Privacy Policy

Last updated: February 2026

This Privacy Policy explains how LPM ("we", "us", "our") collects, uses, shares, and protects your personal information when you use the Licensed Package Manager platform at lpm.dev (the "Service").


1. Information We Collect

1.1 Account Information

When you create an account, we collect:

  • Email address and password (password stored as a hash by our auth provider)
  • Username and display name
  • Profile information you choose to provide: bio, website URL, location (country), social media links, and profile picture

1.2 Billing & Payment Information

When you subscribe to a plan or make a purchase, we collect:

  • Billing email address
  • Card brand, last 4 digits, and expiration date (for display purposes only)
  • Stripe customer and subscription identifiers

Full card numbers and CVVs are processed exclusively by Stripe and never touch our servers. See Stripe's Privacy Policy.

1.3 Package & Registry Data

When you publish or install packages, we collect:

  • Package metadata (name, version, description, keywords, dependencies)
  • Package source code and tarball files
  • Download logs including: package version, registry token used, user ID (if authenticated), IP address, and user-agent string

1.4 Usage & Analytics Data

With your consent (via our cookie consent banner), we collect:

  • Pages visited and navigation patterns
  • User identifier, email, username, name, and subscription tier (for identified users only)
  • Browser errors and exceptions
  • Session recordings with all form inputs masked

Without consent, no analytics data is collected. Analytics are powered by PostHog, initialized with opt_out_capturing_by_default enabled, so no events are captured until you explicitly accept.

1.5 Session & Security Data

For security and fraud prevention, we automatically collect:

  • IP address and user-agent string on login, signup, and authentication events
  • Active session records (session ID, last activity timestamp)
  • Rate limiting data (IP-based, transient)

1.6 Audit Logs

We maintain audit logs of significant account and organization actions, including:

  • The action performed (e.g., member added, token created, package published)
  • Who performed the action (actor ID)
  • IP address and user-agent of the actor
  • Timestamps and relevant metadata

1.7 Organization Data

If you create or join an organization, we collect:

  • Organization name, slug, description, website, location, and logo
  • Member list with roles (owner, admin, maintainer, member)
  • IP allowlist configurations (if set by organization admins)

2. How We Use Your Information

We use the information we collect to:

  • Provide the Service: Authenticate your account, host and distribute packages, process transactions, manage subscriptions and entitlements
  • Communicate with you: Send transactional emails (invitations, payout notifications, account alerts) and respond to support requests
  • Ensure security: Detect fraud, enforce rate limits, maintain audit trails, and protect against unauthorized access
  • Improve the Service: Analyze usage patterns (with consent), fix bugs, and develop new features
  • Process payments: Calculate and distribute Pool revenue shares, process marketplace purchases, manage billing
  • Comply with legal obligations: Maintain records as required by law, respond to legal requests

Lawful Basis for Processing (GDPR)

Basis               | Processing activities
--------------------|--------------------------------------------------------------------------------
Contract            | Account management, package hosting, payment processing, subscription management
Consent             | Analytics tracking, session recording, non-essential cookies
Legitimate interest | Security monitoring, fraud prevention, audit logging, service improvement
Legal obligation    | Tax record retention, responding to lawful requests

3. Information We Share

We do not sell your personal information. We share data with the following third-party service providers who process it on our behalf:

3.1 Service Providers

Provider | Purpose                                        | Data shared
---------|------------------------------------------------|--------------------------------------------------------------
Supabase | Authentication, database hosting, file storage | All account data, auth credentials (hashed), uploaded files
Stripe   | Payment processing, subscription management    | Email, name, payment method tokens, purchase metadata
PostHog  | Product analytics (with consent only)          | User ID, email, name, plan tier, page URLs, session recordings
Resend   | Transactional email delivery                   | Recipient email, message content

3.2 AI Features

Package metadata and chat conversations may be processed by:

  • Anthropic (Claude) for package analysis and chat
  • OpenAI for embeddings and search

You can opt out of AI processing for your private packages in your account preferences. Pool and marketplace packages require AI processing for quality assurance and discoverability. Source code is extracted temporarily for analysis and then discarded; it is not stored or used for AI model training.

3.3 Other Disclosures

We may also share information:

  • With your consent or at your direction
  • To comply with legal obligations, court orders, or government requests
  • To protect the rights, safety, and property of LPM, our users, or the public
  • In connection with a merger, acquisition, or sale of assets (with advance notice)

4. Cookies & Tracking Technologies

4.1 Essential Cookies

Supabase sets authentication cookies to maintain your login session. These are strictly necessary and do not require consent.

