Privacy & Security

How GitCloud handles your data

We believe in full transparency. This page explains exactly what GitCloud accesses, what it does with your data, and what it doesn't.

On this page

What is GitCloud?How Authentication Works What Permissions We Request What GitCloud Does What GitCloud Does NOT Do Data We Store Revoking Access Security Measures Open Source & Transparency Contact

01What is GitCloud?

GitCloud is a web-based file manager that uses your GitHub account as cloud storage. It lets you upload, preview, organize, and share files stored in your GitHub repositories — without using Git commands or the GitHub interface directly.

GitCloud does not have its own storage. Every file you upload is stored in your GitHub repositories, subject to GitHub's own terms and limits.

02How Authentication Works

GitCloud uses GitHub OAuth for sign-in. When you click "Continue with GitHub", you are redirected to GitHub's own login page. GitCloud never sees, handles, or stores your GitHub password.

After you authorize, GitHub provides GitCloud with an access token scoped to the permissions you granted. This token is encrypted at rest (AES-256) and stored in a server-side SQLite database so your session persists across server restarts. The token is never exposed to the browser in plain text.

03What Permissions We Request

repoRepository access (read & write)

Required to list your repositories, read file contents, upload new files, create folders, rename and delete files. This is the core functionality of GitCloud.

delete_repoDelete repositories

Required to delete repositories you no longer need, directly from the GitCloud dashboard.

user:emailEmail address (read only)

Used to display your profile information. We do not send emails or share your address with anyone.

04What GitCloud Does

Lists your repositories and their contents via the GitHub API

Uploads files by creating commits in your repositories

Splits large files (over 20 MB) into chunks and stores a manifest file for reassembly on download

Auto-creates overflow repositories when a repo nears its storage limit (these are hidden from your dashboard but visible on GitHub)

Creates folders using a .gitkeep placeholder file

Previews images, audio, video, code, and markdown files

Generates shareable public links for individual files

Displays storage usage statistics calculated from actual file sizes across all linked repos

05What GitCloud Does NOT Do

We do not store your GitHub password — ever

We do not store your files on our servers — everything lives on GitHub

We do not modify your code, branches, or commit history beyond file operations you initiate

We do not access repositories belonging to other users

We do not sell, share, or transfer your data to third parties

We do not use your data for analytics, advertising, or training

We do not run any background operations on your repos when you're not actively using GitCloud

06Data We Store

GitCloud stores minimal data in a server-side SQLite database:

Encrypted access token — Your GitHub OAuth token is encrypted with AES-256 and stored so your session persists across server restarts. It is deleted when you log out.

Share links — When you create a shareable link, we store a record containing: the share ID, your username, repository name, file path, and creation date. No file content is stored — the file is fetched from GitHub when someone opens the link.

Repo group mappings — When GitCloud auto-creates overflow repositories, we store a mapping between the primary repo and its overflow repos so they can be managed as one unit.

We do not maintain user profiles, usage logs, browsing history, or any analytics data about you.

07Revoking Access

You can revoke GitCloud's access to your GitHub account at any time:

1. Go to GitHub Settings → Applications 2. Find GitCloud in the list 3. Click Revoke

Once revoked, GitCloud can no longer access any of your repositories. Any active sessions will stop working immediately.

08Security Measures

GitHub tokens are encrypted at rest using AES-256-CBC

All API inputs are validated — repository names, file paths, and folder names are checked for path traversal and injection attacks

Rate limiting is enforced on all API endpoints (300 req/15min), uploads (60/15min), and auth (20/15min)

Security headers are set via Helmet: HSTS, X-Frame-Options (DENY), X-Content-Type-Options, Referrer-Policy, and Permissions-Policy

File previews serve HTML and SVG as plain text to prevent cross-site scripting (XSS)

CORS is restricted to the GitCloud frontend domain only

All traffic is served over HTTPS

09Open Source & Transparency

GitCloud's source code is publicly available. You can inspect exactly what the application does, how tokens are handled, and what API calls are made. There is no hidden or obfuscated behavior.

If you find a security concern, please report it via GitHub issues.

10Contact

If you have questions about this policy or GitCloud's security practices, you can reach out via GitHub:

github.com/SameerMatoria

Comfortable with how GitCloud works?

Get Started Back to Home