pakx

legal

Privacy Policy

Last updated 2026-05-21.

What we collect

  • GitHub identity — your GitHub user id, login, display name, avatar URL, and primary email, supplied by GitHub when you sign in. Stored in our database to associate published packages with your account.
  • API tokens — we store an irreversible hash of each token you issue from /dashboard/tokens. The plaintext token is shown to you once at issue and never again.
  • Published packages and their metadata (name, version, description, kind, sha256, size). Tarballs are stored in Vercel Blob.
  • Server logs — short-lived request logs (IP, user-agent, path, status) kept for abuse detection. Rotated within 30 days.
  • No analytics SDKs. We do not embed Google Analytics, Segment, Posthog, or similar third-party trackers on the marketing site or dashboard at this time.

Why we collect it

To run the Service: authenticate you, issue and verify CLI tokens, host published packages, and prevent abuse. We do not sell personal data and we do not use it to train any machine-learning model.

Where it lives

  • Account + package metadata — Neon Postgres (EU region).
  • Tarballs — Vercel Blob.
  • Hosting + edge logs — Vercel.

Sharing

We share data only with the infrastructure providers above and only as needed to operate the Service. We will respond to lawful requests from authorities with jurisdiction. We will not voluntarily disclose your data otherwise.

Your rights

On request we will:
  • Export the data associated with your account via GET /api/v1/me/export. Bearer-protected JSON download covering your user row, hashed tokens, owned packages + versions, and Stripe pointer.
  • Delete your account via POST /api/v1/me/delete with a JSON body of {"confirm": "<your-github-login>"}. We revoke every token immediately and schedule the hard delete after a 30-day grace window — email security@pakx.dev during the window to undo. Packages other users depend on are tombstoned so existing manifest pins keep resolving.

Cookies

The dashboard sets a session cookie set by Auth.js when you sign in with GitHub. It is strictly necessary for the authenticated parts of the Service to function and is not used for tracking.

Children

The Service is not directed at children under 13. We do not knowingly collect data from anyone under 13.

Changes

Material changes to this policy will be announced on pakx.dev.

Contact

Privacy questions or deletion requests: github.com/pakxdev/pakx/issues.