Privacy Policy

Last updated: February 2026

Data We Collect

  • Email address (for authentication)
  • IP address (for session management and rate limiting)
  • OAuth provider ID (Google)
  • Minimal activity logs: request path, HTTP status code, and response time only

Purpose and Lawful Basis

  • Contract performance — processing your email and OAuth ID is necessary to provide authentication and account access.
  • Legitimate interest — IP logging and activity logs are used for security monitoring and service improvement.

Retention Periods

  • Sessions: 90 days
  • Activity logs: 90 days
  • Magic link tokens: 24 hours
  • Rate limit records: 1 hour

Third-Party Processors

  • Google OAuth — used for sign-in authentication
  • Resend — email delivery service for magic links

Cookies

  • session_token — httpOnly, used for authentication, 30-day expiry
  • google_oauth_state — httpOnly, temporary CSRF protection during OAuth flow, 10-minute expiry

Data Minimization

We do not collect names, profile pictures, or browser user agents. Activity logs only store the request path, HTTP status code, and response time — no request bodies, query parameters, or personal identifiers.

Your Rights

You can export your data or delete your account from the Settings page. For any other data-related requests, contact us at the email below.

Contact

For privacy inquiries: privacy@recoilanalytics.com

Recoil Analytics is a bootstrapped independent project, not a registered company.