Privacy Policy
This policy describes how OctoFirst collects and processes personal data, in accordance with the General Data Protection Regulation (GDPR) and French data protection law.
1. Data controller
The data controller is Jean-François Lépine, sole trader, 14 allée Boileau, 22950 Trégueux, France. For any question about your data, you may contact them via the contact page.
2. Data collected
Account data
- Name and username;
- Email address;
- Avatar;
- GitHub and/or GitLab identifiers;
- OAuth access tokens for the connected platforms, stored encrypted.
Activity metadata
- Metadata of pull/merge requests, reviews and commits;
- Timestamps and derived activity statistics.
OctoFirst does not collect, read or store any source-code content. Only the metadata above is processed.
3. Purposes and legal bases
| Purpose | Legal basis |
|---|---|
| Providing the Service (account, dashboards, metrics, gamification, email/Slack summaries) | Performance of the contract |
| Generating AI recommendations | Performance of the contract / legitimate interest |
| Security, abuse prevention and Service improvement | Legitimate interest |
| Sending the newsletter | Consent |
| Billing and accounting obligations | Performance of the contract / legal obligation |
4. Recipients and sub-processors
Data is never sold. It is accessible to the Publisher and the following sub-processors, strictly limited to their services:
- DigitalOcean LLC: hosting of the application and data (France, European Union);
- Stripe: payment processing (billing and card data);
- OpenAI: generation of recommendations. Only aggregated, anonymisable metadata is sent; no source code is transmitted.
5. Retention periods
- Account data and activity metadata: for the duration of Service use, then deleted when the account is deleted;
- OAuth tokens: kept while the platform connection is active, deleted on disconnection or account deletion;
- Billing data: kept in accordance with legal accounting and tax obligations;
- Email address for the newsletter: until consent is withdrawn (unsubscribe).
6. Transfers outside the European Union
Hosting is located in France (European Union). Some sub-processors (Stripe, OpenAI) may process data outside the European Union. Such transfers are governed by appropriate safeguards, in particular the European Commission's Standard Contractual Clauses.
7. Security
The Publisher implements appropriate technical and organisational measures: encryption of OAuth tokens, encrypted communications over HTTPS, access control and hosting in a secure environment.
8. Your rights
Under the GDPR, you have the following rights: access, rectification, erasure, objection, restriction and data portability.
- Account deletion and data erasure: directly from your profile;
- Other rights (access, rectification, objection, restriction, portability): by contacting us via the contact page;
- Newsletter: you may withdraw your consent at any time via the unsubscribe link in each email.
9. Cookies and trackers
OctoFirst limits the use of trackers to what is strictly necessary:
- Session cookie: strictly necessary for operation and authentication; it does not require consent;
- Umami analytics: a privacy-friendly solution, run server-side, without any tracking cookie or advertising profiling.
OctoFirst does not use advertising cookies or third-party trackers.
10. Complaint to the CNIL
If you believe that the processing of your data does not comply with regulations, you have the right to lodge a complaint with the French data protection authority (CNIL), 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, or at www.cnil.fr.
Last updated: 20 June 2026. The French version of this document prevails in case of discrepancy.