Privacy Policy

Effective date: 23 May 2026 · Last updated: 26 May 2026 · Version 0.2

This Privacy Policy explains what personal data we process when you visit bitvibelabs.com (the “Site”), why we process it, how long we keep it, and the rights you have under applicable data-protection law (including the EU General Data Protection Regulation 2016/679 (“GDPR”) and the UK GDPR). Each individual BitVibe Labs product (gitdeployhub, gitaskhub, gitsafehub, gitllmhub, youasktube, keepgit, whatisgithub, explaingit, gitvibehub) publishes its own product-specific privacy notice; this Policy covers only the parent brand site at bitvibelabs.com.

Contents

Who We Are
Site Scope
Lawful Bases
Data We Collect
How We Use the Data
Cookies & Similar Technologies
Retention
Subprocessors
Your Rights
International Transfers
Security
Breach Notification
Children
Automated Decision-Making
Marketing Emails
Changes to This Policy
Contact

1.Who We Are (Data Controller)

BitVibe Labs is operated by a sole individual (“John”), a Greek tax resident, who is the data controller for the Site under Article 4(7) GDPR / UK GDPR and is responsible for the processing described in this Policy. We intend to incorporate BitVibe Labs Ltd in the United Kingdom; that company does not yet legally exist, so until it is registered at Companies House the named individual remains the controller. Within 14 days of incorporation we will update this Policy to name the company (with its registered number and registered office), and the company will assume responsibility for the processing from the date of registration. All data-protection enquiries: [email protected] or [email protected]. A postal address for service is available on request and will be published here once the business address is finalised.

Representatives & supervisory authority. The controller is currently a natural person established in the European Union (Greece). Because the controller is established in the EU, no EU representative under Article 27 GDPR is required — Article 27 applies only to controllers not established in the Union. The Site is also available to individuals in the United Kingdom; for that processing the controller relies on the exemption in UK GDPR Article 27(2)(a), as the processing carried out through this Site is not large-scale, includes no special-category or criminal-offence data, and is unlikely to result in a risk to individuals’ rights and freedoms. The competent supervisory authority for the current controller is the Hellenic Data Protection Authority (dpa.gr/en). If you are in the EU/EEA you may lodge a complaint with the Hellenic DPA or with the supervisory authority in your country of residence, place of work, or place of the alleged infringement (Article 77 GDPR); if you are in the United Kingdom you may complain to the Information Commissioner’s Office under the UK GDPR. When BitVibe Labs Ltd is incorporated and becomes the controller it will be a UK-established company; from that point it will not require a UK representative, and to the extent it continues to offer services to or monitor individuals in the EU it will appoint an EU representative under Article 27 GDPR unless the Article 27(2)(a) exemption continues to apply.

2.Site Scope

This Policy applies to bitvibelabs.com only - the parent brand site that lists our products and links to each one. Each individual BitVibe Labs product publishes its own privacy notice at its own product domain:

gitdeployhub.com/privacy/
gitaskhub.com/privacy/
gitsafehub.com/privacy/
youasktube.com/privacy/
Other products: notices published when each launches.

If you used a product (rather than this parent site), please consult the product-specific notice. This Policy is silent about the processing inside any product.

3.Lawful Bases

Legitimate interests - Article 6(1)(f) GDPR. Cloudflare edge logs (IP address, URL, user-agent) are processed under our legitimate interest in operating the Site securely and preventing abuse (see GDPR Recital 49 on network and information security). We have weighed these interests against your interests, rights, and freedoms and consider the processing proportionate.
Taking steps at your request / legitimate interests - Article 6(1)(b)/(f) GDPR. If you email us, we process your email address and the contents of your message in order to respond to your enquiry.

4.Data We Collect

Category	Specifics	Where stored
Network metadata	IP address, URL, referrer (if sent), User-Agent, timestamp - the standard request data Cloudflare records at its edge. We do not run a custom log pipeline (no Logpush, no analytics provider).	Cloudflare edge logs, retained per Cloudflare’s policy (typically ≤ 30 days for raw logs; aggregated metrics longer but unlinkable to identifiable visitors).
Email correspondence	If you email us at `[email protected]`, `[email protected]`, or any of our other addresses, we receive your email address and message contents.	Migadu (our mailbox provider, established in Switzerland).

The Site sets no cookies, runs no analytics, embeds no third-party tracking pixels, uses no fingerprinting, and does not write to localStorage or sessionStorage beyond what is strictly necessary for the page UI (no persistent client-side identifier).

5.How We Use the Data

Operational metrics - request volumes, error rates, slow paths - for capacity planning and reliability. Aggregate, not linked to identifiable individuals.
Responding to enquiries sent to our published email addresses.
Compliance. Responding to lawful requests from supervisory authorities, courts, or law enforcement; enforcing our Terms.

6.Cookies & Similar Technologies

The Site sets no cookies. The parent landing page does not write to localStorage, sessionStorage, IndexedDB, or any client-side identifier. We do not use advertising, analytics, fingerprinting, or any other non-essential client-side identifier on this parent site. If, in future, we add Cloudflare Web Analytics, it is cookieless and aggregate-only; we will update this section and the Subprocessors list before doing so.

7.Retention

Data	Retention
Cloudflare edge logs	Per Cloudflare’s retention policy (typically ≤ 30 days for raw logs).
Email correspondence (Migadu mailbox)	Kept only as long as needed to handle your enquiry and any follow-up, then deleted. Migadu’s own log retention is per its policy (transactional envelopes typically purged within 30 days).

