Gitbit Privacy Statement

Effective Date: November 03, 2025

Introduction

Your privacy is important to us. This Privacy Statement explains the personal data Gitbit processes, how we process it, and for what purposes.

Gitbit provides a web application that connects to a customer’s Microsoft 365 environment to retrieve and analyze user account information (for example: displayName, userPrincipalName, accountEnabled, assignedLicenses, and signInActivity). We organize and display that data so administrators can identify which users require licenses. References to “Gitbit”, “we”, “us” or “our” in this statement mean Gitbit LLC and its subsidiaries and affiliates, unless otherwise stated.

Personal data we collect

We collect data from you, through our interactions with you and through the Gitbit product. You provide some of this data directly, and some is retrieved from your Microsoft 365 environment after you authorize the connection. The data we collect depends on the features you use and the permissions you grant.

Data retrieved from your Microsoft 365 environment

When you connect Gitbit to your Microsoft 365 tenant (via OAuth or an administrator consent flow), you authorize Gitbit to retrieve user and directory information limited to the fields and APIs we request. Typical data we retrieve includes:

• displayName — user's display name
• userPrincipalName — user's sign-in name / email
• accountEnabled — whether the account is enabled or disabled
• assignedLicenses — licenses assigned to the user
• signInActivity or equivalent metadata — recent sign-in timestamps and activity indicators

We only request the minimum permissions necessary to provide the Service. If you grant additional permissions or integrate other systems, Gitbit may collect additional information consistent with your choices and the permissions granted.

Data you provide directly

You may provide contact, billing, or account administration information (for example, administrator email, organization name, and billing contact). You may also provide support requests and other communications to us via email or support forms.

Data we generate

We may derive metadata, analytics, or aggregated reports from your data (for example: number of unlicensed accounts, inactive accounts, or license utilization metrics). Aggregated or de-identified data may be used for product improvement and analytics.

How we use personal data

We use personal data for the following purposes:

• Provide and maintain the Service: retrieving, storing, organizing and presenting user account information so you can identify license needs and manage licenses.
• Support and troubleshooting: diagnosing and resolving issues, responding to support requests, and providing customer service.
• Improve the Service: analyzing usage patterns, measuring performance, and developing features and enhancements.
• Security and compliance: detecting, preventing and responding to security incidents, abuse, and fraud.
• Communications: sending transactional messages such as service notices, updates, and administrative messages.
• Improve and develop our products.
• Personalize our products and make recommendations.
• Advertise and market to you, which includes sending promotional communications, targeting advertising, and presenting you relevant offers.

We combine data collected from different contexts (for example, different organizations or different sessions) to deliver a consistent and useful experience. Our processing includes both automated methods (including algorithms) and human review where necessary to provide support and maintain quality.

Reasons we share personal data

We do not sell personal data. We may share personal data in limited circumstances, including:

• With your consent: where you authorize or request us to share data (for example, an exported report you request that we send to a third party).
• With our service providers: vendors or contractors who perform services on our behalf (for example, hosting, data storage, analytics, or customer support). These parties are contractually obligated to keep your data confidential and use it only to perform services for Gitbit.
• With affiliates: where necessary for business operations and as permitted by applicable law.
• For legal reasons: when required by law, court order, or to respond to lawful requests by public authorities; to protect the rights, property or safety of Gitbit, our customers or others; or to prevent or investigate wrongdoing.

We require third parties who process data on our behalf to implement reasonable security measures and to process data only in accordance with our instructions.

How to access and control your personal data

You have choices about the data Gitbit collects and how it is used. Depending on the context and your role (for example, administrator of an organization), available controls may include:

• Decline permissions: you can refuse to authorize Gitbit to access your Microsoft 365 tenant. If you decline permissions required to provide the Service, you cannot use the Service.
• Account administrator controls: tenant administrators can revoke Gitbit’s access via the Microsoft Azure Portal or the Microsoft 365 admin center by revoking app consent or deleting the Gitbit service principal. Revoking access prevents further data retrieval.
• Delete data on request: you may request deletion of data stored by Gitbit by emailing support@gitbit.org. Upon receipt we will verify the request and delete your data within a reasonable timeframe, unless we are required to retain it by law. Deletion requests should include the organization name, administrator contact, and any relevant identifiers to help us locate the data.
• Export data: you may request an export of your stored data; we will provide exported data in a commonly used, machine-readable format where feasible.
• Marketing communications: you may opt out of promotional emails by following the unsubscribe instructions in those messages or by contacting support@gitbit.org.

