github unlistedSign In

Privacy Policy

Last updated: 19 May 2026

This Privacy Policy explains how the Unlisted Repo service ("the Service", "we", "us") collects, uses, retains, and discloses information when you use www.github-unlisted.com. The Service is operated by Rév ("the Operator"). By using the Service you agree to the practices described below.

1. Data Controller and Contact

The data controller for the purposes of the EU and UK General Data Protection Regulation (GDPR) is the Operator. For any privacy enquiry, or to exercise the rights set out in this policy, contact: oconnerrev@gmail.com. The source code is publicly available at the project repository.

2. Summary

The Service lets a repository owner share a private GitHub repository as a read-only link. The Operator does not, in the ordinary course of operating the Service, access the contents of your repositories. Repository content is retrieved from GitHub on demand and rendered to the viewer. It is not stored, cached, or logged by the Service. As with any GitHub App, the Service is technically capable of reading the repositories you grant it; the Operator does not exercise that capability, and you can revoke access at any time through GitHub.

3. Information We Collect

We collect the minimum information required to operate the Service:

  • Account identity. When you sign in with GitHub, we receive your GitHub username, your numeric GitHub user identifier, and the list of GitHub App installations you control. This information is held only in a signed, HTTP-only session cookie stored in your browser. It is not written to any server-side database.
  • Share configuration. When you create a share link, we store a record containing the GitHub installation identifier, the repository owner and name, a creation timestamp, and an optional expiry. Each link is identified by a random, opaque identifier. No repository content and no access credentials are stored.
  • Authentication tokens. During sign-in, a short-lived GitHub user access token is used in memory only, solely to confirm your identity and list your installations. It is never persisted. Server-side installation tokens used to read repositories are short-lived and never sent to the browser.
  • Repository content. Not collected. It is fetched live from GitHub for each request and streamed to the viewer. It is not stored, cached, or logged by the Service.
  • Operational data. Our infrastructure providers process standard technical data (such as IP address and request metadata) in server logs for security, reliability, and abuse prevention. We do not operate third-party analytics, advertising, or tracking technologies.

4. Cookies

The Service uses strictly necessary, first-party cookies only: a signed session cookie that keeps you authenticated, and a short-lived state cookie used to protect the sign-in flow against cross-site request forgery. No advertising, analytics, or cross-site tracking cookies are used, so no cookie consent banner is required for non-essential cookies.

5. How We Use Information

Information is used exclusively to:

  • authenticate you and identify the installations you control;
  • create, display, and manage share links, and render the repositories you have chosen to share;
  • enforce access controls, link expiry, and revocation; and
  • maintain the security and integrity of the Service.

We do not use your information for marketing, profiling, or automated decision-making, and we do not sell or share it for cross-context behavioural advertising.

6. Legal Bases for Processing (GDPR)

Where the GDPR applies, we rely on the performance of a contract (Article 6(1)(b)) to provide the Service you request, and on our legitimate interests (Article 6(1)(f)) in operating the Service securely and preventing abuse. You may object to processing based on legitimate interests as described in your rights below.

7. Disclosure and Sub-Processors

We do not sell your personal information and have no commercial interest in it. We rely on the following processors strictly to deliver the Service:

  • GitHub as the source of repository data and identity (GitHub App and OAuth).
  • Vercel for application hosting and request handling.
  • Upstash for the key-value store that holds share-link records.

Each processor maintains its own privacy and security practices. We may also disclose information where required by law.

8. Data Retention

  • The session cookie expires approximately seven days after sign-in, or sooner if you sign out.
  • A share-link record is retained until you revoke the link, the link reaches the expiry you set, or the GitHub App is uninstalled or repository access is removed, at which point associated records are purged.
  • Repository content is never retained.

9. International Transfers

The Service and its processors operate on infrastructure that may be located outside your country of residence, including the United States. Where personal data is transferred internationally, the relevant processors apply their own lawful transfer safeguards.

10. Your Rights

Subject to applicable law, you have the right to access, correct, delete, restrict, or object to the processing of your personal information, and the right to data portability. If you are a California resident, you have the right to know, the right to delete, the right to correct, the right to opt out of the sale or sharing of personal information (we do not sell or share it), and the right not to receive discriminatory treatment for exercising your rights.

You can exercise most of these rights yourself and immediately: revoke a share link from your dashboard, and grant or revoke repository access, or uninstall the GitHub App, from your GitHub settings. Revocation takes effect at once. For any other request, contact oconnerrev@gmail.com.

11. Security

Access credentials are held server-side only, are short-lived, and are never placed in a URL or sent to the browser. Share links contain only an opaque identifier. Session cookies are signed and verified. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.

12. Children

The Service is not directed to children and is not intended for use by anyone under the age required to hold a GitHub account in their jurisdiction. We do not knowingly collect information from children.

13. Changes to This Policy

We may update this policy from time to time. The date at the top of this page indicates when it was last revised. Continued use of the Service after changes take effect constitutes acceptance of the revised policy.

14. Contact

Questions about this policy or our handling of your information can be sent to oconnerrev@gmail.com, or raised on the project repository.