Sign in

Privacy Policy

Last updated: March 2026

Who operates this

Crit is operated by Tomasz Tomczyk as an independent open-source project.

Local use

When you use Crit locally (without sharing), no data leaves your machine. Documents and comments are stored only in files on your computer.

CLI update check

On startup, the Crit CLI contacts api.github.com to check for a new version. This request includes your IP address and current Crit version as the User-Agent header. GitHub's privacy policy governs how GitHub handles this data. You can disable the update check by setting CRIT_NO_UPDATE_CHECK=1.

Shared reviews

When you share a review, the following is stored on our servers:

  • The document content (markdown text)
  • Any comments included at the time of sharing
  • The time the review was created

Comments added by anyone who visits the shared link are also stored on our servers, subject to the same 30-day retention policy.

This data is accessible to anyone with the share link. The link is a secret URL that serves as the primary access control. GitHub login is optional and not required to view or comment on shared reviews.

GitHub login

On crit.md, you can optionally sign in with your GitHub account. If you do, we store:

  • Your GitHub username and display name
  • Your primary GitHub email address
  • Your GitHub avatar URL
  • Your GitHub user ID (used as a stable identifier)

This information is used solely to identify you across sessions and to display your name on reviews and comments you create. We do not share it with third parties. You can delete your account by emailing tomasz@crit.md.

Anonymous session

When you view a shared review, we set a session cookie containing a randomly generated anonymous identifier. This lets you edit or delete comments you left in that session. The identifier is not linked to any personal information and is not used for tracking.

Tracking

We do not use analytics or advertising trackers on this site.

The homepage includes an embedded YouTube video. If you visit the homepage, YouTube (Google) may set cookies and collect data according to Google's privacy policy.

If you sign in with GitHub, your browser connects to GitHub's OAuth service. GitHub's privacy policy governs that interaction. Aside from the YouTube embed, GitHub OAuth, and the error monitoring described below, no other third parties receive data from this site.

Error monitoring

The hosted deployment uses Sentry to capture application errors and crashes. When an error occurs, your browser may send Sentry: the error message and stack trace, the page URL, browser and OS metadata, and an anonymized session ID. Shared review documents, comment text, request bodies, and session cookies are not sent.

Self-hosted deployments do not use Sentry unless the operator explicitly configures their own DSN.

Server logs

Our server records standard HTTP access logs (IP address, timestamp, path, response code). These are used solely for debugging and abuse prevention. IP addresses are also used in memory for rate limiting. These are not persisted beyond what appears in access logs. Server logs are retained for approximately 30 days and then deleted.

Infrastructure

This service runs on Fly.io. Fly.io may retain their own infrastructure-level logs.

Data retention

Shared reviews are retained for 30 days from the date of last activity, then deleted automatically. You can delete a shared review at any time using the Unpublish button in Crit.

Contact

For privacy questions, open an issue on GitHub. For sensitive requests (such as data deletion), email tomasz@crit.md.