Privacy Policy
Last updated: May 30, 2026
TL;DR: HitMeUp is designed with zero-knowledge cryptography. Messages are encrypted locally on the user's device before transmission. We do not possess the cryptographic keys required to decrypt these messages.
1. Information We Collect
HitMeUp is built to prioritize developer privacy. HitMeUp accesses only the GitHub account information necessary for authentication and user identification, such as username and GitHub user ID. The only data processed and stored on our servers is:
- OAuth Authentication details: We authenticate users via GitHub OAuth. We store your public GitHub username and GitHub ID to route messages. We never access your repository code, passwords, or personal credentials.
- Encrypted Message Ciphertext: We store message payloads in a database so they can be retrieved by recipients. These payloads are encrypted using AES-256-GCM. We have no mechanism to decrypt these payloads because we do not have access to your private key.
- Encrypted Backup Vault Blobs: If you use the backup vault, we store a ciphertext containing your private key (encrypted locally with a key derived from your custom PIN via PBKDF2 with 600,000 iterations). We cannot decrypt this backup.
- Public Keys: We store your public ECDH keys so that other users can initiate encrypted communication channels with you.
2. Cryptographic Architecture
We ensure data security by performing all encryption/decryption operations on-device using the native browser Web Crypto API:
- ECDH (P-256): Elliptic Curve Diffie-Hellman is used to derive a shared symmetric key between two users.
- AES-256-GCM: Used to encrypt each message. A new random Initialization Vector (IV) is generated for every message.
- PBKDF2: Key derivation with 600,000 iterations and a random salt is used to secure your private key when stored in the backup vault.
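The flow described in this section, sketched with the Web Crypto API as an added example; it is not HitMeUp's own code. The function names, the SHA-256 hash for PBKDF2, the 16-byte salt, the 12-byte IV, the PKCS#8 export format and the direct use of the ECDH output as the AES key are assumptions that the policy does not state.

```javascript
// Added illustration, not HitMeUp's source. Assumed: SHA-256 for PBKDF2, 16-byte salt,
// 12-byte IV, PKCS#8 key export, raw ECDH output used directly as the AES key.
const wc = globalThis.crypto ?? require("node:crypto").webcrypto;
const { subtle } = wc;
const enc = new TextEncoder(), dec = new TextDecoder();
const ECDH = { name: "ECDH", namedCurve: "P-256" };
const AES = { name: "AES-GCM", length: 256 };

// Each peer combines its own private key with the other's stored public key.
const sharedKey = (myPrivate, theirPublic) =>
  subtle.deriveKey({ name: "ECDH", public: theirPublic }, myPrivate, AES, false,
    ["encrypt", "decrypt"]);

// A new random IV for every call; the IV is stored beside the ciphertext.
async function seal(key, bytes) {
  const iv = wc.getRandomValues(new Uint8Array(12));
  const ct = new Uint8Array(await subtle.encrypt({ name: "AES-GCM", iv }, key, bytes));
  return { iv, ct };
}
// Decryption rejects if the key is wrong or the ciphertext was modified (GCM tag check).
const unseal = async (key, { iv, ct }) =>
  new Uint8Array(await subtle.decrypt({ name: "AES-GCM", iv }, key, ct));

// PIN -> AES-256 key: PBKDF2, 600,000 iterations, random salt kept with the vault blob.
async function pinKey(pin, salt) {
  const base = await subtle.importKey("raw", enc.encode(pin), "PBKDF2", false, ["deriveKey"]);
  return subtle.deriveKey({ name: "PBKDF2", hash: "SHA-256", salt, iterations: 600000 },
    base, AES, false, ["encrypt", "decrypt"]);
}

async function demo() {
  const alice = await subtle.generateKey(ECDH, true, ["deriveKey"]);
  const bob = await subtle.generateKey(ECDH, true, ["deriveKey"]);
  // Message path: a server would see only { iv, ct } and the two public keys.
  const text = "constructed sample message";
  const msg = await seal(await sharedKey(alice.privateKey, bob.publicKey), enc.encode(text));
  const plaintext = dec.decode(await unseal(await sharedKey(bob.privateKey, alice.publicKey), msg));
  // Backup vault: the exported private key is encrypted under the PIN-derived key.
  const salt = wc.getRandomValues(new Uint8Array(16));
  const pkcs8 = new Uint8Array(await subtle.exportKey("pkcs8", alice.privateKey));
  const vault = await seal(await pinKey("493817", salt), pkcs8); // constructed PIN
  const restored = await unseal(await pinKey("493817", salt), vault);
  const wrongPinRejected = await unseal(await pinKey("000000", salt), vault)
    .then(() => false, () => true);
  return { plaintext, restoredOk: restored.join() === pkcs8.join(), wrongPinRejected,
    freshIv: msg.iv.join() !== vault.iv.join() };
}
```

In this sketch the vault blob is only as strong as the PIN's entropy: PBKDF2 raises the cost of each guess but adds no entropy of its own.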
3. Data Deletion and Control
The extension stores cryptographic keys, session information, and application preferences locally using Chrome extension storage. Removing the extension typically removes locally stored extension data, including locally cached cryptographic material.
Users may contact us to request deletion of server-stored account data.
4. Changes to This Policy
We will notify users of any material changes to this Privacy Policy by updating the "Last updated" date above. Since we do not collect email addresses, we encourage you to review this page periodically.
5. Contact Us
If you have questions about this policy, please contact us at:
- Email: shubhampc262005@gmail.com
- Website: soon...