Privacy policy.

What we collect

• Email when you sign in with the email OTP flow. Stored in accounts.email and in auth.users (Supabase).
• Wallet address when you sign in with Phantom (Solana SIWS). Stored in accounts.wallet_address.
• Provider identifier (Google sub-id, GitHub login) when you use OAuth.
• API key usage timestamps in api_usage for rate-limiting. Stores key_id, endpoint, status, ts. Aggregated to per-key counters; raw rows are pruned regularly.

What we do not collect

• Search queries you send to /api/search or /api/decision
• Decision response bodies
• Caller IP addresses (used only in-memory for rate-limit, never stored)
• User-Agent strings
• Package names you searched

Where the data lives

• Supabase (Postgres + Auth). Accounts, api_keys, waitlist_emails, api_usage
• Vercel (hosting + edge cache). Request logs (retained ≤ 30 days, anonymized after)
• OpenAI. Receives the search query and a compact candidate list when /api/decision is called. Does not receive your email, API key, or session. Subject to OpenAI's data policy for API calls (no training on inputs).

Retention

• Account data. While the account exists
• Waitlist emails. 24 months
• API usage rows. 30 days, then aggregated
• Vercel logs. 30 days

Your rights

Request deletion of your account or export of your data by opening an issue at github.com/trynipcode/nipcode/issues with the email used at signup. We respond within 30 days.

Third-party sources

When you query /api/search we forward the query directly to the public source registry (npm, PyPI, crates.io, GitHub, Docker Hub, Hugging Face). Each source has its own privacy policy. We do not store what comes back.

Changes

Material changes will be announced via the GitHub repo and a note in the changelog before they take effect.