Privacy Policy
This document explains how GitHub Graveyard processes personal data. Not legal advice.
1) Who we are
GitHub Graveyard is a web service for discovering, reviewing, and reassessing open-source repositories on GitHub. The service helps users find forgotten, completed, or underrated projects, view repository activity signals (such as commits, issues, pull requests, and stars), label repository status, and support interesting projects using virtual “candles”.
Email: nacosof@gmail.com
2) What data we collect
We collect data needed to provide the service: account, sessions, profile activity, and technical data.
- Account data: username, email, email verification status (verified), and a password hash (we never store passwords in plain text).
- OAuth data: when you sign in with GitHub or Google, NextAuth may receive email, display name, providerAccountId and profile image (if the provider returns it).
- Sessions and cookies: cookies are used for authentication, including `gg_session` and NextAuth cookies.
- User activity: candles/donations, votes, and category labels associated with your account.
- Admin metrics: we use `lastSeenAt` and calculate “online” as users active within the last ~5 minutes. This metric is visible only to the administrator.
- Email communication: email verification codes and password reset codes.
- Technical data: request-related information such as IP address and user agent that may be logged by hosting and Next.js/NextAuth infrastructure.
3) How we use data
- To create and maintain your account and access your profile.
- To send transactional emails: verification and password resets.
- To display candles/stats and reflect your actions.
- To maintain security, reduce abuse, and help prevent suspicious activity.
- To integrate with external services: GitHub/Google OAuth and GitHub API signals for repositories.
4) Legal bases
Where GDPR/UK GDPR applies, we typically rely on: contract (when you create an account), legitimate interests (security and abuse prevention), and consent where required.
5) Who we share data with
We share personal data only when needed to run the service, for example:
- OAuth providers: GitHub and Google.
- Payment provider (for topping up virtual “candles”): NOWPayments. We share the data required to create an order/invoice and process payment status updates.
- Email provider: Resend or SMTP (if configured).
- Hosting and infrastructure: platforms that host the site and database.
- Database/ORM: Prisma + Postgres/Serverless Postgres.
6) International transfers
OAuth and email providers may process data in different countries. We take reasonable steps to ensure transfers comply with applicable laws (including appropriate safeguards where required).
7) Retention
- Email verification and password reset codes are valid for 10 minutes and are deleted after use or expiration.
- The `gg_session` cookie is stored for up to 30 days (for convenience).
- NextAuth sessions are stored and expire according to NextAuth settings (and their session record in the database).
- Account data is stored until you delete your account or until it is no longer needed for the purposes described in this policy.
8) Your rights
Depending on your jurisdiction, you may request access, rectification, deletion, or restriction of processing, and you may lodge a complaint with the relevant supervisory authority.
Contact us at nacosof@gmail.com.
9) Cookies
We use cookies primarily for authentication and session management. This includes the `gg_session` cookie (httpOnly) and NextAuth cookies.
10) Security
We use reasonable technical and organizational measures to protect data, including password hashing and httpOnly cookies for sessions.
11) Children
The service is intended for users aged 13 or older.
12) Changes
We may update this policy. The latest version will be published on the site.