Privacy Policy
Last updated: 2026-05-15
ToolDecker ("we") respects your privacy. This notice complies with EU GDPR, UK GDPR, California CCPA/CPRA, and China's PIPL.
1. What we collect
- Account: email (via OAuth or Magic Link), optional phone (CN SMS login), username, avatar URL.
- Submissions: tool URLs, descriptions, images you submit.
- Technical logs: country-level IP (via Cloudflare cf-ipcountry), User-Agent, click events, referrer.
- Cookies: session cookie (authjs.session-token, HTTP-only), locale preference (td-locale), CSRF token. We use no third-party analytics or advertising cookies.
2. Why we collect
- To provide login and account services (legal basis: contractual necessity, GDPR Art 6(1)(b)).
- To keep the site secure: rate limiting, SSRF guards, content moderation (legal basis: legitimate interest, GDPR Art 6(1)(f)).
- To handle DMCA notices and complaints (legal basis: legal obligation, GDPR Art 6(1)(c)).
- We do not sell your personal data to third parties.
3. How long we keep it
- Account data: until you delete it (/api/user/delete).
- Event logs: TTL-deleted after 90 days.
- Audit logs: 3 years (compliance).
- You can export everything (/api/user/export) or delete in one click (/api/user/delete) per GDPR Art 15 & 17.
4. Data transfer
- Servers in Hong Kong (VPS), CDN via Cloudflare (global edges).
- We don't proactively transfer data to non-recognized third countries; the only exception is OAuth token exchange with Google / GitHub.
5. Your rights (GDPR / CCPA / PIPL common subset)
- Access: export all personal data → /api/user/export or email hello@tooldecker.com.
- Rectification: log in and update account info directly.
- Erasure (right to be forgotten): /api/user/delete or email; executed within 30 days.
- Portability: export format is JSON.
- Object: email hello@tooldecker.com with subject 'Object'.
- Complaint: you may lodge a complaint with your local DPA (e.g. EU EDPB, UK ICO).
6. Contact
- Data protection: hello@tooldecker.com
- GitHub Issues (redacted content only): lueallen515/tooldecker