Privacy
What we collect, and why.
Last updated 2026-07-07. Plain English. No dark patterns.
What you give us when you sign up
- Email address — required for sign-in. Stored in Supabase Auth. Used to send you transactional emails (sign-in, password reset, deploy notifications if you opt in).
- Password — only stored as a one-way bcrypt hash. We can't read it. We can't email it to you.
- Optional name — shown in the dashboard if you provide one. Not used anywhere else.
What we collect when you use Krexel
- The files you deploy — uploaded to Cloudflare R2, keyed by your account ID. We don't index or read your source code; we only store it long enough to push it to Cloudflare Pages.
- Deploy metadata — timestamp, target domain, build status, log lines (last 200 per deploy). Stored in Cloudflare KV, scoped to your account.
- API keys — the tokens Krexel mints so your AI can deploy on your behalf. The plaintext is shown to you once, then we only store a bcrypt hash + a prefix for identification.
- Cloudflare account tokens — if you link your own Cloudflare account so we can deploy under your projects, we encrypt the token with AES-GCM-256 before storing it in KV. Plaintext is held only for the duration of the link request.
- Custom domain DNS records — you tell us which domain to attach and we look up its DNS. We never modify your DNS on your registrar — you do that yourself, following our CNAME instructions.
What we do NOT collect
- No third-party analytics on krexel.com (Vercel Analytics only — first-party, no cross-site tracking).
- No cookies except the session cookie and a deployment token cookie.
- No tracking pixels, no Facebook/Meta/Google ad pixels.
- No fingerprinting, no device enumeration beyond what your browser sends in a normal request.
Who can see your data
- You — full read via the dashboard.
- Supabase — our auth provider. They store auth records and (if you opt in) user metadata. Subject to Supabase's own privacy policy.
- Cloudflare — stores your deployed files (R2) and deploy logs (KV). Subject to Cloudflare's privacy policy.
- Resend — our transactional email provider. Sends sign-in links, password resets, and (if you opt in) deploy notifications. We send your email address to Resend; they do not use it for marketing.
- Nobody else. We don't sell data. We don't share with advertising networks. We don't provide data to third-party analytics.
Security measures
- All traffic is HTTPS (HSTS enabled).
- Passwords hashed with bcrypt.
- Cloudflare tokens encrypted at rest with AES-GCM-256.
- API keys hashed with bcrypt; plaintext shown once.
- Per-IP rate limiting on sign-up and sign-in (10 requests / 60 s).
- All input fields regex-restricted at the API edge — characters outside the safe set are rejected before they reach a handler.
- PII (email) is hashed before being written to logs.
Data retention
- Active deploys — kept while your account is active.
- Deployed files — kept while your account is active plus 30 days after cancellation, then deleted from R2.
- Deploy logs — last 200 lines per deploy, kept for 90 days, then pruned.
- Account record — kept until you delete it.
Your rights
You can download everything we have on you (deploy metadata, API key list, account info) from Settings → Export.
You can delete your account from Settings → Danger zone. Deletion is immediate and irreversible. Deploys, files, and logs are wiped within 24 hours; Supabase auth record deleted at the same time.
For anything else — GDPR data request, deletion confirmation, correction — email privacy@krexel.com. We respond within 7 days.
Changes to this policy
If we change anything material, we'll email every active account 30 days before the change takes effect. Previous versions of this page are archived and can be requested by emailing privacy@krexel.com.
Questions? privacy@krexel.com.