Legacy password hash data for migrated accounts, where applicable.
- Email verification data.
- Temporary verification code hashes.
- Password reset data, where available.
- Session identifiers and session state.
- Login state used to keep users signed in.
- Signup state used during account creation.
- Passkey challenge state used during passkey registration or login.
- OTP challenge state used during two-factor login.
NobGit does not need to store plaintext passwords. If password authentication is used, passwords should be stored as hashes.
3.3 Two-Factor, Passkey, SSH, and GPG Data
NobGit may collect and store security credential data, including:
- OTP authenticator enabled status.
- OTP secret.
- OTP setup or verification state.
- Passkey credential ID.
- Passkey public key.
- Passkey sign count.
- Passkey display name.
- Passkey creation timestamp.
- Passkey last used timestamp.
- SSH public keys.
- SSH key names.
- SSH key fingerprints.
- SSH key creation timestamp.
- SSH key last used timestamp.
- GPG public keys.
- GPG key IDs.
- GPG fingerprints.
- GPG key email addresses.
- GPG key verification state.
- Commit signature verification metadata.
Public SSH keys and public GPG keys are not passwords, but they can still identify an account or developer identity.
3.4 Access Tokens, OAuth, MCP, and Provider Metadata
NobGit may collect and store token and authorization data, including:
- Personal access token records.
- Personal access token hashes.
- Token names.
- Token scopes.
- Token expiration timestamps.
- Token revocation state.
- Token last used timestamps.
- OAuth client records.
- OAuth authorization records.
- OAuth access tokens, where OAuth features are used.
- OAuth refresh tokens, where OAuth features are used.
- OAuth authorization codes, where OAuth features are used.
- OAuth scopes.
- OAuth expiration and revocation metadata.
- MCP client records, where MCP features are used.
- MCP authorization records, where MCP features are used.
- Connected provider metadata from login, identity, or integration providers.
- Provider user IDs or provider account references, where connected login features are used.
Token values should be treated like passwords by users. If a token is exposed, the user should revoke it and create a new one.
3.5 Repository and Git Content
NobGit stores content users create, upload, push, import, mirror, or manage through the platform.
Repository and Git data may include:
- Repositories.
- Git objects.
- Git trees.
- Git blobs.
- Git commits.
- Git tags.
- Branches.
- Default branch settings.
- Repository names.
- Repository descriptions.
- Repository visibility settings.
- Repository settings.
- Repository files.
- Repository history.
- Commit messages.
- Commit author names.
- Commit author email addresses.
- Commit committer names.
- Commit committer email addresses.
- Commit timestamps.
- Commit signatures.
- Commit verification state.
- Git push and pull metadata.
- Repository clone, fetch, or access metadata, where logged.
Git history may contain personal data because commits commonly include names, email addresses, timestamps, messages, comments, and signatures.
3.6 Wiki, Issue, Merge Request, and Collaboration Content
NobGit may collect and store collaboration content, including:
- Wiki pages.
- Wiki history.
- Issue titles.
- Issue descriptions.
- Issue comments.
- Issue labels.
- Issue milestones.
- Issue assignments.
- Issue status fields.
- Merge request titles.
- Merge request descriptions.
- Merge request comments.
- Merge request review data.
- Merge request state and metadata.
- Fork requests.
- Fork metadata.
- Stars.
- Follows.
- Repository activity records.
- Notifications and notification state, where available.
Public issues, public wikis, public merge requests, public comments, and public repository activity may be visible to anyone.
3.7 Organization, Team, and Permission Data
NobGit may collect and store organization and access-control data, including:
- Organization names.
- Organization descriptions.
- Organization settings.
- Organization ownership data.
- Organization membership records.
- Organization roles.
- Team names.
- Team descriptions.
- Team membership records.
- Team permissions.
- Repository collaborator records.
- Repository permission levels.
- Invitations.
- Access grants.
- Role changes.
- Access history, where logged.
