Summary
GitFit creates a profile that combines verified GitHub contribution activity with Strava-derived fitness activity for the signed-in profile owner. We collect only the data needed to sign you in, connect your selected providers, sync your activity, generate your profile, and operate the service.
- GitFit does not sell personal data.
- GitFit does not use GitHub or Strava data for advertising, data broker services, surveillance, or AI model training.
- GitFit does not request private repository code, Strava maps, route streams, heart rate, calories, photos, comments, or kudos.
- Provider access tokens are encrypted before storage and are used only to provide GitFit features you requested.
Information We Collect
The exact data GitFit receives depends on the providers you connect and the profile settings you choose.
- Account and sign-in data: when you sign in with GitHub through Supabase Auth, GitFit receives authentication data such as your GitHub account identifier, username, email address when available, display name, and profile image URL as made available by GitHub and Supabase. GitFit stores your app user ID and uses your GitHub profile information to create your GitFit profile.
- Profile data: your handle, display name, selected profile photo source, avatar URL, public or private profile setting, and whether your GitHub or Strava profile links should be shown.
- GitHub connection data: your GitHub user ID, username, name, avatar URL, profile URL, email address when available, granted OAuth scopes, encrypted access token, connection timestamps, and sync timestamps.
- GitHub activity data: authenticated contribution calendar data for the sync range, including daily contribution counts, contribution levels, total contributions, and contribution breakdowns for commits, issues, pull requests, and reviews. GitFit does not store repository names, repository code, private repository contents, issue text, pull request text, or review text.
- Strava connection data: your Strava athlete ID, username when available, profile image URL, granted scopes, encrypted access token, encrypted refresh token, token expiration time, connection timestamps, and sync timestamps.
- Strava activity data: GitFit requests Strava activity data available under the activity:read scope. The sync process keeps start date, moving time, distance, activity type, and sport type long enough to compute daily aggregates. GitFit stores daily aggregate activity count, moving time, distance, a display level, and the fact that Strava was the source. GitFit does not persist raw Strava activities.
- Operational data: sync status, provider error codes or short error messages, webhook routing metadata such as Strava athlete ID for deauthorization handling, security logs, and basic technical logs needed to operate and protect the service.
- Cookies and local storage: GitFit and Supabase use cookies or similar storage for authentication sessions, OAuth state protection, security, and service operation.
How We Use Information
- Authenticate your account and maintain your session.
- Create and maintain your GitFit profile.
- Use GitHub as your sign-in identity and connect Strava only after you authorize it.
- Sync activity from connected providers and convert it into the GitFit graph, stats, and profile views.
- Show public profile information when your profile is public and the related display setting is enabled.
- Let you select a GitHub or Strava profile image when that image is available.
- Detect revoked tokens, process Strava deauthorization webhooks, prevent duplicate syncs, debug service errors, secure the service, and comply with law.
Provider-Specific Disclosures
GitHub and Strava each control their own OAuth authorization screens and provider services. You should review the permissions shown by each provider before authorizing GitFit.
- GitHub:GitFit requests the read:user OAuth scope and uses GitHub's APIs to read your profile data and contribution counts. GitHub OAuth scopes limit what a token can access. GitFit does not request repository write access or private repository code access.
- Strava:GitFit requests the activity:read scope to calculate your fitness contribution layer. GitFit does not sell, license, disclose, or make Strava data available to advertisers or data brokers. Strava may monitor and collect usage data related to GitFit's access to the Strava API, as described in the Strava API Agreement.
What Other People Can See
GitFit profiles are public by default so your profile URL and SVG graph can work without a login. You can make your profile private from your owner controls.
- A public profile may show your handle, display name, selected avatar, GitHub username, GitHub profile link if enabled, GitHub contribution graph and metrics, and GitHub contribution breakdown.
- A public profile may show your Strava profile link if you enable that setting and GitFit has a valid Strava athlete ID.
- Public profile visitors do not see Strava-derived activity metrics. The signed-in profile owner can see Strava-derived aggregate counts, time, distance, levels, and derived activity metrics. GitFit does not display raw Strava activities, maps, routes, activity titles, descriptions, photos, heart rate, calories, comments, or kudos.
- When your profile is private, unauthenticated visitors cannot view your profile. You can still view and manage it while signed in.
How We Share Information
We share personal data only as needed to provide GitFit, follow your settings, use the providers you connect, protect the service, or comply with law.
- Service providers: GitFit uses infrastructure, hosting, authentication, database, logging, and security service providers such as Supabase and hosting/CDN providers. These providers process data for GitFit service operation.
- Connected providers: GitFit sends OAuth requests and API requests to GitHub and Strava when you sign in, authorize a provider, refresh access, or sync data.
- Public profile visitors: public profile data is visible to anyone who visits or embeds your public profile, subject to your profile settings.
- Legal and safety: we may disclose information if required by law, legal process, security incident response, abuse prevention, or to protect rights, safety, and service integrity.
- Business transfers: if GitFit is involved in a merger, acquisition, financing, or sale of assets, user data may be transferred as part of that transaction, subject to this policy or a policy with materially similar protections.
Retention and Deletion
- Account and profile data is retained while your GitFit account exists unless you delete it or ask us to delete it.
- Provider tokens are retained only while the provider connection remains active. Disconnecting a provider removes the stored provider connection and encrypted tokens.
- Disconnecting Strava or receiving a Strava deauthorization webhook clears stored Strava-derived daily aggregates and removes the Strava connection.
- You can delete Strava-derived data from your owner controls without deleting your GitHub activity.
- GitHub-derived daily contribution data is retained to power your profile history unless you delete your account or ask us to delete it.
- Operational logs and sync records may be retained for a limited period for security, debugging, abuse prevention, and legal compliance.
- Backups may retain deleted data for a short period until they expire through normal backup rotation.
Your Controls and Rights
- You can change your handle, display name, avatar source, public/private profile setting, and provider link visibility in your owner controls.
- You can disconnect Strava from GitFit. You can also revoke GitFit from the provider account settings at GitHub or Strava.
- You can request access, correction, export, or deletion of your personal data by contacting us.
- Depending on where you live, you may have additional rights to know, access, correct, delete, restrict, object to, or receive a copy of personal data.
- We will not discriminate against you for exercising privacy rights.
Security
GitFit uses HTTPS, OAuth state checks, encrypted provider token storage, provider token revocation handling, role-based database policies, and limited service-role access for server-side public profile rendering and sync jobs. No internet service can guarantee perfect security, but we use reasonable administrative, technical, and organizational safeguards for the type of data GitFit processes.
Children
GitFit is not directed to children under 13, and you must be at least 13 years old or the minimum age required in your country to use GitFit. Do not use GitFit if you are not old enough to consent to connected provider access.
International Transfers
GitFit and its service providers may process information in the United States and other countries where they operate. Data protection laws in those places may differ from the laws where you live.
Changes and Contact
We may update this policy as GitFit changes or legal requirements evolve. If a change materially affects how GitFit uses connected provider data, we will update this page and, when required, request renewed consent before using data in a new way.
Contact: privacy@gitf.it