// privacy
Privacy notice
This is a self-hosted tool. "We" means the operator who deployed it on their own server.
What is stored
- Account email. The email you sign in with is stored in
auth/users.jsonalong with sign-in timestamps and your role (admin or user). - Tools you create. Your tool title, description, chosen library tool, and config are stored in
data/tools.json, tagged with your email as the owner. - Activity logs. Security-relevant events (sign-ins, tool create/publish/delete, API errors, rate-limit triggers) are stored in
data/logs.jsonwith a timestamp, event type, your email, your IP address, and a truncated browser user-agent. - Rate-limit counters. Short-lived timestamps per email/IP are kept in
data/ratelimit.jsonto enforce limits.
What is never stored
- Raw one-time codes are never logged or stored in plaintext. Each code is kept only as a salted hash (
password_hash), is single-use, and expires after 5 minutes. - Passwords (there are none — sign-in is code-based) and your Claude API key (kept in server configuration, never in stored data).
How long it is kept
- Activity logs are pruned automatically: events older than 30 days are removed, and only the most recent 2000 events are retained.
- One-time codes are discarded the moment they are used or expire.
- Deleting a tool removes its record and its review artifact immediately.
Donations & payments
Donations are processed by Stripe using Stripe Checkout. Card details are entered on Stripe's own hosted page and never touch this server. We store only Stripe's checkout session id, the donation amount and currency, the payment status, and (if Stripe provides it) the email you gave Stripe for your receipt — used to reconcile donations. We never receive or store card numbers. See Stripe's privacy policy for how they handle payment data.
Sign-in code emails
Codes are delivered by email using the server's mail configuration (PHP mail() or SMTP). The email contains only the 6-digit code and its expiry. No tracking pixels or third-party analytics are used.
Third parties
When you draft a tool, your text description is sent to the Anthropic Claude API to recommend a matching library tool. No account email or IP is sent with that request. Review Anthropic's terms for how they handle API requests.