Privacy Policy
Last updated: April 2026
This Privacy Policy explains how OASDIFF LTD (company number 17071693) ("we", "us", or "our") collects, uses, and protects information when you use the oasdiff website and API (the "Service"). We are committed to handling your information responsibly and transparently.
1. Information We Collect
Uploaded specification files
When you use the diff calculator or API, you submit OpenAPI specification files. These files are processed in memory to generate your diff result and are not written to disk or retained after the response is sent. We do not read, analyse, or index the contents of your specs for any purpose other than computing the diff you requested.
GitHub account information
When you sign in with GitHub, we receive your GitHub username, email address, and profile avatar from GitHub OAuth. We also receive a GitHub access token, which is stored only in your encrypted session cookie and is never written to our database. This token is used solely to fetch OpenAPI specification files from your repositories on your behalf when you use the review page.
Account and subscription information
When you subscribe to a paid plan, we collect your email address and payment information. Payment processing is handled by Stripe; we do not receive or store your full payment card details. We store your email address, Stripe customer ID, GitHub username, profile avatar URL, subscription status, and tenant identifier.
Usage and analytics data
We use Google Analytics to understand how the Service is used in aggregate. Google Analytics collects data such as pages visited, browser type, country, and session duration. We use Google Analytics Consent Mode v2: if you accept the cookie banner, Google Analytics collects your data directly. If you decline, Google Analytics still loads but operates in a restricted mode — no personal data is collected and no identifying cookies are set. Google may use aggregate, anonymised signals to model overall usage patterns, but this does not identify you individually. You can withdraw consent at any time by clearing your browser's local storage for oasdiff.com (which will show the banner again on your next visit).
Server logs
Our hosting infrastructure automatically records standard server log data, including IP addresses, request paths, and timestamps. Logs are retained for up to 30 days for security and debugging purposes and are then deleted.
2. How We Use Your Information
- To compute and return the diff result you requested.
- To authenticate you and maintain your session.
- To fetch specification files from your GitHub repositories on your behalf when you use the review page.
- To manage your subscription and process payments.
- To monitor and improve the performance and reliability of the Service.
- To comply with legal obligations or protect against fraud and abuse.
3. Legal Basis for Processing (UK / EEA GDPR)
We process your personal data on the following legal bases:
| Data | Legal basis |
|---|---|
| GitHub username, email address, avatar | Contract — required to provide the Service to signed-in users |
| GitHub OAuth token | Contract — required to fetch specification files from your repositories on your behalf |
| Stripe customer ID, subscription data | Contract — required to process and manage your subscription |
| Server logs (IP address, request paths) | Legitimate interest — security monitoring and abuse prevention |
| Analytics data (Google Analytics) | Consent — collected only after explicit opt-in via the cookie banner |
4. Cookies
We use two categories of cookies:
Essential cookies — When you sign in to oasdiff.com via GitHub, we set a first-party session cookie to keep you authenticated. This cookie is required for the Service to function and cannot be disabled while you are signed in. It does not track you across other websites.
Analytics cookies — We use Google Analytics Consent Mode v2. If you accept the cookie banner, Google Analytics cookies (_ga, _gid) are set to track your session. If you decline, Google Analytics operates in a restricted mode: no identifying cookies are set and no personal data is collected. You can change your preference at any time by clearing your browser's local storage for oasdiff.com, or by installing the Google Analytics opt-out browser add-on.
No other first-party or third-party cookies are used.
5. Sub-processors and Data Sharing
We do not sell, rent, or trade your personal information. We share data only with the following sub-processors and in the following circumstances:
- Stripe — payment processing; your payment data is subject to Stripe's Privacy Policy.
- Google Cloud Platform — hosting and infrastructure; data is processed in the EU/EEA under Google's Data Processing Addendum.
- Google Analytics — aggregate usage statistics, with your consent only.
- GitHub — OAuth sign-in provider; your use of GitHub sign-in is subject to GitHub's Privacy Statement.
- Law enforcement or regulators — only where required by applicable law.
6. Data Retention
- Uploaded specification files — not retained; deleted after the request completes.
- GitHub OAuth token — stored only in your session cookie; not persisted to our database. Cleared when you sign out.
- Account data — retained while your account is active and for up to 90 days after deletion for legal and accounting purposes.
- Server logs — retained for up to 30 days.
7. Your Rights
Depending on your location, you may have rights under the UK GDPR, EU GDPR, CCPA (California), or similar laws, including the right to:
- Access a copy of the personal data we hold about you.
- Request correction of inaccurate data.
- Request deletion of your personal data ("right to be forgotten").
- Object to or restrict certain processing activities.
- Withdraw consent for analytics cookies at any time (see Section 4).
To exercise any of these rights, please email us at info@oasdiff.com. We will respond within 30 days. To request account deletion, include your GitHub username and registered email address; we will delete your account and associated data and confirm by email.
8. Security
We use HTTPS for all connections to the Service. Uploaded files are processed in isolated request contexts and are not written to persistent storage. Your GitHub OAuth token is stored only in an HTTP-only, encrypted session cookie and is never written to our database or logged. However, no system is perfectly secure, and we encourage you to avoid uploading specification files that contain embedded credentials or other sensitive secrets.
9. Children
The Service is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has submitted personal information to us, please contact us and we will delete it promptly.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will post the revised policy on this page with an updated "Last updated" date. Continued use of the Service after changes take effect constitutes acceptance of the revised policy.
11. Contact
For privacy enquiries, please email us at info@oasdiff.com.