
Privacy Policy

How we protect and handle your data

Last updated: February 21, 2026

Diffshot (“we,” “us,” or “our”) operates the Diffshot application and website at diffshot.app. This Privacy Policy explains how we collect, use, and protect your information when you use our service.

By using Diffshot, you agree to the collection and use of information as described in this policy.

1. Information We Collect

Account Information

When you create an account, we collect:

  • Email address (via Clerk authentication)
  • GitHub username and profile information (via GitHub OAuth)
  • X (Twitter) handle (via X OAuth, when you choose to connect)

GitHub Data

When you connect a GitHub repository, we access:

  • Repository names and metadata
  • Commit messages
  • File paths changed per commit
  • Line addition/deletion counts per commit

We do NOT access or store your actual source code, file contents, environment variables, secrets, issues, pull requests, or collaborator information.

X (Twitter) Data

When you connect your X account, we access:

  • Write-only permission to post tweets on your behalf

We do NOT read your timeline, direct messages, followers, following lists, or existing tweets.

Usage Data

We collect basic usage information:

  • Number of generations used per month
  • Draft creation and publishing timestamps
  • Account plan type (free or pro)

Payment Information

If you upgrade to Pro, payment is processed by Polar.sh, which acts as our Merchant of Record. Polar handles all payment processing, VAT collection, tax compliance, and invoicing under its own privacy policy. We do not store your credit card number, bank account details, or other sensitive financial information.

2. How We Use Your Information

We use the collected information to:

  • Authenticate your account and manage your session
  • Fetch commit data from your selected GitHub repositories
  • Generate visual changelog drafts using AI (Anthropic Claude API)
  • Publish tweets to X on your behalf when you choose to
  • Track your generation usage for plan limits
  • Process payments for Pro subscriptions
  • Send essential service communications (account issues, critical updates)

We do not use your information to:

  • Sell or rent your data to third parties
  • Send marketing emails (unless you explicitly opt in)
  • Train AI models on your data
  • Track you across other websites

3. Third-Party Services

Diffshot uses the following third-party services that may process your data:

Service | Purpose | Data Shared
Clerk | Authentication | Email, GitHub profile
Convex | Database and backend | Account data, drafts, commit metadata
GitHub API | Fetching commit data | OAuth token (to read your repos)
X (Twitter) API | Publishing tweets | OAuth token (to post on your behalf)
Anthropic Claude API | AI content generation | Commit messages, file paths, line stats
Polar.sh | Payment processing (MoR) | Payment method, billing info
Vercel | Hosting | Standard server logs

Each third-party service operates under its own privacy policy. We encourage you to review their policies.

4. Data Sent to AI

When generating visual changelog drafts, we send the following data to the Anthropic Claude API:

  • Commit messages from your selected repository
  • File paths changed in each commit
  • Line addition/deletion statistics

We do NOT send your actual source code to the AI. The AI generates tweet text and visual card descriptions based on commit metadata only.

5. Data Storage and Security

  • Your data is stored on Convex’s secure cloud infrastructure
  • OAuth tokens are stored in our database (encryption will be implemented before public launch)
  • We use HTTPS for all data transmission
  • We do not store your GitHub or X passwords — authentication is handled via OAuth tokens

6. Data Retention

  • Your account data is retained as long as your account is active
  • Generated drafts and published tweet records are retained as long as your account exists
  • Commit metadata is retained for the purpose of generating drafts
  • If you delete your account, we will delete your data within 30 days

7. Your Rights

Under GDPR (as we operate from the European Union), you have the right to:

  • Access your personal data
  • Correct inaccurate data
  • Delete your account and associated data
  • Export your data in a portable format
  • Withdraw consent at any time
  • Object to data processing

To exercise any of these rights, contact us at legal@diffshot.app.

8. Cookies

Diffshot uses only essential cookies required for authentication and session management. We do not use advertising cookies, tracking cookies, or analytics cookies.

9. Children's Privacy

Diffshot is not intended for use by anyone under the age of 16. We do not knowingly collect personal information from children.

10. Revoking Access

You can revoke Diffshot's access at any time:

  • GitHub: Go to GitHub Settings → Applications → Authorized OAuth Apps → Revoke Diffshot
  • X (Twitter): Go to X Settings → Security and account access → Apps and sessions → Revoke Diffshot
  • Account deletion: Contact us at legal@diffshot.app or use the account settings page

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by posting a notice on our website. Your continued use of Diffshot after changes constitutes acceptance of the updated policy.

12. Contact

If you have questions about this Privacy Policy, contact us at:

Email: legal@diffshot.app

Operator: Nick Vardakas (Sole Proprietor)

Location: Thessaloniki, Greece