LTM-PLATFORM-PRIV-0001 · 2026-04-21

Privacy policy.

SERVICE

platform.ltm-cli.dev

CONTROLLER

Dennis de Vulder · Utrecht, NL

CONTACT

privacy@ltm-cli.dev

LAW

Dutch law · EU jurisdiction

LAST UPDATE

2026-04-21

§ 1

Who we are

platform.ltm-cli.dev is the managed backend for the ltm protocol, operated by Dennis de Vulder as sole data controller. The service is free, EU-hosted, and open source (Apache-2.0). For any privacy question you can reach us at privacy@ltm-cli.dev.

§ 2

What we collect

Account data. Your email address, your OAuth provider (GitHub or Google) and the uid it returns, and the display name if the provider includes one.
Session data. An encrypted session cookie and a CSRF token, both set when you sign in. No other cookies.
Packet data. Whatever your CLI pushes — goals, decisions, attempts, tags, and similar metadata described in the ltm protocol spec.
Sign-in events. Timestamp, IP address, and user-agent string for each successful sign-in. Used for security notifications only, kept 90 days on a rolling basis.

§ 3

What we do NOT collect

No analytics, no advertising, no third-party trackers, no email fingerprinting, no cross-site identifiers. There is no Google Analytics tag, no Segment, no Plausible, no Mixpanel. The platform ships to you as HTML + a Rails backend, and that is the entire surface area.

§ 4

Why we process it

We process your account data and packet data to run the service you signed up for — this is contractual necessity under GDPR Article 6(1)(b). We process sign-in events to protect your account against unauthorized access, which is legitimate interest under Article 6(1)(f), balanced against a short retention window and a visible audit log on your Account page.

§ 5

Where your data lives

Database: PostgreSQL hosted by Supabase, EU region (Paris).
Application servers: Hetzner Cloud, Nuremberg, Germany.
Object storage: none — we do not store files outside the database.
Nothing is copied, mirrored, or processed outside the European Union. No US transfer is involved at any layer.

§ 6

Who we share it with

Nobody. We do not sell, rent, share, or otherwise disclose your data to third parties. The only entities with technical access are our two hosting providers (Hetzner and Supabase) acting strictly as data processors under EU GDPR-compliant DPAs.

§ 7

How long we keep it

Packets: until you delete them, or until you delete the account.
Account data: until you delete the account.
Sign-in events: 90 days, then automatically deleted on a rolling basis.
Backups: Supabase retains rolling point-in-time backups per their standard policy; a deleted account is fully purged from backups within 30 days.

§ 8

Your rights (Articles 15–22)

You have the rights to access, rectification, erasure, portability, restriction, and objection. You can exercise most of them directly on the platform:

Export (Art. 20). Download every packet and your profile as a JSON file from /account.
Erasure (Art. 17). Delete your account and all stored packets from /account. The deletion is immediate and irreversible.
For rectification, restriction, or objection — or any right you can't exercise in-product — email privacy@ltm-cli.dev. We answer within 30 days. You may also lodge a complaint with your national supervisory authority (in the Netherlands: Autoriteit Persoonsgegevens).

§ 9

Cookies

We set two cookies, both strictly necessary under the ePrivacy Directive (so no consent banner is required): a session cookie to keep you signed in, and a CSRF token to protect form submissions. That is the full list. No analytics, no marketing, no third-party cookies.

§ 10

Changes to this policy

When we make a material change we email every active account at least 14 days in advance and show a banner on the platform for 30 days after the change takes effect. The "last updated" field at the top of this page always reflects the current version.

§ 11

Changelog

2026-04-21 — v1.0. Initial policy, shipped with v0.2 of the platform.