Privacy policy.
Who we are
platform.ltm-cli.dev is the managed backend for the ltm protocol, operated by Dennis de Vulder as sole data controller. The service is free, EU-hosted, and open source (Apache-2.0). For any privacy question you can reach us at privacy@ltm-cli.dev.
What we collect
- Account data. Your email address, your OAuth provider (GitHub or Google) and the uid it returns, and the display name if the provider includes one.
- Session data. An encrypted session cookie and a CSRF token, both set when you sign in. Strictly necessary — no consent requested.
- Packet data. Whatever your CLI pushes — goals, decisions, attempts, tags, and similar metadata described in the ltm protocol spec.
- Sign-in metadata. The timestamps of your current and previous sign-in, your sign-in count, and the IP address of each of those two events. We do not keep a longer history — each new sign-in overwrites these fields. Both are surfaced back to you on your Account page so you can spot unfamiliar access.
- Analytics (only if you accept). Google Analytics 4 (property G-GPMG1DLW28) records page path, referrer, screen size, user-agent, and a truncated/anonymised IP. Denied by default under Consent Mode v2; only activated after you click Accept on the cookie banner.
What we do NOT collect
No advertising tags, no marketing pixels, no cross-site identifiers, no email fingerprinting, no Segment, no Mixpanel. The one third-party service we load is Google Analytics 4 (consent-gated, see §2 and §9); that is the entire telemetry surface. If you decline analytics, the platform is HTML + a Rails backend and nothing else.
Why we process it
We process your account data and packet data to run the service you signed up for — this is contractual necessity under GDPR Article 6(1)(b). We process sign-in metadata to protect your account against unauthorized access, which is legitimate interest under Article 6(1)(f), balanced by keeping only the current and previous sign-in on the user row and surfacing both to you on your Account page. We process Google Analytics signals only on consent — GDPR Article 6(1)(a) and ePrivacy Article 5(3) — recorded as the ltm_cookie_ack cookie which you can withdraw at any time by clearing your cookies for this site.
Where your data lives
- Database: PostgreSQL hosted by Supabase, EU region (Paris).
- Application servers: Hetzner Cloud, Nuremberg, Germany.
- Object storage: none — we do not store files outside the database.
- Your account and packet data are not copied, mirrored, or processed outside the European Union.
- Analytics is the exception: if you opt in, Google Analytics signals are processed by Google Ireland Ltd, with onward transfer to the United States governed by the EU–US Data Privacy Framework. Decline the banner to keep everything EU-only.
Who we share it with
We do not sell, rent, or trade your data. The only entities with technical access to your account and packets are our two hosting providers — Hetzner and Supabase — acting strictly as data processors under EU GDPR-compliant DPAs. Google Ireland Ltd is a separate, consent-gated processor for the analytics signal described in §2 and §9; the ltm service itself never sends Google your account or packet data.
You may opt in to packet sharing with another registered ltm platform user by entering their email address on a packet page. Sharing is always explicit and initiated by you: no packet is shared by default, and no other user can pull a packet they have not been granted. Shares are read-only — recipients cannot modify, re-share, or export a packet you have shared with them. You can revoke a share at any time from the packet page; the recipient can likewise remove a share from their own account. Deleting the packet, or deleting your account, removes every share on it immediately and irreversibly — recipients lose access with no grace period. The share record (one row linking a packet to a recipient user id) lives in the same EU-hosted database described in §5 and is not shared with any third party.
How long we keep it
- Packets: until you delete them (deletion hard-removes the row), or until you delete the account. Account deletion cascades to every packet.
- Account data: until you delete the account.
- Sign-in metadata: only the current and previous sign-in are kept — each new sign-in overwrites the "previous" slot. There is no longer-term log.
- Backups: Supabase retains rolling point-in-time backups per their standard policy; a deleted account is fully purged from backups within 30 days.
Your rights (Articles 15–22)
You have the rights to access, rectification, erasure, portability, restriction, and objection. You can exercise most of them directly on the platform:
- Export (Art. 20). Download every packet and your profile as a JSON file from /account.
- Erasure (Art. 17). Delete your account and all stored packets from /account. The deletion is immediate and irreversible.
- For rectification, restriction, or objection — or any right you can't exercise in-product — email privacy@ltm-cli.dev. We answer within 30 days. You may also lodge a complaint with your national supervisory authority (in the Netherlands: Autoriteit Persoonsgegevens).
Cookies
The platform uses three cookies:
- Session cookie — strictly necessary. Keeps you signed in across requests. Set on sign-in, cleared on sign-out.
- CSRF token — strictly necessary. Protects form submissions against cross-site request forgery.
- ltm_cookie_ack — records your analytics consent choice ("granted" or "denied") so the cookie banner stops reappearing. 1-year lifetime. Clear it in your browser to see the banner again.
If you accept analytics, Google Analytics 4 additionally sets its own first-party cookies (_ga and _ga_*) used only to distinguish visitors for aggregated reporting. These are never set if you decline, and never set before you make a choice — Consent Mode v2 keeps them fully gated.
Changes to this policy
When we make a material change we email every active account at least 14 days in advance and show a banner on the platform for 30 days after the change takes effect. The "last updated" field at the top of this page always reflects the current version.
Changelog
- 2026-04-23 — v1.2. Documented opt-in, revocable, read-only packet sharing between registered users (§6). No change to third-party processors.
- 2026-04-22 — v1.1. Added consent-gated Google Analytics 4 under Consent Mode v2 (see §2, §5, §6, §9). Clarified sign-in retention (current + previous only, no 90-day log, no user-agent). Clarified packet deletion is hard-delete.
- 2026-04-21 — v1.0. Initial policy.