Legal

Privacy

Last updated: 12 June 2026

The short version

We collect the bare minimum to run a sign-in flow and an audit trail: your email, a one-way hash of your password, the prefix of each API key (never the full key), and the IP + user-agent of auth-relevant requests (signup, login, key create/revoke). That's it. No analytics, no tracking pixels, no ad networks, no third-party cookies. Delete your account by emailing us — see /contact.

1. What we collect

Email address

Used to identify your account and contact you about security issues or material changes to the service.

Password (hashed)

Stored as a bcrypt hash. The plaintext never touches the database and we cannot recover it for you.

API key prefix + hash

When you mint an API key, we show you the plaintext exactly once and then store only a SHA-256 hash plus the first ~12 characters (the prefix) for display in your dashboard.

Audit log entries

For each sign-in, sign-up, key creation, key revocation, and rate-limit denial we store the timestamp, IP address, and user-agent string. This is for security debugging and abuse prevention. Audit rows are admin-only — no public endpoint exposes them.

Last-used timestamps

We update a "last used" timestamp on your API key when it authenticates a request, so your dashboard can show "last seen 3 hours ago". No per-request log is stored.

2. What we don't collect

No analytics, telemetry, or tracking pixels on the marketing site. No Google Analytics, no Plausible, no Posthog.

No third-party cookies. The only cookies we set are HttpOnly session cookies (signed with itsdangerous) and a theme preference cookie — both first-party, both essential.

No content of the requests you make against our APIs. We log aggregate latency + outcome for tool calls, but not the query parameters, paths, or response bodies.

No advertising identifiers, fingerprinting, or device IDs.

3. Where data lives

Our primary database is hosted Postgres in the EU (Supabase, Frankfurt region). The application is deployed on Coolify behind Cloudflare. Backups are taken by the database host; backup retention is governed by their policies.

4. Retention

Account data (email, password hash, keys) stays until you delete the account.

Audit logs currently have no automatic expiry. We may add a 90- or 180-day rolling delete in the future; if we do, we'll announce on the changelog.

Revoked keys stay in the database (with a ``revoked_at`` timestamp) so your dashboard can still show the history. The key hash is useless once revoked.

5. Your rights

If you're an EU/UK resident the GDPR / UK-GDPR gives you the right to access, correct, and delete your data, and to object to processing. To exercise any of these, email us via /contact — we'll confirm receipt within a week.

6. Sharing data

We don't sell, rent, or otherwise share your data. The only third parties that see fragments of it are the infrastructure providers needed to run the service: the database host (Postgres rows), the deployment host (HTTP logs), and the CDN (request headers). All are bound by their respective data- processing agreements.

7. Changes

We'll bump the "last updated" date at the top of this page whenever we change anything material. For substantive changes, we'll also email active users.

8. Contact

Email us at the address listed on /contact for any privacy-related question.