whomi.bio
~/legal$cat api-disclosure.md

Third-Party API Disclosure

// last updated: May 27, 2026

1. Why this Disclosure Exists

whomi.bio is built around showing live developer credibility on your bio page. To do that, we connect to public APIs operated by other companies. This document explains exactly what we fetch, how we use it, and where to find each third party's own privacy practices.

2. GitHub API

  • What we fetch: public profile data including username, avatar, bio, follower count, public repositories, contribution graph, top languages, and stars.
  • What we do NOT fetch: private repositories, private gists, your GitHub email (unless you opt in during OAuth), or any data marked private.
  • Authentication: OAuth 2.0. We store only a short-lived refresh token, encrypted at rest. We never see your GitHub password.
  • How we use it: refresh your bio's stats hourly so visitors see current contribution graphs and repositories.
  • GitHub privacy policy: docs.github.com/en/site-policy/privacy-policies

3. Stack Overflow API

  • What we fetch: public profile data including reputation score, top tags, top answers, and badge counts.
  • What we do NOT fetch: private votes, draft answers, or private profile fields.
  • Authentication: API token (you provide it; we encrypt at rest).
  • How we use it: display your Stack Overflow signal on your bio.
  • Stack Overflow privacy policy: stackoverflow.com/legal/privacy-policy

4. LeetCode

  • What we fetch: public profile data including problems solved, contest rating, ranking, and badges.
  • What we do NOT fetch: your code submissions, private problem lists, or any non-public data.
  • Authentication: public profile only; no credentials stored.
  • How we use it: display your problem-solving signal on your bio.
  • LeetCode terms: leetcode.com/terms

5. What We Will Never Do

  • We will never store your password to any third-party service.
  • We will never read or expose private data from these APIs.
  • We will never share fetched data with advertisers.

6. Disconnecting an Integration

You can disconnect any integration at any time from /dashboard → Integrations → [Service Name] → Disconnect. Disconnecting removes the cached statistics from your bio and revokes the refresh token within 1 hour.

7. Changes to Third-Party APIs

Third-party services may change their APIs, terms, or availability at any time. If a service becomes unavailable, the related section of your bio displays a graceful fallback message until the connection is restored.

8. Contact

Questions about a specific integration: legal@whomi.bio.

© Hackastra Infosec FZ-LLC · UAE Free Zone · Operator of whomi.bio