← Back

Privacy Policy

Last updated: April 10, 2026

Gitit helps teachers verify assignment authenticity by recording the writing process. We take data handling seriously because our users include students. This policy explains, in plain English, what we collect, why, and who can see it.

What we collect

• Account information — name, email address, and role (student or teacher). We receive this from your identity provider (Clerk) when you sign in.
• Keystroke events — the sequence of insertions, deletions, and paste actions you make while writing an assignment. Each event includes position, content, and a client-side timestamp.
• Submission content — the current state of your written assignment, maintained from the keystroke stream.
• Class and assignment metadata — class names, join codes, assignment titles, and due dates.
• Browser metadata — we receive standard HTTP headers (user agent, IP address) as part of normal web traffic. We do not fingerprint devices or track across sites.

What we do NOT collect

• Passwords (authentication is handled entirely by Clerk)
• Payment or financial information (not applicable today)
• Location data beyond what the IP address reveals
• Data from other tabs, apps, or sites

Why we collect it

Every piece of data serves the core product: letting teachers see how an assignment was written, not just the final result. Keystroke events power the replay and diff features. Account and class data connect students to their teachers. We do not sell data, serve ads, or use student data for marketing.

Who can see your data

• Students see only their own submissions and keystroke history.
• Teachers see submissions and replays for students in their classes — this is the product's purpose.
• Gitit team — a small number of administrators can access data for support, debugging, and abuse prevention. We do not browse student writing for any other reason.
• No third parties receive student data. We do not share, sell, or license it.

Where data lives

Data is stored in a database hosted on infrastructure within the United States. Connections are encrypted in transit (TLS). Backups are encrypted at rest.

Data retention

We retain submission and keystroke data for the duration of the school year or as long as the teacher's account is active, whichever is longer. Teachers can archive classes, which soft-deletes enrolment records but preserves submission data for the academic record.

Read notifications are automatically purged after 30 days.

Your rights

You can request a copy of your data or ask us to delete your account and associated data by contacting us at the address below. We are building self-service deletion — until it ships, we will process requests manually within 30 days.

Cookies

We use a single session cookie (__session) for authentication. We do not use tracking cookies, analytics pixels, or third-party advertising cookies.

Changes to this policy

If we make material changes, we will update the date at the top and notify active users via the in-app notification system.