If you are an end user whose account is provided and managed by an organization, contact your organization’s administrator for questions about your account data and how it is used.

Cookies and similar technologies

Gitbit uses cookies and similar technologies (such as web storage and beacons) to operate the Service, remember preferences, maintain sessions, and measure site usage and performance. Third-party services we rely on (for example analytics providers) may also use cookies or similar technologies.

You can use your browser settings to block or remove cookies; however, blocking cookies may prevent some features of the Service from functioning properly. We will obtain consent where required by applicable law before using non-essential cookies.

Products provided by your organization — notice to end users

If you use Gitbit with an account provided by an organization (for example, your employer or school), that organization may control certain privacy-related settings and may have access to the data Gitbit retrieves from that organization’s Microsoft 365 tenant. Gitbit’s processing of personal data in connection with organization-provided products is governed by the agreement between Gitbit and the organization and by the permissions granted by the organization’s administrators.

If you have questions about your organization’s privacy practices or want to exercise data subject rights for data controlled by your organization, consult your organization’s administrator.

Collection of data from children

Gitbit is intended for use by administrators and organizations. We do not knowingly collect personal data from children under the age required by law in your jurisdiction (for example, under 13 in the United States) to use our services. If you believe we have collected data from a child in a manner that violates applicable law, please contact us at support@gitbit.org and we will take appropriate steps to investigate and, where required, remove the data.

Security & data retention

Security: We implement administrative, technical and physical safeguards designed to help protect personal data from unauthorized access, disclosure, alteration, and destruction. These safeguards include encryption in transit and at rest where feasible, access controls, and security monitoring. However, no system can be 100% secure, and we cannot guarantee absolute security.

Data retention: We retain personal data for as long as necessary to provide the Service, to comply with legal obligations, resolve disputes, and enforce our agreements. When data is no longer needed, we will delete or de-identify it in accordance with our retention policies unless legal obligations require otherwise.

Artificial Intelligence

Gitbit may use automated and algorithmic techniques to analyze data and generate reports, insights or recommendations (for example, determining accounts that appear inactive or identifying license waste). Where automated processing affects your rights under applicable law, you may have certain rights to challenge or request human review of those decisions. If Gitbit uses personal data to train or improve machine-learning models, we will ensure data is handled in accordance with this Privacy Statement and applicable laws. Contact support@gitbit.org for information about automated processing specific to your organization.

International transfers & where we process data

Gitbit is hosted on cloud infrastructure and may process and store personal data in the United States and other countries where our service providers operate. When we transfer personal data across borders, we will protect it in accordance with this Privacy Statement and applicable law. If your organization requires specific data residency or transfer protections, please contact us at support@gitbit.org.

Legal bases & legal requirements

Where applicable law requires that we identify a legal basis for processing personal data, Gitbit relies on one or more of the following: (i) performance of a contract with you or your organization (e.g., to provide the Service), (ii) your consent where requested, (iii) compliance with legal obligations, and (iv) our legitimate interests (for example, to secure the Service, improve our products, and operate our business), where those interests are not overridden by your rights.

We will disclose personal data when required by law or legal process, or to protect Gitbit, our customers or others from harm or unlawful activity.

How to contact us

If you have questions about this Privacy Statement or want to exercise your data protection rights (for example request access, correction, export, or deletion of your data), contact us:

• Email: support@gitbit.org

When you contact us to request deletion or export of data, please include your organization name and the administrator contact so we can verify and fulfill your request.

Changes to this statement

We may update this Privacy Statement from time to time. If we make material changes, we will provide notice through the Service or by other means prior to the change taking effect. Continued use of the Service after publication of the revised Privacy Statement constitutes acceptance of the changes.