Legal
Privacy Policy
Last updated June 26, 2026
Nitlist is a visual feedback tool: you drop a one-line script on a site you deploy, your clients click an element and leave a note, and it lands on your dashboard. This policy explains what the hosted service collects and why.
01 Hosted vs. self-hosted
Nitlist is open source. This policy covers only the hosted service we run at nitlist.dev. If you self-host the open-source version on your own infrastructure, you operate that deployment and are the data controller — your data never reaches us, and this policy does not apply to it.
02 What we collect
Account information (the developer). Your email address and a password, which is stored only as a salted hash — never in plain text. If you sign in with Google or GitHub instead, we receive the basic profile those providers return (email, name).
Project information. The project names you create, the domains you allow a project to run on, and the API keys we generate for it. Secret keys are stored only as a hash.
Feedback pins (from your reviewers). When a reviewer leaves a note, we store the page URL, the element they selected (a CSS selector and its visible label), the pin's position, the viewport width, the message they typed, and the display name they enter. Reviewers do not create accounts.
Usage counts. Per-project counters — number of pins, a count of unique reviewers, and a last-active timestamp. These are deliberately aggregate; we do not build profiles of your reviewers.
Technical data. Standard server logs (IP address, timestamps, browser user-agent) needed to run and secure the service.
03 What we don't do
- No advertising or third-party tracking cookies.
- No selling or renting of your data.
- No fingerprinting or profiling of your clients' reviewers.
04 Cookies
We use essential cookies only: an authentication cookie that keeps you signed in, and a client-access cookie that lets an invited reviewer through a project's gate. There are no analytics or advertising cookies.
05 How we use information
- Operate the service and show feedback on your dashboard.
- Authenticate you and send transactional email (verification codes, password resets, sign-in codes).
- Enforce per-project limits and protect against abuse.
- Bill you, if you subscribe to the hosted plan.
06 Service providers we share with
We use a small set of subprocessors to run the hosted service:
- Convex — our database and backend host. Your account, project, and pin data is stored there.
- Resend — sends our transactional emails; it receives the recipient address and the message contents (e.g. a verification code).
- Google / GitHub — only if you choose to sign in with them.
- Payment processor — if you subscribe to the hosted plan, a third-party payment provider handles the transaction. We never store full card numbers. [Confirm provider before launch.]
07 Data retention
We keep your account and project data while your account is active. Archived projects are condensed to counts-only summaries and their individual pins are dropped. You can delete a project or your account; deletion removes the associated data, subject to short-lived backups and any retention the law requires.
08 Security
Passwords and secret keys are stored hashed, client access tokens are stored as SHA-256 hashes, and data is encrypted in transit. No system is perfectly secure, but we work to protect your data and limit what we collect in the first place.
09 Your rights
Depending on where you live, you may have the right to access, correct, export, or delete your personal data, or to object to certain processing. Contact us to exercise these rights and we'll respond within the timeframe the law requires.
10 Children
Nitlist is a tool for developers and is not directed to children. We do not knowingly collect personal data from anyone under 16.
11 International processing
Your data may be processed in the regions where our service providers operate. By using the hosted service you understand your data may be transferred to and processed in those regions.
12 Changes to this policy
We may update this policy from time to time. When we do, we'll change the “last updated” date above and, for material changes, give notice through the service.
13 Contact
Questions about privacy? Email privacy@nitlist.dev. [Replace with your real contact and legal entity before launch.]