3.8 Uploads and Files
NobGit may collect and store uploaded files, including:
- Profile images.
- Avatars.
- Repository-related uploads.
- Issue attachments, where supported.
- Wiki attachments, where supported.
- Images embedded or uploaded through platform features.
- File metadata such as names, paths, MIME types, sizes, and timestamps.
3.9 Operational, Log, Security, and Abuse Data
NobGit may collect operational data needed to run, protect, debug, investigate, and improve the service.
Operational data may include:
- IP addresses.
- Request metadata.
- Browser metadata.
- Device metadata.
- User-agent strings.
- Referrer information, where available.
- Login events.
- Logout events.
- Session events.
- Token use metadata.
- SSH access metadata.
- Git access metadata.
- Account activity metadata.
- Error logs.
- Application logs.
- Security logs.
- Server logs.
- Abuse reports.
- Security reports.
- Copyright reports.
- Moderation notes.
- Enforcement history.
- Cloudflare request metadata.
- Cloudflare security events.
- Cloudflare filtering data.
- Cloudflare Tunnel metadata.
- Hetzner hosting metadata.
- Hetzner server, storage, backup, and infrastructure metadata.
4. Why NobGit Uses Data
NobGit uses data to:
- Create and manage user accounts.
- Authenticate users.
- Keep users signed in.
- Protect account actions.
- Provide Git hosting.
- Provide repository pages.
- Provide Git push, pull, clone, and fetch access.
- Provide SSH access.
- Provide repository visibility and permission controls.
- Provide issues, comments, labels, and milestones.
- Provide wiki features.
- Provide merge request and fork request features, where available.
- Provide organization and team features.
- Provide stars, follows, and activity features.
- Manage SSH keys, GPG keys, passkeys, OTP, and access tokens.
- Verify signed commits where signature verification is available.
- Send transactional emails.
- Send verification, password, security, and account emails.
- Detect abuse.
- Investigate spam, phishing, malware, credential leaks, harassment, and illegal content.
- Respond to copyright, security, and abuse reports.
- Debug errors.
- Maintain uptime.
- Protect infrastructure.
- Prevent account compromise.
- Enforce NobGit policies.
- Comply with legal obligations.
- Restore service after accidents, failed deployments, corruption, or outages.
5. Repository Content and Public Visibility
Repository content may be public or private depending on repository settings.
Public repositories, public issues, public wikis, public merge requests, public comments, public profiles, and public organization pages may be visible to anyone.
Public Git content may be cloned, copied, cached, indexed, archived, mirrored, downloaded, forked, or shared by users, search engines, external systems, public archives, and third parties.
NobGit cannot control what others do with public content after it has been accessed.
Private repositories are intended to be visible only to authorized users, teams, organizations, and system components required to operate NobGit.
Users should avoid storing passwords, private keys, API tokens, database credentials, session cookies, secrets, or sensitive personal data in any repository unless they fully understand the risk and maintain their own security process.
6. Cookies and Local Storage
NobGit currently uses only necessary cookies and browser storage needed to provide the service, keep users signed in, protect account actions, protect forms and requests, and remember basic user interface choices.
NobGit may use:
- Session cookies: used to keep users signed in and store short-lived login, verification, OTP, passkey, and signup state.
- Security cookies or tokens: used to protect forms, requests, sessions, and account actions against misuse.
- Local browser storage: used for the nobgit-theme preference so the site can remember dark mode or light mode.
NobGit does not currently use analytics cookies, advertising cookies, marketing pixels, cross-site tracking cookies, behavioral advertising tools, or third-party tracking scripts.
Because the current cookies and browser storage are necessary for login, security, or a user-requested display preference, NobGit does not currently show a cookie consent banner.
If NobGit later adds analytics, advertising, tracking, embedded marketing tools, or any non-essential third-party cookies or scripts, NobGit will update this notice and add a real cookie consent mechanism before those tools run.
