Privacy Policy

Last updated: May 2026

This Privacy Policy explains how OASDIFF LTD (company number 17071693) ("we", "us", or "our") collects, uses, and protects information when you use the oasdiff website and API (the "Service"). We are committed to handling your information responsibly and transparently.

1. Information We Collect

Uploaded specification files

When you use the diff calculator or API, you submit OpenAPI specification files. These files are processed in memory to generate your diff result and are not written to disk or retained after the response is sent. We do not read, analyse, or index the contents of your specs for any purpose other than computing the diff you requested.

GitHub account information

When you sign in with GitHub, we receive your GitHub username, email address, and profile avatar from GitHub OAuth. We also receive a GitHub access token, which is stored only in your encrypted session cookie and is never written to our database. This token is used solely to fetch OpenAPI specification files from your repositories on your behalf when you use the review page.

Account and subscription information

When you subscribe to a paid plan, we collect your email address and payment information. Payment processing is handled by Stripe; we do not receive or store your full payment card details. We store your email address, Stripe customer ID, GitHub username, profile avatar URL, subscription status, and tenant identifier.

Usage and analytics data

We use Plausible Analytics (plausible.io, hosted in the EU) for anonymous traffic counts. Plausible does not set cookies, does not fingerprint your browser, and does not store individual-level data. Daily aggregate counts (pageviews, referrers, country, device type) are derived from a salted hash of IP and user-agent that is discarded each day. No consent is required because no personal data is processed.

Server logs

Our hosting infrastructure automatically records standard server log data, including IP addresses, request paths, and timestamps. Logs are retained for up to 30 days for security and debugging purposes and are then deleted.

2. How We Use Your Information

• To compute and return the diff result you requested.
• To authenticate you and maintain your session.
• To fetch specification files from your GitHub repositories on your behalf when you use the review page.
• To manage your subscription and process payments.
• To monitor and improve the performance and reliability of the Service.
• To comply with legal obligations or protect against fraud and abuse.

3. Legal Basis for Processing (UK / EEA GDPR)

We process your personal data on the following legal bases:

4. Cookies

We use only essential cookies. When you sign in to oasdiff.com via GitHub, we set a first-party session cookie to keep you authenticated. This cookie is required for the Service to function and cannot be disabled while you are signed in. It does not track you across other websites.

We do not use analytics or advertising cookies. Plausible Analytics (described above) is cookieless, which is why oasdiff.com does not show a cookie consent banner.

5. Sub-processors and Data Sharing

We do not sell, rent, or trade your personal information. We share data only with the following sub-processors and in the following circumstances:

• Stripe — payment processing; your payment data is subject to Stripe's Privacy Policy.
• Google Cloud Platform — hosting and infrastructure; data is processed in the EU/EEA under Google's Data Processing Addendum.
• Plausible Analytics — anonymous, cookieless usage statistics; data processed in the EU; subject to Plausible's Privacy Policy.
• GitHub — OAuth sign-in provider; your use of GitHub sign-in is subject to GitHub's Privacy Statement.
• Law enforcement or regulators — only where required by applicable law.

6. Data Retention

• Uploaded specification files — not retained; deleted after the request completes.
• GitHub OAuth token — stored only in your session cookie; not persisted to our database. Cleared when you sign out.
• Account data — retained while your account is active and for up to 90 days after deletion for legal and accounting purposes.
• Server logs — retained for up to 30 days.

7. Your Rights

Depending on your location, you may have rights under the UK GDPR, EU GDPR, CCPA (California), or similar laws, including the right to:

• Access a copy of the personal data we hold about you.
• Request correction of inaccurate data.
• Request deletion of your personal data ("right to be forgotten").
• Object to or restrict certain processing activities.
• Withdraw consent for analytics cookies at any time (see Section 4).

To exercise any of these rights, please email us at info@oasdiff.com. We will respond within 30 days. To request account deletion, include your GitHub username and registered email address; we will delete your account and associated data and confirm by email.

8. Security

We use HTTPS for all connections to the Service. Uploaded files are processed in isolated request contexts and are not written to persistent storage. Your GitHub OAuth token is stored only in an HTTP-only, encrypted session cookie and is never written to our database or logged. However, no system is perfectly secure, and we encourage you to avoid uploading specification files that contain embedded credentials or other sensitive secrets.

9. Children

The Service is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has submitted personal information to us, please contact us and we will delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will post the revised policy on this page with an updated "Last updated" date. Continued use of the Service after changes take effect constitutes acceptance of the revised policy.

11. Contact

For privacy enquiries, please email us at info@oasdiff.com.