AuthPlane is an open-source OAuth 2.1 authorization server built for the Model Context Protocol (MCP). This Privacy Policy explains what data we collect when you visit authplane.ai, why we collect it, and what rights you have over it.
If you have questions about this policy, contact us at: privacy@authplane.ai.
1. Who We Are
AuthPlane is operated by Codigo Inc. References to "AuthPlane", "we", "us", or "our" in this policy refer to Codigo Inc.
2. What Data We Collect
2.1 Cloudflare Web Analytics
We use Cloudflare Web Analytics to understand how visitors use the site. Cloudflare Web Analytics is cookieless and does not use fingerprinting. It does not track you across sites and does not collect personally identifiable information. The data processed includes:
- Page views and navigation paths
- Approximate country of origin (derived from IP address, which is not stored)
- Browser type and operating system
- Referrer URLs
No cookies are set by Cloudflare Web Analytics. No consent is required for this tool under GDPR.
2.2 Contact and Waitlist Forms
If you submit a contact form or sign up for the AuthPlane waitlist or newsletter, we collect:
- Your email address
- Your name (optional)
- Any message content you voluntarily provide
This data is used solely to respond to your inquiry or send you product updates you requested. We do not use it for advertising or sell it to third parties.
2.3 Cookies
authplane.ai uses two categories of cookies:
- Strictly necessary cookies — session-level cookies required for the site to function (for example, security tokens and load balancing). Always on. They do not track you and do not require your consent under GDPR.
- Analytics cookies — set by Google Analytics 4 (see §2.4 below) only if you accept via the consent banner on your first visit. If you decline, no analytics cookies are set.
We do not use advertising cookies, tracking pixels, or third-party marketing cookies.
2.4 Google Analytics 4 (GA4) — consent-based
We use Google Analytics 4 (GA4) to collect aggregated usage data about how visitors interact with our website. GA4 sets cookies and sends data to Google LLC servers in the United States.
GA4 is only activated if you give your consent via the cookie banner on your first visit. If you decline, the GA4 script is never loaded and no GA4 cookies are set.
Data collected by GA4 includes:
- Pages visited and navigation paths
- Time spent on pages
- Approximate geographic location (country / city level)
- Device type, browser, and operating system
- Referrer source
GA4 data is processed by Google LLC under its own privacy policy at policies.google.com/privacy. Legal basis: consent (GDPR Article 6(1)(a)).
You can withdraw your consent at any time by clicking "Cookie preferences" in the site footer (or by clearing your browser's localStorage for this domain).
2.5 Server Logs
Like all websites, our hosting infrastructure (Cloudflare Pages) automatically records standard server log data, including:
- IP address (used transiently for routing and security; not stored beyond standard log retention)
- HTTP request metadata (method, path, status code, timestamp)
- User-agent string
This data is used for security monitoring and infrastructure management only.
3. Legal Basis for Processing (GDPR)
For visitors in the European Economic Area (EEA), we rely on the following legal bases:
- Legitimate interest (Article 6(1)(f)): anonymous analytics and server log processing for site security and performance improvement.
- Contract performance (Article 6(1)(b)): processing your contact form submission to respond to your request.
- Consent (Article 6(1)(a)): if you sign up for our newsletter or waitlist, we process your email address based on your explicit opt-in.
4. How Long We Keep Your Data
We keep your data only as long as necessary for the purpose it was collected:
- Analytics data: aggregated and anonymized, retained indefinitely in aggregate form.
- Server logs: retained for up to 30 days for security purposes, then deleted.
- Contact form submissions: retained for up to 12 months or until your request is resolved, whichever is sooner.
- Waitlist / newsletter subscriptions: retained until you unsubscribe.
5. Who We Share Data With
We do not sell your personal data. We share data only with the following service providers, and only as necessary to operate the site:
- Cloudflare, Inc. — hosting, CDN, and privacy-respecting analytics. Cloudflare acts as a data processor under a Data Processing Agreement. See Cloudflare's privacy policy at cloudflare.com/privacypolicy.
- Google LLC — Google Analytics 4, only if you accept analytics consent. Google acts as a data processor for this data. See Google's privacy policy at policies.google.com/privacy.
If we use additional third-party tools in the future (such as an email delivery provider for the newsletter), we will update this policy before doing so.
6. Your Rights Under GDPR
If you are in the EEA, UK, or Switzerland, you have the following rights:
- Right of access: you can request a copy of the personal data we hold about you.
- Right to rectification: you can ask us to correct inaccurate data.
- Right to erasure: you can ask us to delete your personal data.
- Right to restriction: you can ask us to limit how we process your data.
- Right to data portability: you can ask for your data in a machine-readable format.
- Right to object: you can object to processing based on legitimate interest.
- Right to withdraw consent: if processing is based on consent, you can withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, email us at privacy@authplane.ai. We will respond within 30 days.
You also have the right to lodge a complaint with your national data protection authority.
7. International Data Transfers
authplane.ai is served globally through Cloudflare's infrastructure. If you access the site from outside the United States, your data may be transferred to and processed in the US or other countries. Cloudflare maintains Standard Contractual Clauses (SCCs) and other transfer mechanisms compliant with GDPR Chapter V.
8. Children's Privacy
AuthPlane is a developer infrastructure product intended for adults. We do not knowingly collect personal data from anyone under 16. If you believe a minor has submitted data through our site, contact us at privacy@authplane.ai and we will delete it promptly.
9. Changes to This Policy
We may update this Privacy Policy as the product evolves. When we make material changes, we will update the "Last updated" date at the top of this page. We encourage you to review this policy periodically.
10. Contact
For any privacy-related questions or requests:
- Email: privacy@authplane.ai
- Project: github.com/authplane/authserver
This document does not constitute legal advice. Consult a qualified attorney for compliance specific to your jurisdiction.