7. Legal Bases for Processing
Depending on the user's location, NobGit may rely on different legal bases for processing personal data.
- Contract: to provide the NobGit service, accounts, repositories, Git hosting, authentication, security features, and requested platform features.
- Legitimate interests: to secure the service, prevent abuse, detect attacks, debug issues, maintain reliability, improve operations, and protect users.
- Legal obligation: to comply with applicable legal duties, law enforcement requests, copyright claims, abuse investigations, regulatory requirements, or valid legal process.
- Consent: where NobGit later adds optional features that legally require consent.
8. Providers and Subprocessors
NobGit uses providers to operate the service. These providers may process data as needed to provide hosting, traffic delivery, security, domain, email, backup, logging, or operational services.
- Hetzner: server hosting, storage, database, repository data, Git objects, uploads, logs, and backups.
- Cloudflare: DNS, proxying, Cloudflare Tunnel, traffic delivery, TLS-related handling, security filtering, request metadata, and traffic protection.
- Email or SMTP provider: transactional email delivery, if email delivery is configured.
- Other providers: security, monitoring, backup, domain, logging, or operational services if NobGit adds them later.
NobGit should keep a separate subprocessor or provider list when providers change or become more specific.
9. International Transfers
NobGit is hosted on an EU-Central Hetzner server.
Cloudflare and other providers may operate infrastructure, security systems, support systems, request routing, or logs in multiple countries.
NobGit will try to use providers and configurations appropriate for an EU-hosted service, but users should understand that internet traffic, DNS, proxying, security filtering, provider logs, and support systems may involve cross-border processing.
10. Retention and Deletion
NobGit keeps data for as long as needed to provide the service, protect the platform, comply with legal obligations, resolve disputes, enforce policies, maintain backups, or operate security systems.
- Account data is kept while the account exists.
- Repository data is kept while the repository exists.
- Organization data is kept while the organization exists.
- Team and membership data is kept while needed for access control.
- Public Git history may remain visible while the repository is public.
- Private repository data remains stored while the repository exists and may also exist in backups.
- Issues, comments, wikis, merge requests, and fork requests are kept while the related content exists.
- SSH public keys are kept until removed by the user or account cleanup.
- GPG public keys are kept until removed by the user or account cleanup.
- Passkeys are kept until removed by the user or account cleanup.
- OTP data is kept while OTP is enabled or until account cleanup.
- Personal access tokens are kept until expiry, revocation, deletion, or cleanup.
- OAuth tokens and authorizations are kept until expiry, revocation, deletion, or cleanup.
- MCP authorizations are kept until revocation, deletion, or cleanup.
- Authorization codes and signup verification data are temporary.
- Logs may be retained for security, debugging, abuse handling, provider operations, and legal needs.
- Abuse, copyright, security, and enforcement records may be kept where needed to protect the service.
- Hetzner CPX22 Cloud Server backups are created daily and retained for exactly 7 days.
If a user deletes their account, NobGit attempts to delete the user account and personal repositories owned by that user.
Organization-owned repositories may remain if they belong to an organization.
Data may also remain in Git history, forks, clones, public archives, caches, logs, abuse records, security records, legal records, email records, provider systems, or Hetzner CPX22 Cloud Server backups until the relevant backup expires through the 7-day backup rotation.
11. Backups
NobGit uses Hetzner CPX22 Cloud Server backups. These backups are created daily and retained for exactly 7 days.
Backup data may include account data, repository data, Git objects, wiki content, issue content, merge request content, fork request data, uploaded files, avatars, profile data, settings, organization data, team data, permission data, SSH public keys, GPG public keys, passkey data, token records, logs, security records, provider metadata, and other operational data stored on the server at the time the backup is created.
Deleted or changed data may remain inside these backups until the relevant backup expires and is removed through the 7-day backup rotation.
Backups are used for recovery after accidents, technical failures, failed deployments, data corruption, database issues, security incidents, server problems, or hosting problems.
