Privacy Policy

Effective: 2026-04-30

This policy describes how APTcache (“we,” “us,” or “APTcache”) collects, uses, and protects personal information when you use the APTcache service, including the marketing site (aptcache.com), the application (app.aptcache.com), the authorization server (auth.aptcache.com), and any associated APIs (collectively, the “Service”).

1. Data controller

APTcache is currently a pre-launch project operated by an individual maintainer. There is no incorporated legal entity behind the Service at this time. The maintainer is the data controller for personal information processed through the Service for purposes of UK GDPR and EU GDPR. You can reach us about privacy at privacy@aptcache.com. If and when APTcache incorporates as a legal entity, this section will be updated to identify it and provide a registered address.

2. Information we collect

2.1 Account information

When you create an account, we collect:

  • Email address (required for verification, recovery, and security notifications)
  • Display name and optional username
  • A password hash (we never store the plaintext password — see §7 Security)
  • Profile preferences you choose to set (e.g. locale, time zone), used to localise the interface

2.2 Authentication credentials

To support the authentication methods you choose, we may store:

  • Multi-factor authentication seeds (TOTP) — encrypted at rest; the plaintext is shown to you once at enrolment and never re-displayed
  • Passkey (WebAuthn) public keys, credential IDs, and authenticator metadata. We do not and cannot receive the private key
  • Recovery codes (one-time hash) for account recovery if other factors are unavailable
  • Federated identity provider linkages (the OIDC subject ID returned by the provider you chose, e.g. Google, GitHub) — we do not store passwords used at the upstream provider

2.3 Session and device data

For each active session we record the IP address, user-agent string, and timestamps of creation and last use. This information powers the “active sessions” surface in your account settings (so you can revoke unfamiliar sessions) and is used in security decisioning (e.g. detecting suspicious sign-ins).

2.4 OAuth grants and authorizations

When you authorize a third-party application via OAuth/OpenID Connect, we record which client you authorized, which scopes were granted, and when. You can review and revoke these grants at any time from your account settings.

2.5 Audit logs

We log security-relevant events — sign-in attempts (successful and failed), password changes, MFA enrolment and removal, OAuth client authorizations and revocations, account deletion requests, and similar. These logs include the actor user ID, the action, a timestamp, the source IP, and minimal contextual metadata. Audit logs exist to detect and investigate abuse and unauthorized access.

2.6 Diagnostic and operational data

Our infrastructure (Cloudflare Workers and supporting services) records request metadata — method, path, response status, latency, region of origin — necessary to operate the Service, debug issues, and detect attacks. Where these records contain IP addresses or other identifying data they are treated as personal data under this policy.

2.7 What we do NOT collect

  • We do not place advertising or marketing cookies on the Service
  • We do not use third-party analytics that profile you (no Google Analytics, Mixpanel, Segment, or similar on operator-controlled surfaces)
  • We do not sell personal information, in any form, to anyone
  • We do not track you across other websites you visit

3. How we use the information

We use the information described above to:

  • Provide, operate, and maintain the Service
  • Authenticate you and authorise your access to the Service and to any third-party applications you connect
  • Send service-essential email — verification, password reset, security notifications, significant account changes
  • Detect, investigate, and prevent abuse, fraud, and security incidents
  • Comply with legal obligations (e.g. responding to lawful requests, retention required by law)
  • Improve the Service through aggregate, non-identifying analysis (e.g. error rates, feature usage)

4. Lawful basis (UK GDPR / EU GDPR)

For users in the United Kingdom and European Economic Area, we rely on the following Article 6(1) lawful bases:

  • Contract (Art. 6(1)(b)): providing the Service you signed up for, including account management and any features you actively use
  • Legitimate interests (Art. 6(1)(f)): detecting and preventing abuse; maintaining audit logs of security-relevant actions; operating logging and monitoring necessary to keep the Service available and secure. We balance these interests against your privacy and confine logging to what these purposes require
  • Legal obligation (Art. 6(1)(c)): complying with applicable law, including responding to lawful requests from public authorities
  • Consent (Art. 6(1)(a)): the limited cases where we ask for it explicitly (e.g. linking an additional federated identity provider)

5. How we share information

We share personal information only with the third parties below, and only to the extent necessary to operate the Service. We do not sell personal information.

