Lightweight, self hosted Git service written in Go that sets strictly necessary session and CSRF cookies when an end user signs into the web interface.
Gitea is an open source, self hosted Git service written in Go. Organisations install it on their own infrastructure to host repositories, manage issues, run CI pipelines and review code internally. Because every Gitea instance is operated by the deploying organisation, the controller and the data location are entirely defined by that operator and not by an external vendor.
When a user authenticates against the Gitea web interface, the server sets cookies named i_like_gitea (the session cookie), _csrf (CSRF protection token), lang (language preference) and gitea_incredible (remember me token when enabled). Gitea also stores commit metadata, repository activity, issue comments and access logs. These are processed under the responsibility of the operating organisation.
The Gitea session, CSRF and language cookies are strictly necessary to deliver the service requested by the user, so they fall under the ePrivacy exemption of Article 5(3) and do not require prior consent. The remember me cookie is functional and may also be exempt as long as it is enabled at the explicit request of the authenticated user. Standard user account data is processed on the basis of contract performance or legitimate interest, depending on context.
Because Gitea is self hosted, there is no automatic transfer to a third country. The data location is fully determined by the operator. If you host the instance in the EU on your own hardware or with an EU based cloud provider, all processing stays within the EEA. If you choose a non EU hosting provider, you must apply the usual Chapter V safeguards.
Restrict the Gitea web interface to authenticated users, enforce HTTPS and Secure HttpOnly cookies, configure short session timeouts and limit access logs to the retention period your security policy requires. Document Gitea in your record of processing activities, mention it in the employee or contributor privacy notice and provide an internal procedure for data subject requests.
DPIA considerations
A full DPIA is rarely required for an internal Gitea instance because cookies are strictly necessary and data stays under the operator's control. A DPIA may still be needed when Gitea is exposed publicly, processes special category data or is hosted by a non EU cloud provider.
Sample consent text
This site uses Gitea, a self hosted Git service. It sets strictly necessary session and CSRF cookies when you sign in to your account. No consent is required for these cookies, but you can review our privacy notice for more details.
Third-party domains contacted
gitea.com
gitea.io
dl.gitea.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| i_like_gitea | necessary | Session | Primary session cookie that authenticates the user against the Gitea web interface and links subsequent requests to the active session. |
| _csrf | necessary | Session | Cross site request forgery protection token used by Gitea to validate that form submissions originate from the legitimate authenticated session. |
| lang | preferences | 1 year | Stores the language preference selected by the user so the Gitea interface is displayed in the same language on subsequent visits. |
| gitea_incredible | functional | 30 days | Remember me token set only when the user activates the Stay signed in option; it keeps the session valid across browser restarts. |
Gitea sets i_like_gitea for the active session, _csrf for CSRF protection, lang for the language preference and gitea_incredible for the remember me option when the user enables it. All are first party cookies on the domain of the Gitea instance.
No prior consent is required for the strictly necessary cookies because they are essential to deliver an authenticated session. The remember me cookie is functional and is only set after the user actively requests it, so no consent banner is needed for a typical Gitea deployment.
User account data is usually processed on the basis of contract performance under Article 6(1)(b) of the GDPR for employees and contributors, or legitimate interest under Article 6(1)(f) for internal security and audit logs. Cookies rely on the ePrivacy exemption.
Gitea itself does not transfer data anywhere. If you host the instance in the EU you stay inside the EEA. Transfers only happen when you choose a non EU hosting provider or use external integrations such as webhooks pointing to third country services.
A DPIA is generally not required for an internal Gitea instance because cookies are strictly necessary and the volume of personal data is limited. A DPIA may be triggered when Gitea hosts repositories that contain personal data on a large scale, sensitive categories or is exposed publicly.
Host the instance on EU infrastructure, enforce HTTPS, set Secure and HttpOnly flags on every cookie, configure SSO with strong authentication, restrict logs to a defined retention period and document the processing in your record of processing activities.
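The cookie hardening recommended here and in the earlier paragraph on enforcing HTTPS, Secure and HttpOnly can be checked against what an instance actually sends. The following is an added example, not code from Gitea or from this page: it audits `Set-Cookie` headers against the four-cookie inventory in the table above. The sample headers are constructed, and the lifetime ceilings are taken from the table's Duration column as an assumed policy.

```python
# Added example: audit Set-Cookie headers captured from a Gitea sign-in
# response. Cookie names come from the page's table; lifetimes are the
# table's documented durations, used here as an assumed policy ceiling.
DOCUMENTED = {
    "i_like_gitea": None,              # session cookie, no persistence
    "_csrf": None,                     # session cookie, no persistence
    "lang": 365 * 86400,               # 1 year
    "gitea_incredible": 30 * 86400,    # 30 days
}

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, lowercase attribute dict)."""
    first, *rest = [part.strip() for part in header.split(";")]
    name = first.partition("=")[0].strip()
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() or True
    return name, attrs

def audit(headers):
    """Return (cookie, finding) tuples for every deviation from policy."""
    findings = []
    for header in headers:
        name, attrs = parse_set_cookie(header)
        if name not in DOCUMENTED:
            findings.append((name, "not in documented inventory"))
            continue
        for flag in ("secure", "httponly"):
            if flag not in attrs:
                findings.append((name, f"missing {flag} flag"))
        limit = DOCUMENTED[name]
        age = attrs.get("max-age")
        if limit is None and ("max-age" in attrs or "expires" in attrs):
            findings.append((name, "session cookie is persistent"))
        elif limit and isinstance(age, str) and age.isdigit() and int(age) > limit:
            findings.append((name, "lifetime exceeds documented limit"))
    return findings

# Constructed sample headers, not captured from a real instance.
SAMPLE = [
    "i_like_gitea=3f9c1a; Path=/; HttpOnly; Secure; SameSite=Lax",
    "_csrf=Zm9vYmFy; Path=/; HttpOnly; SameSite=Lax",
    "lang=en-US; Path=/; Max-Age=31536000; HttpOnly; Secure",
    "gitea_incredible=ab12; Path=/; Max-Age=2678400; HttpOnly; Secure",
]

if __name__ == "__main__":
    for cookie, finding in audit(SAMPLE):
        print(f"{cookie}: {finding}")
```

Any finding means the cookie inventory in the privacy notice and the instance's actual behaviour have drifted apart and one of them needs correcting.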
Other self hosted Git platforms such as Forgejo, GitLab Community Edition or cgit also keep data on infrastructure you control. They share the same favourable privacy profile because the operator decides where data is stored and which cookies are activated.
List the four Gitea cookies, mark them as strictly necessary or functional, indicate the retention period configured on your instance and explain that they are required to deliver the authenticated Git web interface. Add a link to the operator privacy notice.