Legal · v1.0
Privacy Policy
How my applications and services collect, use, and protect your information — including data accessed through Google APIs.
Scope
This Privacy Policy describes how I, Luke Huxley, the individual operator of the applications, websites, and services described on this site (collectively, the "Service"), handle personal information. It applies to anyone who interacts with the Service, including by signing in with a Google account.
This policy works alongside the Terms of Service. Capitalised terms not defined here have the meanings given in those Terms.
What I collect
I try to collect as little as I need to make a feature work. The categories below cover everything the Service may collect:
| Category | Examples | Source |
|---|---|---|
| Account identifiers | Your email address, Google account ID, display name, and profile picture URL | You, via your identity provider (e.g. Google sign-in) |
| Authorisation tokens | OAuth access and refresh tokens scoped to the permissions you grant | Your identity provider, on your authorisation |
| Google user data | Only the data covered by the OAuth scopes you have approved (see Section 4) | Google APIs, on your authorisation |
| Content you submit | Text, files, settings, and other input you provide to the Service | You |
| Technical logs | IP address, user-agent string, request timestamps, error traces | Automatically, when you use the Service |
I do not intentionally collect special-category data (such as health, religion, or political views), and I do not buy personal data from third parties.
How I use it
I use the information I collect only to:
- Provide, operate, and maintain the user-facing features of the Service.
- Authenticate you and keep your session secure.
- Diagnose problems, prevent abuse, and improve reliability.
- Communicate with you about the Service when you have asked me to or when I am required to.
- Comply with applicable law.
I do not use your information for advertising, profiling for marketing, or training generalised machine-learning models.
Google user data
When you authorise the Service to access your Google account, the Service uses Google API Services and is bound by the Google API Services User Data Policy, including the Limited Use requirements. The following commitments apply to all data the Service receives from Google APIs ("Google user data").
Limited Use commitments
- The Service's use of Google user data is limited to providing or improving user-facing features that are prominent in the Service's user interface.
- The Service does not transfer Google user data to third parties except as necessary to provide or improve user-facing features, to comply with applicable law, or as part of a merger, acquisition, or sale of assets with appropriate notice to users.
- The Service does not use Google user data to serve advertisements, including retargeting, personalised, or interest-based advertising.
- The Service does not allow humans to read Google user data, except: (a) with your explicit consent for specific data; (b) where necessary for security purposes (such as investigating abuse); (c) to comply with applicable law; or (d) where the data has been aggregated and anonymised so that it can no longer be associated with an individual user, and is used for internal operations consistent with the User Data Policy.
- The Service does not use Google user data to develop, improve, or train generalised or non-personalised AI or machine-learning models.
Scopes I request
The Service only requests OAuth scopes that are required for a feature you have asked for. You will see the requested scopes on Google's consent screen before you grant access; the Service does not request additional scopes silently after that point.
Revoking access
You can revoke the Service's access to your Google account at any time at myaccount.google.com/permissions. Once you revoke access, the Service can no longer call Google APIs on your behalf and any cached Google user data is deleted within the timeframe described in Section 7.
In plain English
Your Google data is used to make the feature you authorised work, and nothing else. It is not sold, not used for ads, and not used to train AI models.
Sharing & transfers
I do not sell or rent personal information. I share it only in these limited cases:
- Infrastructure providers who host the Service or store its data on my behalf, under contracts that require them to protect the data and use it only as I direct.
- Identity providers (such as Google) that you have chosen to sign in with — the relationship is yours, but technically the data passes through their systems.
- Legal compliance, when I am required by law, court order, or a binding regulatory request, and only to the extent necessary.
- Business transfers, if the Service is ever acquired or merged into another entity, in which case I will give you reasonable notice before your information becomes subject to a different privacy policy.
Storage & security
Personal data and authorisation tokens are stored on infrastructure provided by reputable cloud platforms, with access restricted to me. I take reasonable technical and organisational measures to protect your information, including:
- TLS encryption for data in transit.
- Encryption at rest for stored credentials and OAuth tokens.
- Principle-of-least-privilege access controls.
- Routine review of dependencies and patches for known vulnerabilities.
No system is perfectly secure. If I become aware of a security incident affecting your information, I will notify you and any required authority as soon as reasonably practicable.
Data retention
I keep personal information only as long as needed for the purposes described in this policy:
- Account identifiers and OAuth tokens are kept while your account is active and deleted within 30 days of you deleting your account or revoking the Service's access.
- Cached Google user data is kept only as long as needed to fulfil your most recent request, and is deleted promptly thereafter — typically within 24 hours, and within 30 days at the outside.
- Technical logs are retained for up to 90 days, then deleted or aggregated into non-identifying metrics.
- Records I am legally required to keep (such as billing or tax records, if applicable) are retained for the period the relevant law requires.
Your rights
Depending on where you live, you may have rights under privacy laws such as the GDPR (EU/UK), the CCPA/CPRA (California), or similar regimes. These typically include the right to:
- Access the personal information I hold about you.
- Correct information that is inaccurate or incomplete.
- Delete information, subject to legal retention requirements.
- Object to or restrict certain processing.
- Receive a portable copy of your information.
- Withdraw consent at any time, where processing is based on consent.
- Lodge a complaint with your local data-protection authority.
To exercise any of these rights, email me using the address in Section 13. I will respond within the timeframe required by the applicable law (typically 30 days).
Cookies & local storage
The Service uses a small number of strictly necessary cookies and browser local-storage entries to keep you signed in and to remember preferences such as your chosen colour theme. It does not use third-party advertising or analytics cookies.
Children
The Service is not directed at children under 13, and I do not knowingly collect personal information from children under 13. If you believe a child has provided me with personal information, please contact me and I will delete it.
International transfers
The Service may be operated from, and your information may be processed in, countries other than the one you live in. Where such transfers are subject to data-protection law, I rely on appropriate safeguards (such as standard contractual clauses) to protect your information.
Changes to this policy
I may update this policy from time to time. If I make a material change, I will update the "Last updated" date at the top of this page and, where reasonable, notify you through the Service. Your continued use of the Service after the change becomes effective constitutes acceptance of the updated policy.
Contact
Questions, requests about your data, or anything else privacy-related — email me directly. I read every message.