4.2 Analytics Cookies (Consent-Based)

PostHog analytics are disabled by default. On your first visit, a cookie consent banner asks for your permission. Your choice is stored in your browser's localStorage as cookie_consent.

  • Accept: PostHog tracking begins (pageviews, identified user properties, session recordings with masked inputs)
  • Decline: No analytics data is collected

You can change your choice at any time by clearing the cookie_consent entry from your browser's localStorage, after which the consent banner is shown again on your next visit.

4.3 Third-Party Analytics (User-Configured)

Package owners can optionally connect their own analytics providers (Google Analytics, Plausible, Fathom, Umami) to their package pages. These are controlled by the package owner, not by LPM.


5. Data Retention

Data type              | Retention period
-----------------------|------------------------------------------------------------
Active account data    | Retained while the account is active
Deleted account data   | 30-day restoration window, then permanently removed
Audit logs             | Retained for compliance and security purposes
Package download logs  | Retained for analytics and anti-gaming verification
Session records        | Deleted on logout; inactive sessions cleaned periodically
Stripe webhook events  | Retained for payment dispute resolution and auditing
PostHog analytics      | Subject to PostHog's retention settings
Soft-deleted packages  | 30 days, then permanently removed

When you delete your account:

  1. Your account is soft-deleted with a 30-day restoration window
  2. Stripe subscriptions are canceled at period end
  3. Active sessions and registry tokens are revoked immediately
  4. Private packages are scheduled for deletion
  5. Your avatar is deleted from storage
  6. Organization memberships (non-owner) are removed
  7. After 30 days, your data is permanently purged

Usernames associated with public packages (marketplace or Pool) are locked to prevent impersonation after deletion.


6. Your Rights

6.1 All Users

You can:

  • Access and update your profile information at any time via your dashboard settings
  • Delete your account from the dashboard settings (Danger Zone section)
  • Manage email preferences at /dashboard/settings/preferences to opt out of non-essential emails
  • Control analytics cookies via the cookie consent banner (accept or decline)
  • Revoke registry tokens at any time from your dashboard

6.2 European Economic Area (EEA) Residents - GDPR Rights

If you are in the EEA, you have the right to:

  • Access: Request a copy of your personal data
  • Rectification: Correct inaccurate or incomplete data
  • Erasure: Request deletion of your data (subject to legal retention requirements)
  • Restriction: Request we limit processing of your data
  • Portability: Request your data in a structured, machine-readable format
  • Object: Object to processing based on legitimate interest
  • Withdraw consent: Withdraw analytics consent at any time without affecting prior processing

To exercise these rights, contact us at [email protected]. We will respond within 30 days.

6.3 California Residents - CCPA/CPRA Rights

If you are a California resident, you have the right to:

  • Know what personal information we collect, use, and disclose
  • Delete your personal information
  • Opt-out of the sale of personal information (we do not sell your data)
  • Non-discrimination for exercising your privacy rights

To exercise these rights, contact us at [email protected].


7. International Data Transfers

Your data may be processed in countries outside your own, including the United States, where our service providers operate. We ensure appropriate safeguards are in place for international transfers, including:

  • Standard Contractual Clauses (SCCs) where required
  • Service provider compliance with applicable data protection frameworks

8. Data Security

We implement appropriate technical and organizational measures to protect your personal information, including:

  • TLS encryption for all data in transit
  • Database-level encryption at rest
  • Row-Level Security (RLS) policies so that users can only access their own data
  • Password hashing (handled by Supabase auth)
  • Registry token hashing (only a hash of each token is stored; plaintext tokens are never stored)
  • IP-based rate limiting on authentication and API endpoints
  • Content Security Policy (CSP) headers
  • Webhook signature verification for payment events

No system is 100% secure. If we become aware of a security breach affecting your personal data, we will notify affected users and relevant authorities as required by applicable law.


9. Children's Privacy

LPM is not intended for use by individuals under the age of 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us at [email protected] and we will promptly delete it.


10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page with a revised "Last updated" date. For significant changes, we may also send an email notification.


11. Contact Us

For questions about this Privacy Policy or to exercise your data rights:

We aim to respond to all privacy requests within 30 days.