What we scan
- Your public GitHub account — repositories, commits you authored, README files, manifests, first-party source files, pinned projects. Source is analyzed in chunks: small and medium repositories are read end to end, while very large repositories are read in prioritized batches with coverage tracking. If you connect private repos or orgs via the OAuth flow, we only read repositories you explicitly grant access to.
- Your LinkedIn profile URL, if you provide one — fetched from the public page using a server-side headless browser with a Googlebot user agent. We never log into LinkedIn, and we don't ask for your password.
- Socials and blog URLs you give us during intake — Twitter / X, personal site, dev.to, Medium, Substack, etc.
- Public search results we fetch when corroborating claims — HN threads, conference pages, interviews you opted into.
Where it lives
- Cloudflare R2— scan snapshots, structured analysis, images used in your portfolio, knowledge-graph JSON. Raw repository source chunks are pass-through inputs to inference; we don't retain them as portfolio content.
- Cloudflare D1 — your account record, scan metadata, subscription state, and minimal analytics events.
We don't sell data. We don't ship it to ad networks. The only third parties that see your data are the providers we use to deliver the product: Cloudflare (hosting, storage, auth), OpenRouter (LLM inference for scan stages), TinyFish (headless browser fetches), Resend (transactional email), and Dodo Payments (billing).
Visitor analytics
When someone reads your portfolio, we record the page, referrer, country, device, and browser. There's no third-party script and no reader-side identifier we can use to track the same person across the internet — visits are counted via a salted, non-reversible cookie scoped to your gitshow profile (gs_v), rotated regularly. No IP addresses or user agents are stored alongside events.
LinkedIn note
We don't use any LinkedIn OAuth product. We fetch your public profile page using a server-side headless browser and extract the text server-side. If your profile is login-walled, we fall back to a PDF you can upload from LinkedIn's built-in "Save to PDF" export.
Retention & deletion
You can delete your account at any time from the app. Deletion purges your D1 rows and the R2 keys under your handle; scans are removed in a background job within ~24 hours. If you cancel your subscription without deleting, your published portfolio stays live as a read-only page until you either re-subscribe or delete the account.
Children
gitshow is built for working developers and is not directed at children under 13. If you believe a child has signed up, email us and we'll remove the account.
Contact
Questions or a data request? Email yatendra@gitshow.io.