8.Subprocessors

The Site relies on the following third parties. Each operates under its own privacy notice and (where applicable) a data-processing agreement with us:

Cloudflare, Inc. (USA) - hosts the static pages and Workers Functions, terminates TLS, stores KV records at the edge, and provides edge logging plus WAF / Bot Fight Mode. Cloudflare’s Data Processing Addendum is incorporated by reference into our Cloudflare service agreement. Cloudflare Privacy Policy · Cloudflare DPA.
Migadu-Mail GmbH (Switzerland) - our email mailbox provider for bitvibelabs.com (it carries the messages you send to our published addresses and our replies). Switzerland benefits from an EU adequacy decision, so EU/UK–Switzerland transfers do not require a separate instrument. Migadu Privacy Policy.

Fonts (Fraunces, DM Sans, JetBrains Mono) are self-hosted on Cloudflare from /assets/fonts/; the Site does not load Google Fonts or any other third-party font CDN, so no visitor IP address is sent to Google or any third party to render type.

We do not currently use any analytics provider (no Google Analytics, no Plausible, no Cloudflare Web Analytics, no Mixpanel), no behavioural-advertising network, and no fingerprinting service. If we introduce any new subprocessor we will update this section and, for material additions, post a notice on the home page before the change takes effect.

9.Your Rights

Subject to certain exceptions, you have the following rights under the GDPR and the UK GDPR:

Access - obtain confirmation of whether we process your personal data and a copy of it (Art. 15).
Rectification - have inaccurate data corrected (Art. 16).
Erasure - have your data deleted where one of the listed grounds applies (Art. 17).
Restriction - restrict processing in certain situations (Art. 18).
Data portability - receive structured, machine-readable data and have it transmitted to another controller (Art. 20).
Objection - object to processing based on our legitimate interests (Art. 21).
Withdraw consent - where we rely on your consent for any processing, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing before the withdrawal.
Lodge a complaint - with your local supervisory authority. The operator is a Greek tax resident, so complaints against the operator personally may be lodged with the Hellenic Data Protection Authority (dpa.gr/en). In the United Kingdom, the Information Commissioner’s Office (ico.org.uk); elsewhere in the EU/EEA, the authority of your habitual residence.

To exercise any right, email [email protected]. We aim to respond within the one-month period set by Article 12(3) GDPR.

10.International Transfers

Cloudflare (USA) relies on the European Commission Standard Contractual Clauses (Decision 2021/914) for transfers from the EEA, Switzerland, and the United Kingdom, and is certified under the EU-US Data Privacy Framework, the Swiss-US Data Privacy Framework, and the UK Extension to the EU-US DPF.
Migadu (Switzerland) - covered by the European Commission’s Swiss adequacy decision; no separate transfer instrument required.

11.Security

All traffic is served over TLS 1.2 or higher (the Cloudflare zone enforces min_tls_version=1.2 + always_use_https=on). DNSSEC is enabled.
Data at rest on Cloudflare is encrypted with AES-256 (KV) by default.
Environment variables (SMTP credentials, API tokens) are stored as Cloudflare Pages secret_text values - encrypted at rest, never logged.
No plaintext credentials are committed to source control. The Cloudflare API token used by tooling is scoped to non-catastrophic actions (no transfer, no billing, no token-create, no tunnel mutation).
Strict security headers on every response: HSTS with preload, X-Frame-Options: DENY, X-Content-Type-Options: nosniff, a tight Content-Security-Policy, and a hardened Permissions-Policy.
Bot Fight Mode is enabled at the Cloudflare edge.

No system can be guaranteed perfectly secure, and we make no warranty to that effect.

12.Breach Notification

If we become aware of a personal-data breach that is likely to result in a risk to the rights and freedoms of natural persons, we will notify the competent supervisory authority within 72 hours of becoming aware of it (Article 33 GDPR). If the breach is likely to result in a high risk to your rights, we will also notify you directly without undue delay (Article 34 GDPR), using the email address on file.

13.Children

The Site is not directed at children under 16, and we do not knowingly collect personal data from anyone under that age. If you are a parent or guardian and believe a child has provided personal data to us, please contact [email protected] and we will erase it.

14.Automated Decision-Making

We do not use your personal data to make any legally-significant or similarly-significant automated decisions about you (Article 22 GDPR). We do not profile visitors, do not perform behavioural advertising, and do not score users for risk or eligibility on this parent site.

15.Marketing Emails

We do not operate a newsletter or send marketing emails from this Site, and we do not maintain a marketing list. We only email you in reply to a message you send us. We do not sell, rent, share, or trade contact details with any third party. If we introduce a newsletter in future, it will use double opt-in (you confirm via a link before receiving anything), every email will carry one-click unsubscribe, and we will update this Policy before launching it.

16.Changes to This Policy

We may update this Policy from time to time. The “Last updated” date at the top of the page reflects the most recent revision. For non-material changes (clarifications, typo fixes, formatting), we update the page silently. For material changes - new subprocessors, new data categories, new lawful bases, new retention periods that meaningfully expand processing - we will give at least 30 days’ notice by displaying a prominent notice on the home page during that window (and, where we hold a contact address for you, by email).

17.Contact

We have not appointed a statutory Data Protection Officer because our processing does not meet the Article 37(1) GDPR thresholds. The natural-person operator named in section 1 above acts as the single point of contact for all privacy matters.

BitVibe Labs — operated by a sole individual (UK company in formation)
Attn: Privacy
Email: [email protected] · [email protected]
Postal address: available on request; will be published here once the business address is finalised.

For complaints, you may contact the Hellenic Data Protection Authority at dpa.gr/en, the UK Information Commissioner’s Office at ico.org.uk, or your own EU/EEA Member State’s supervisory authority.

← Back to BitVibe Labs