Public Beta

Beta Privacy Policy

Effective March 16, 2026 · Last updated March 16, 2026

LabHit is currently in public beta. This Beta Privacy Policy describes how we handle your data during the beta period. A formal legal entity is being established, at which point this policy will be replaced with a full Privacy Policy.

Data Controller: LabHit — legal@labhit.dev

1. What We Collect

1.1 Account Data (via GitHub OAuth)

When you sign in, we collect from your GitHub profile:

Data	Purpose	Required
Email address	Account identification	Yes
Display name	Personalization	No
GitHub username	Account linking	Yes
GitHub numeric ID	Unique identifier	Yes
Avatar URL	Profile display	No

We request minimal OAuth scopes: read:user and user:email. We do not access your repositories, organizations, or code.

We do not store your GitHub access token. It is used once to retrieve your profile, then discarded.

1.2 Usage Data

Data	Purpose
Build minutes consumed	Usage tracking
Pipeline run metadata	Service operation
Event timestamps	Usage period calculation

1.3 Technical Data (Not Stored Persistently)

Data	Purpose	Storage
IP address	Rate limiting	In-memory only (60s window), never saved to database
HTTP method and path	Performance monitoring	Server logs only

We do not collect: browser fingerprints, location data, tracking cookies, or advertising identifiers.

1.4 Waitlist Data

If you signed up for the launch waitlist on labhit.dev, we collected your email address (stored in Cloudflare KV). You may request deletion at support@labhit.dev.

2. How We Use Your Data

Purpose	Legal Basis (GDPR)
Provide and operate the service	Legitimate interest (Art. 6(1)(f))
Authenticate your identity	Legitimate interest
Rate limiting and abuse prevention	Legitimate interest
Communicate service updates	Legitimate interest

We do not use your data for advertising, profiling, sale to third parties, or training machine learning models.

3. Cookies

We do not use cookies. Authentication uses JWT tokens in HTTP headers only.

4. Data Sharing

Service	Data Shared	Purpose
GitHub (Microsoft)	OAuth authorization code	Authentication
Cloudflare	IP address (in transit)	CDN, DNS

We do not sell or rent your data.

5. Data Storage and Security

Your data is stored in a SQLite database on a server located in Germany (EU). Security measures include:

TLS encryption for all data in transit
Authentication tokens stored as HMAC-SHA256 hashes (never plaintext)
Server protected by firewall, SSH key authentication, and intrusion prevention
Security headers on all API responses (HSTS, CSP, X-Frame-Options)

6. Data Retention

Data	Retention
Account data	Duration of account
Sessions	30 days or until logout
Usage events	Duration of account
Server logs	90 days

You may request deletion of your data at any time by emailing legal@labhit.dev.

7. Your Rights (GDPR)

You have the right to: access, rectify, erase, restrict processing of, port, and object to processing of your personal data. You may also withdraw consent at any time (revoke GitHub OAuth via GitHub settings).

To exercise any right, email legal@labhit.dev. We will respond within one month.

Supervisory Authority

You may lodge a complaint with the Romanian ANSPDCP:

Address: B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, 010336 Bucuresti, Romania
Email: anspdcp@dataprotection.ro
Website: dataprotection.ro

If you are in another EEA state, you may contact your local data protection authority.

8. International Transfers

Account data is stored in the EU (Germany). GitHub and Cloudflare process some data in the United States under the EU-US Data Privacy Framework.

9. Children

The service is not directed to children under 16. We do not knowingly collect data from children under 16.

10. Changes

We may update this policy. Material changes will be communicated via email. For changes to processing purposes, we will seek explicit consent.

11. Contact

Legal: legal@labhit.dev
Security: security@labhit.dev
Support: support@labhit.dev