5.1 Subprocessors

  • Cloudflare, Inc. — hosting (Workers, KV, D1, R2, Durable Objects), DNS, edge security (WAF, rate limiting), and inbound email routing for role addresses. Data may be processed in any Cloudflare data centre globally
  • Resend, Inc. — transactional email delivery (verification, recovery, security notifications). Resend processes your email address and the message contents
  • Federated identity providers you choose — when you sign in with Google, GitHub, or another OIDC/SAML provider, that provider receives the request and returns a subject identifier and any claims you authorise it to share. Their privacy policy governs that interaction, not ours

5.2 Other disclosures

We may disclose personal information when required to:

  • Comply with a subpoena, court order, or other lawful legal process
  • Protect the rights, property, or safety of APTcache, our users, or the public
  • Investigate or prevent fraud, abuse, or security threats
  • Effect a merger, acquisition, or sale of assets — in which case we will give you prior notice and the opportunity to delete your account

6. Data retention

  • Account data: retained while your account is active. When you delete your account, we delete your profile and credentials. Audit log entries naming a deleted account are pseudonymised (account ID retained, profile fields purged) so the security forensic record remains intact while personal identifiers are removed
  • Active sessions: up to 30 days of inactivity, then automatically expired
  • OAuth refresh tokens: up to 30 days of inactivity, then automatically revoked
  • Audit logs: retained for 12 months; security-relevant events older than that are aggregated or deleted
  • Diagnostic logs: short-lived (typically less than 7 days) at the infrastructure layer

7. Security

We protect your information through multiple layers:

  • TLS 1.2+ in transit, with HSTS preload eligibility on every host
  • Passwords stored as Argon2id hashes with a per-user salt and parameters reviewed against current OWASP guidance
  • Multi-factor authentication available (TOTP, WebAuthn passkeys, recovery codes), with step-up enforcement on sensitive actions
  • OAuth-issued tokens are short-lived JWTs (RFC 9068) bound to the resource server, optionally sender-constrained via DPoP (RFC 9449); refresh tokens use rotation with reuse detection
  • Rate limiting at the edge and in the application; security-relevant headers (CSP, HSTS, X-Frame-Options, Referrer-Policy) on every browser response
  • Independent security disclosure programme — see Vulnerability Disclosure Policy and security.txt

8. Cookies

APTcache uses only strictly necessary cookies. Specifically: a session cookie set after sign-in, scoped to its host (auth.aptcache.com or app.aptcache.com), HttpOnly, Secure, SameSite=Lax. We do not use advertising, profiling, or third-party analytics cookies, so no consent banner is required under the ePrivacy Directive.

9. International transfers

APTcache runs on Cloudflare’s global edge. Your data may be processed in any country where Cloudflare operates, including outside the UK and EEA. Transfers outside the UK/EEA rely on the UK International Data Transfer Addendum or the EU Standard Contractual Clauses, with the additional safeguards Cloudflare publishes in its Trust Hub. Resend processes email content in the United States under equivalent safeguards.

10. Your rights

Depending on where you live, you have the following rights with respect to your personal information. To exercise any of them, contact us at privacy@aptcache.com.

10.1 UK and EU residents (UK GDPR / EU GDPR)

  • Access — confirm whether we hold your data, and obtain a copy
  • Rectification — correct inaccurate data
  • Erasure (“right to be forgotten”) — delete your account and associated data
  • Restriction — limit how we process your data
  • Portability — receive your data in a machine-readable format
  • Objection — object to processing based on legitimate interests
  • Withdraw consent — where we rely on consent, you can withdraw it at any time without affecting prior lawful processing
  • Lodge a complaint — with the UK Information Commissioner’s Office (ico.org.uk) or your local EU supervisory authority

10.2 California residents (CCPA / CPRA)

  • Right to know what personal information we collect and how we use it
  • Right to request deletion of your personal information
  • Right to correct inaccurate personal information
  • Right to opt out of the sale or sharing of your personal information — we do not sell or share personal information for cross-context behavioural advertising, so this opt-out is effectively the default
  • Right to non-discrimination for exercising any of these rights

11. Children

APTcache is not directed at children under 16, and we do not knowingly collect personal information from anyone under 16. If you believe a child has provided us personal information, please contact privacy@aptcache.com and we will take prompt steps to delete it.

12. Changes to this policy

If we make material changes we will give notice — typically by email to the address on your account, or by a banner on the Service for at least 30 days before the new policy takes effect. Non-material changes (clarifications, contact updates, layout) take effect on publication. Every version is dated; superseded versions are available on request.

13. Contact

Privacy enquiries: privacy@aptcache.com
Security disclosures: security@aptcache.com (see Vulnerability Disclosure Policy)