Privacy

Last updated: 2026-04-28

The short version

We don't want your data. The things we run on this site fall into three categories: pages with privacy guarantees baked into the code (the strongest), pages that use Vercel Web Analytics for traffic counts (typical privacy posture for a marketing site), and tools you paste sensitive material into (which we tell you about up front).

/molt and /molt/drift

These routes are designed so we never see anything sensitive. Per the Molt spec §12.1:

  • We never ask for an API key, OAuth token, or other credential. The wizard outputs a secrets.json.template file with placeholders for you to fill in locally.
  • All config generation runs in your browser. The defaults engine is client-side JavaScript; there is no round trip to our server.
  • The optional share URL contains your categorical choices (habitat, hardness, diet) only. Hostnames, workspace slugs, chat IDs, and vault paths never enter the URL hash and never leave your browser.
  • Telemetry is opt-in only. When enabled, the only data sent is an aggregate counter increment keyed by (habitat, diet, hardness, day) with the IP stripped at the edge before persistence.
  • We do not load Vercel Analytics, Sentry, or any third-party beacon on /molt or /molt/drift. The Content-Security-Policy header enforces this at the browser layer.

/audit and the audit funnel

The audit is performed by a human reading the config you send. We ask you to redact secrets before sending. We retain the redacted config and the resulting findings only as long as needed to deliver the audit and any follow-on engagement, then delete them.

Other pages

The marketing pages (homepage, /security-mistakes, /checklist, /demo-vs-production, /tail-pack, /boil) use Vercel Web Analytics for anonymized traffic counts. No PII, no cross-site tracking, no advertising cookies. Vercel's privacy posture is documented at vercel.com/legal/privacy-policy.

Logs we keep

Vercel access logs (IP, User-Agent, path, timestamp) are kept for 30 days for diagnostics. We do not aggregate, sell, or share these with third parties.

Contact

Questions, takedown requests, or curiosity: penny@pennywiseops.com.