Backups are not a guarantee that every file, repository, issue, wiki page, setting, account, Git object, upload, token record, key, organization, team, permission record, or other piece of data can always be restored.
Users should keep their own local Git copies and independent backups of important repositories.
12. Security
NobGit uses technical and organizational security measures intended to protect accounts, repositories, and platform operations.
Security measures may include:
- Account authentication.
- Password hashing.
- Session handling.
- CSRF protection.
- Access controls.
- Repository permissions.
- Organization roles.
- Team permissions.
- SSH public key authentication.
- GPG key storage and signature verification.
- Optional OTP authentication.
- Optional passkey authentication.
- Token hashing.
- Token scopes and expiration.
- No-store response headers where used.
- Cloudflare traffic handling.
- Cloudflare security filtering.
- Server-side access controls.
- Logging and security investigation records.
No service can promise perfect security. Users are responsible for using strong passwords, protecting email accounts, protecting passkeys, protecting SSH keys, protecting GPG keys, rotating exposed secrets, keeping local devices secure, and avoiding the upload of sensitive credentials into repositories.
13. Data Shared by Users
Users may choose to make repositories, profiles, organizations, issues, wikis, comments, merge requests, fork requests, stars, follows, keys, or other information public.
Public information can be accessed by others. NobGit cannot prevent other people from copying or storing public content.
Users should not publish personal data about other people unless they have the right to do so.
14. Data from Git Commits
Git commits often contain names, email addresses, timestamps, signatures, commit messages, and other metadata.
This metadata may be visible in repository history. In public repositories, this metadata may be visible to anyone.
Rewriting Git history may not remove already-cloned copies, forks, mirrors, caches, public archives, or backup copies.
15. Abuse, Security, and Legal Handling
NobGit may review accounts, repositories, issues, wikis, logs, provider metadata, and other records when investigating abuse, malware, phishing, spam, credential leaks, copyright infringement, harassment, illegal content, security incidents, or service abuse.
NobGit may preserve data where needed to investigate incidents, protect users, prevent repeat abuse, comply with legal obligations, enforce policies, or respond to valid legal requests.
NobGit may restrict accounts, repositories, organizations, Git access, SSH access, web access, API access, tokens, or other features when needed to protect the service.
16. User Rights
Depending on where you live, you may have rights to access, correct, delete, restrict, object to processing, or request portability of your personal data.
You may also have the right to withdraw consent where processing is based on consent.
To request access, correction, deletion, restriction, objection, or portability, contact: support@nobgit.com
Some requests may be limited where NobGit must keep data for security, abuse handling, legal compliance, backup integrity, fraud prevention, dispute handling, operational continuity, or protection of other users.
If data exists in a Hetzner CPX22 Cloud Server backup, it may remain there until the relevant daily backup expires through the exact 7-day retention period.
17. Account Deletion
If account deletion is available, deleting an account may remove the user profile and personal repositories owned directly by that account.
Deletion may not remove content owned by organizations, content copied by other users, Git commits already cloned by others, public archives, provider logs, abuse records, security records, legal records, email records, or backup copies.
Some user identifiers may remain in Git history, issue history, audit-style records, logs, or collaboration records where needed for repository integrity, security, legal compliance, or abuse prevention.
18. Children and Age Requirement
NobGit is not intended for children under 13.
Users must meet the age requirement in the Terms of Service. If NobGit learns that an account violates the age rule, the account may be restricted or deleted.
19. No Sale of Personal Data
NobGit does not sell personal data.
NobGit does not use private repository content for advertising.
NobGit does not currently use advertising cookies, behavioral advertising, marketing pixels, or third-party tracking scripts.
Public content may be viewed, indexed, cloned, copied, or archived by others if it is made public by the user.
20. Changes to This Page
NobGit may update this Privacy & Data Handling page from time to time.
Updates will be posted on this page with a new version number, effective date, or last updated date.
Continued use of NobGit after changes means the updated version applies.