Privacy Policy

Last updated: May 09, 2026

Summary

GitNotēs (the “App”) is published by Xaventra (Pvt) Ltd, Level 26, East Tower, Echelon Square, World Trade Center, Colombo 01, Sri Lanka (“we”, “us”).

We do not operate a server that collects your personal data. Your notes, todos, journals, templates, and canvases live in two places only:

  • On your device, as a local cache. iOS Keychain holds your GitHub access token; AsyncStorage holds a copy of files for offline access.

  • In the GitHub repository you choose, under your own GitHub account. GitHub’s privacy policy governs that storage: GitHub General Privacy Statement.

We do not see, transmit, or process the content of your notes. We do not sell, rent, share, or trade any data.

What the App stores on your device

  • GitHub access token — a personal access token (PAT) you generate, or an OAuth token from the GitHub sign-in flow. Stored in the iOS Keychain via expo-secure-store. Never transmitted to any server we operate.

  • Local cache of your notes — copies of the files in your linked repository so the App works offline and feels fast. Stored in your app sandbox; removed when you uninstall the App.

  • Settings and preferences — theme, sync interval, last-used repository, etc. Stored in AsyncStorage. Never leaves your device.

  • AI provider configuration — if you enable AI features, the API base URL and (for BYO providers) the API key you enter. Keys are stored in the iOS Keychain.

What the App does NOT do

  • We do not run any backend that stores user data.
  • We do not include analytics SDKs (no Google Analytics, Mixpanel, Amplitude, Sentry, Firebase, or Crashlytics).
  • We do not track you across apps or websites.
  • We do not sell or share data with advertisers.
  • We do not send marketing email or push notifications.
  • We do not collect IP addresses, device identifiers, or location data.

Authentication

The App authenticates with GitHub via OAuth or a personal access token that you generate yourself. The token is stored in the iOS Keychain on your device and is sent only to api.github.com when you load, view, or modify your notes. You can revoke the token at any time from your GitHub settings.

AI features (optional, off by default for new accounts)

The App offers optional AI assistance. You can disable AI entirely from Settings → AI; every other feature works without it.

  • Apple Intelligence— on supported Apple devices, runs on-deviceusing Apple’s foundation models. No data leaves your device.

  • Bring-your-own provider— if you configure an OpenAI-compatible endpoint, the App sends your prompt and any selected note context directly from your device to the URL and API key you configured. We do not proxy, log, or inspect this traffic. The provider you choose is bound by its own privacy policy.

Permissions the App may request

  • Camera— only when you choose to take a photo to attach to a note.

  • Photo Library— only when you pick an existing image to attach to a note. Selected images are uploaded to your linked GitHub repository under notes/images/.

  • Microphone— only when you tap voice-to-text. Speech is processed by expo-speech-recognition (on-device by default on iOS).

  • Face ID / Touch ID— only if you enable App Lock in Settings. Verification happens in the Apple Secure Enclave; biometric data never leaves your device and is never seen by the App.

  • Background fetch / processing— keeps your notes synced with GitHub when the App is closed. Network traffic is between your device and api.github.com only.

Network endpoints the App contacts

  • api.github.com— to read and write the notes in your repository, using your token.
  • github.com— to authorise the OAuth flow.
  • Any AI provider URL youconfigure — only when you actively use an AI feature.
  • Apple servers (App Store updates, push token registration) — standard iOS platform traffic that we don’t control or observe.

Children’s privacy

GitNotēs is not directed at children. We do not knowingly collect personal data from anyone under the age of 13 (the US COPPA threshold) or under the age of 16 in the EU/EEA (GDPR Article 8). If you believe a child has used the App and provided personal information, contact us and we will assist in removing any local data.

Your rights

Because we hold no server-side personal data, the typical “right of access” and “right of erasure” requests under GDPR / CCPA / equivalent regimes resolve to:

  • Access— your notes are already accessible to you in the GitHub repository you chose, in the App, or via any Git client. There is no separate copy we hold.

  • Erasure— deleting a note in the App removes it from local storage and pushes a delete commit to your repository. Uninstalling the App removes every local cache. To delete history beyond that, manage the GitHub repository directly.

  • Portability— your notes are Markdown / Org-mode / Neorg files in a Git repository. Portability is the default state.

  • Token revocation— revoke the GitHub access token from GitHub settings at any time.

Security

Tokens and BYO API keys are stored in the iOS Keychain. The App speaks to GitHub over HTTPS only. No method of electronic storage is 100% secure; we cannot guarantee absolute security of data on your device. For sensitive notes we recommend a private GitHub repository and enabling the in-App Face ID lock.

Third-party services

  • GitHub (Microsoft)— storage and authentication. See the GitHub General Privacy Statement.

  • Apple— iOS platform services, Keychain, optional Apple Intelligence. See Apple’s Privacy Policy.

  • Any AI provider you configure— when AI is enabled with a BYO endpoint. That provider receives the prompt and selected context you send. Contact your provider for their privacy practices.

Changes to this policy

We may update this Privacy Policy as the App evolves. Updates are posted to this page with a new “Last updated” date. Material changes will be highlighted in-App on the next launch.

Contact

← Back to home

Made with by Vidwa De Seram in collaboration with Xaventra