Back to geckopin.dev

Privacy Policy

Privacy Policy

Last updated: March 15, 2026

This policy explains how GeckoPin handles information across geckopin.dev, the GeckoPin web app, and the hosted GeckoPin relay service.

1. Scope and Roles

This policy applies to geckopin.dev, the GeckoPin web app, and the hosted GeckoPin relay service.

Third-party AI assistants, MCP clients, browser vendors, analytics providers, map providers, hosting providers, and any linked external services that you choose to use with GeckoPin operate under their own privacy policies.

If you self-host GeckoPin or operate your own relay, you are responsible for your own privacy disclosures for that deployment.

2. What Stays in Your Browser

GeckoPin is local-first. Ordinary use of the web app does not send us your board document just because you opened or edited a board.

  • Board content: board items and content are stored in your browser, including in IndexedDB.
  • Local settings: the app uses localStorage for settings and functional state such as board ID, appearance preference, relay lease state, and relay session bundles needed to reconnect a live board tab.
  • User-triggered local actions: clipboard content, imported files, pasted images, remote image URLs, links, map locations, and exported board files are ordinarily handled locally unless you choose to send them to an external service.

Under the current relay model, the board document remains in the browser and the relay is designed not to persist full board snapshots or queue full board mutations for later delivery.

3. Information We Receive

We receive or generate limited information when you use GeckoPin-hosted services.

  • Website at geckopin.dev: standard web request data, Simple Analytics page and event data, and ordinary browser requests made to supporting services such as Google Fonts and OpenStreetMap tile servers used in the landing page demo.
  • Hosted relay service: server-side session metadata, installation metadata, idempotency metadata, token hashes, board IDs, session IDs, installation IDs, scope, issue times, expiry times, last-seen timestamps, and related operational status needed to route live MCP traffic when you use the hosted relay.
  • Relay telemetry: PostHog events for relay operations, including operational metadata such as tool names, route identifiers, latency, status codes, and scrubbed analytics payloads when relay telemetry is enabled.

4. How We Use Information

We use information to:

  • provide the website, app, and hosted relay functionality;
  • support the app's local-first behavior and relay connection flow;
  • pair AI assistants with a live board tab and route MCP operations securely;
  • prevent abuse, debug errors, maintain reliability, and protect the service;
  • measure website and product usage through Simple Analytics; and
  • measure relay reliability and operations through PostHog when enabled on the relay server.

5. Legal Bases

Where GDPR or UK GDPR applies, we generally rely on the following legal bases:

  • Performance of a contract: delivering the website, app, and relay functionality you request.
  • Legitimate interests: service security, anti-abuse, debugging, reliability, operational monitoring, and product improvement.
  • Consent, where required: if we later introduce tracking technologies beyond the current Simple Analytics setup that require consent under applicable law.
  • Legal obligations: compliance with applicable laws and lawful requests.

6. Sharing and Processors

We do not sell personal information. We share information only where needed to run the service, including with the following providers and service categories.

  • Netlify: website hosting and related delivery infrastructure for geckopin.dev.
  • Railway: hosted relay server infrastructure.
  • Simple Analytics: privacy-friendly, cookieless analytics for website and frontend app events.
  • PostHog: relay operational telemetry when enabled on the relay server.
  • Google Fonts: delivery of the Poetsen One font used by the website.
  • OpenStreetMap: map preview tiles and external map links.
  • DuckDuckGo icon service: favicon lookups proxied through the GeckoPin relay.
  • Third-party AI assistants and MCP clients that you choose to use: for example Copilot, Claude, Cursor, Codex, and similar services under their own policies.
  • Remote image hosts and linked websites: when you choose to load external images, links, or other resources into a board.
  • Authorities or counterparties: where required by law or necessary to protect rights, safety, or service integrity.

In the relay telemetry code path, free-form text is intended to be scrubbed or hashed before being sent to PostHog, while operational metadata needed for reliability reporting is retained.

7. Data Retention

Key retention periods and storage behavior include:

  • Local board data: stored in your browser until you delete it, clear browser storage, or overwrite it with an import.
  • Local preferences and relay session bundles: stored in your browser until removed, replaced, or cleared through browser storage controls.
  • Relay sessions: maximum lifetime of about 1 hour, with an idle timeout of about 10 minutes under the current app constants.
  • Relay idempotency metadata: about 5 minutes under the current app constants.
  • Relay session and installation metadata files: remain in operator-controlled storage until cleaned up or rotated; the current code shows logical expiry and revocation but does not promise immediate physical deletion at expiry.
  • PostHog relay telemetry and server-side operational logs: retained for about 30 days.
  • Clipboard processing: handled transiently in the browser while copy and paste operations are taking place.

8. International Transfers

Information may be processed in countries other than your own, including through our providers and the third-party services you choose to use. This can include hosting, analytics, AI assistant providers, map services, and other external services.

Where applicable law requires safeguards for cross-border transfers, we rely on the provider arrangements and legal mechanisms made available for those services.

9. Your Privacy Rights

Depending on your jurisdiction, you may have rights to request access, correction, deletion, portability, restriction, or objection regarding certain personal data.

If you are in the EEA or UK, this may include rights under GDPR or UK GDPR and the right to lodge a complaint with your supervisory authority.

If you are covered by applicable U.S. state privacy laws, this may include rights to know, access, delete, or correct personal information, subject to the limits of those laws. GeckoPin does not sell personal information.

Because GeckoPin is local-first, much of your board content is under your direct control in your browser and can usually be deleted by clearing browser storage or revoking relay access.

10. Cookies and Local Storage

GeckoPin uses localStorage and IndexedDB for functional product behavior, including board persistence, app settings, relay leadership state, and reconnect data.

GeckoPin also uses Simple Analytics in its current cookieless configuration for website and frontend analytics events.

Based on the current implementation, we do not use a consent banner for this Simple Analytics setup because it is configured as a privacy-focused, cookieless analytics tool rather than as advertising, session replay, or cross-site profiling technology. If we later add more invasive tracking, we will revisit consent requirements.

11. Security

We use reasonable technical and organizational measures designed to protect information and maintain service integrity. No system is completely secure, and you should also use your own browser, device, and account security measures where applicable.

12. Children

GeckoPin is not directed to children under 13, and we do not knowingly collect personal information from children under 13. Where local law sets a higher age threshold for valid consent, that higher threshold may apply.

13. Changes to This Policy

We may update this policy when the product, infrastructure, legal requirements, or data practices change. If we do, we will update the "Last updated" date at the top of this page.

14. Contact

If you have questions about this privacy policy, you can reach us through the contact form on our website.