Privacy Policy

gitHtml is built around a simple promise: your content stays on your device, and nothing that leaves it is linked to you. This page lists every byte the app touches and where it goes, so you can decide whether that promise holds.

The short version

• Your docs, notes, favorites, recents, and GitHub token never leave your device.
• Two anonymous data flows do leave the device: an anonymous purchase record (RevenueCat, required to honor your subscription) and anonymous onboarding-funnel analytics (TelemetryDeck, used to fix drop-off points). Neither is linked to your identity. Both are detailed below.
• No ads, no ad SDKs, no tracking, no profiles, no resale of data, ever.

What stays on your device

• GitHub access token → iOS Keychain (encrypted by iOS).
• List of connected repositories → local SwiftData store.
• Cached HTML files → app sandbox file system.
• Notes → local SwiftData store.
• Favorites and Recents → local SwiftData store.
• Onboarding answers (the multiple-choice questions during first-run) → local UserDefaults. These never leave the device. They are used inside the onboarding flow only — to tailor the framing of the next slide — and have no role outside it.

Nothing in this list is transmitted off your device.

What does leave the device

Only two things, both anonymous. Each is below in full.

1. The GitHub connection

The app authenticates to GitHub using GitHub's official GitHub App install flow with PKCE. You authorize specific repositories with Read access to code — nothing else. No write access, no organization data, no actions on your behalf.

The OAuth code-for-token exchange runs through a small serverless function at https://githtml.com/oauth/callback. This function:

• Receives the GitHub OAuth code redirect.
• Calls github.com/login/oauth/access_token with the app's client_id and client_secret.
• Redirects back to the app's custom URL scheme (githtml://) with the resulting access token in the URL.

The function is stateless. It does not log the code, the token, or any user identifier. The GitHub client secret lives only in Vercel's environment variables; it has never shipped in any binary.

Once the token arrives back in the iOS app it lives in the iOS Keychain, never written to disk in plaintext, never transmitted anywhere except directly to api.github.com over TLS.

2. Purchases (RevenueCat)

gitHtml is free to download. After onboarding, the app uses in-app purchases:

• Monthly subscription — $4.99 / month
• Annual subscription — $29.99 / year (includes a 7-day free trial)
• Lifetime — $59.99 once

Apple processes the actual purchase via StoreKit. gitHtml uses RevenueCat to verify your purchase receipt and decide whether to unlock the app on this device. To do that, RevenueCat's SDK sends Apple's StoreKit receipt to its servers.

Our RevenueCat integration is configured with appUserID: nil, which means an anonymous, per-install identifier is used. RevenueCat sees a purchase happened on some anonymous install — not who you are, not your email, not your Apple ID. We cannot connect a RevenueCat record back to a specific person either; the link does not exist.

This is what Apple's App Privacy questionnaire labels as “Purchase History · Not Linked to Identity”. It is used for two purposes only:

• App Functionality — checking whether your install has an active entitlement, so the app unlocks.
• Analytics — RevenueCat's aggregate dashboard (total subscribers, churn, conversion percentages) so we know whether the pricing works.

It is not used for tracking: no ad attribution, no cross-app or cross-website profile, no sharing with data brokers.

RevenueCat's own privacy policy: revenuecat.com/privacy.

3. Onboarding analytics (TelemetryDeck)

gitHtml uses TelemetryDeck to measure where people drop off during the first-run onboarding and sign-in. Without this, fixing a confusing slide would mean guessing.

The integration is deliberately the minimum the SDK supports. We never pass a clientUser identifier, which means TelemetryDeck assigns an opaque, per-install identifier that is one-way hashed at the source and cannot be reversed back to a device, account, or person. No email, no Apple ID, no IP-derived profile, no IDFA.

What we log: anonymous events like “onboarding slide N reached,” “paywall viewed,” “sign-in succeeded.” That's the whole list. No content of any document, no note text, no repository names, no GitHub usernames.

Apple's App Privacy questionnaire treats integrations of this shape — anonymous, no linked identifier, no tracking — as “No data collected”, which is why TelemetryDeck does not appear in the App Store privacy card even though the SDK is in the app.

TelemetryDeck's own privacy policy: telemetrydeck.com/privacy.

What gitHtml does not do

• No advertising SDKs (no AppsFlyer, no Branch, no IDFA).
• No identity-linked analytics SDKs (no Firebase, Mixpanel, Amplitude, Sentry, Crashlytics, Bugsnag).
• No gitHtml server that sees your documents, notes, or repository contents.
• No selling of data to third parties — there is nothing identity-linked to sell.
• No analytics scripts on this website. Vercel — the host — keeps standard HTTP request logs (IP, user-agent, request path) for around 30 days for abuse prevention; we do not aggregate or look at them.

Deleting your data

Three options inside the app, in increasing scope:

1. Settings → Disconnect a single repository — removes that repo's index and cached files. Other repos and the GitHub connection stay intact.
2. Settings → Delete all data — wipes every cached file, every note, every favorite, every recent, and your onboarding answers. Your GitHub token stays so you can sync fresh without re-authorizing.
3. Settings → Disconnect GitHub — does Delete all data, plus removes your GitHub token from the iOS Keychain.

You can also revoke gitHtml's access on GitHub's side: github.com → Settings → Applications → Authorized GitHub Apps → gitHtml → Revoke. This is server-side authoritative; the next time the app tries to call GitHub, it will fail with a 401.

Managing your subscription

Subscriptions are managed by Apple, not by gitHtml. Cancel, change tier, or request a refund via iOS Settings → Apple ID → Subscriptions. Subscriptions auto-renew unless cancelled at least 24 hours before the end of the current period. Restore Purchase is available on the paywall and in Settings.

Children

gitHtml is rated 4+ on the App Store and contains no objectionable content, but it is built for developers reading their own repositories and is not directed at children. We do not knowingly collect data from children under 13.

Changes to this policy

If a future version of gitHtml changes the data picture — adds a cloud sync feature, swaps an analytics provider, anything material — this page will be updated and the change will be called out in the App Store “What's New” for that release. The “last updated” date at the top of this page reflects the most recent change.

Contact

Privacy questions: support@wavetechhq.com.