Privacy Policy
last updated 2026-06-28 · phase 0 private alpha · operated by flndrn (Cyprus)
This Privacy Policy explains what data konnos collects, why, and what you can do about it. The data controller is flndrn, Arch. Makariou III 171, Vanezis Business Center, 4th floor, 3027 Limassol, Cyprus, the operator of konnos. It should be read together with our Terms of Service.
1. What we collect
- Account data: your email address, an optional display name, the identifier from any OAuth provider you sign in with, and an avatar URL if you sign in with Google or GitHub.
- Repository data & metadata: the repositories you create and information about them (names, branches, issues, collaborators, webhooks). We store these to host your repositories for you.
- SSH public keys you add, so we can authenticate your Git pushes and pulls.
- Operational telemetry: request paths, response codes, and latency, used to keep the service healthy.
- IP-derived identifiers: hashed with a server-side pepper (a secret value mixed in before hashing). Your plaintext IP address is never written to disk.
- Billing data (only when paid tiers launch): a billing email and a processor token. No card details ever touch konnos infrastructure.
2. What we do NOT collect
- We do not read the contents of your private repositories beyond serving them to you and the collaborators you have authorised.
- No third-party advertising cookies, marketing trackers, or session-replay scripts.
- No plaintext IP addresses stored for advertising or profiling.
3. Why we process it
Under Article 6 of the GDPR, we rely on: performance of our contract with you (running the service you signed up for); our legitimate interests (keeping the platform secure and reliable, preventing abuse); compliance with our legal obligations; and your consent where it applies.
4. Who we share with
We share data only with the processors listed on our subprocessors page, each engaged under a data-processing agreement (DPA). We do not sell your data. We disclose data to law enforcement only when we are legally compelled to, and we challenge demands that are overly broad.
5. Retention
We keep your account and repository data while your account is active. After deletion, data enters a 30-day soft-delete window before being permanently removed. Audit logs are retained for 13 months. Backups are kept for 30 days on a rotating basis.
6. Security
We protect data with TLS 1.3 in transit; AES-256-GCM encryption for secrets at rest; bcrypt hashes for any passwords; SHA-256 hashes for API keys; and constant-time comparison to resist timing attacks. SSH access is key-only. If you find a vulnerability, please report it privately through our contact form rather than disclosing it publicly.
7. International transfers
konnos is hosted in the EU on Hostinger infrastructure. Where a subprocessor is outside the EU, transfers are covered by Standard Contractual Clauses (SCCs) plus supplementary measures. See the subprocessors page for the full list and their locations.
8. Your rights
Subject to applicable law, you have the right to access, rectify, and erase your data (Settings → delete, with a 30-day reversal window), to port it (Git is portable and we provide a data export), to restrict or object to processing, and to withdraw consent. You can also lodge a complaint with your data protection authority. Make a request via our contact form; we aim to acknowledge within 72 hours and resolve within 30 days.
9. Cookies
We use only essential, first-party session cookies — for example konnos.session and a CSRF token — set as HTTP-only. We use no advertising or analytics cookies, so no consent banner is needed.
10. Children
konnos is not intended for anyone under 16. If we learn that we hold data about a child under 16, we will erase it.
11. Updates
We may update this policy from time to time. For material changes, we will announce them and email registered users at least 30 days in advance, and we will revise the "last updated" date at the top of this page.
12. Contact
For any questions about this document or to make a request, please reach us through our contact form. We do not publish a direct email address.