Privacy Policy
Last updated 21 June 2026
This policy explains what personal data Gistly collects, why, how long it is kept, and the rights you have over it. It covers the website at gistly.dev and the HTTP API at api.gistly.dev.
Who is responsible for your data
The controller responsible for processing your personal data is:
Drazen BebicPostfach 0029
1190 Vienna
Austria
Email: hello@gistly.dev
What never leaves your browser
The mock-data generator runs the language model entirely on your device using WebGPU. The prompts you type and the data it generates are processed locally and are never sent to us — unless you choose to save the result as a gist, at which point the gist data is handled as described below.
What data we collect and why
We only collect what the service needs to function.
Account data (when you sign in with GitHub)
Signing in is optional and uses GitHub OAuth. When you sign in we store your GitHub username, display name, email address, and avatar URL, together with the identifier of your GitHub account, so we can create and maintain your account.
Legal basis: performance of a contract (Art. 6(1)(b) GDPR).
Sessions and authentication cookies
When you are signed in we set an essential, HTTP-only cookie holding an opaque session token; the database stores only a one-way (SHA-256) hash of that token, never the token itself. A short-lived cookie is also used during the GitHub sign-in flow to protect against cross-site request forgery.
Legal basis: legitimate interest in operating a secure service and performance of a contract (Art. 6(1)(b), (f) GDPR).
API keys
If you create an API key, we store its label, a one-way (SHA-256) hash of the key, a short non-secret display prefix, and the time it was last used. The full key is shown to you only once, at creation, and is never stored in a recoverable form.
Legal basis: performance of a contract (Art. 6(1)(b) GDPR).
Gists you create
A gist stores the snippet content you enter and its display settings (language, indentation, wrapping) and visibility (public, unlisted, or private). Gists can be created without an account, in which case they have no owner. If you are signed in, the gist is linked to your account.
Legal basis: performance of a contract and your consent in submitting the content (Art. 6(1)(a), (b) GDPR).
Technical and usage data
Our hosting and security providers automatically process technical data such as your IP address, browser type, and request metadata in server logs, for analytics, and for abuse prevention and rate limiting. We use privacy-friendly, cookieless analytics that do not build cross-site profiles of you.
Legal basis: legitimate interest in operating, securing, and improving the service (Art. 6(1)(f) GDPR).
Service providers we share data with
We do not sell your data. We share it only with the providers required to run Gistly, acting as our processors:
- GitHub, Inc. — authentication (OAuth sign-in).
- Vercel, Inc. — hosting, server logs, privacy-friendly analytics, performance metrics, and firewall / rate-limiting.
- Neon, Inc. — the managed database that stores your account, gists, and API-key records. Our database is hosted within the EU (Frankfurt, Germany — AWS eu-central-1), so this data does not leave the EU/EEA.
GitHub and Vercel are based in the United States, so using the service involves a transfer of certain data (such as your IP address and, if you sign in, your GitHub profile) to the US. These transfers are safeguarded by the EU Standard Contractual Clauses or an equivalent adequacy mechanism.
How long we keep your data
Account data is kept for as long as your account exists. Sessions expire automatically and are pruned after expiry. Gists are kept until you (or, for owned gists, an authorized request) delete them; deleting your account leaves any gists you created in place but unlinks them from you. Server logs are retained for a limited period by our hosting provider for security and operational purposes.
Your rights
Under the GDPR you have the right to access, rectify, erase, restrict, and port your personal data, and to object to processing based on legitimate interests. Where processing relies on consent, you may withdraw it at any time without affecting prior processing. To exercise any of these rights, contact us at hello@gistly.dev.
You also have the right to lodge a complaint with a supervisory authority. In Austria this is the Austrian Data Protection Authority (Österreichische Datenschutzbehörde, dsb.gv.at).
Security
Session tokens and API keys are stored only as one-way hashes, authentication cookies are HTTP-only and sent over HTTPS, and data is transmitted over encrypted connections. No system is perfectly secure, but we take reasonable measures to protect your data.
Children
Gistly is not directed at children and we do not knowingly collect personal data from anyone under the age of 16.
Changes to this policy
We may update this policy from time to time. Material changes will be reflected in the “last updated” date above, and where required we will seek your renewed consent.
Contact
Questions about this policy or your data? Email us at hello@gistly.dev.