Privacy policy
Last updated July 11, 2026.
What we collect
What we collect depends on how you use the site:
- If you just browse — routine edge and origin access logs (IP address, user agent, URL, timestamp, and similar request metadata), kept for security, abuse prevention, and reliability. We do not use browse-only logs to build advertising profiles.
- If you create an account — your email address. If you sign in with Google or GitHub, we receive the name, email, and avatar those providers share. If you use email and password, Supabase stores a password hash. We never see your password in plain text.
- If you're granted alpha access — an access-status flag on your account (
app_metadata.status), optional admin role (app_metadata.role), and build or configuration data you create in the workbench so you can return to it. - If you send a run request or email us — your email address and whatever you include (workload, power budget, form factor, environment, or other message content).
- Bot and abuse checks — when Cloudflare Turnstile or bot products are enabled, Cloudflare may process short-lived challenge signals needed to tell humans from automated clients.
- Cookie preference — a local record of your cookie choice (see Cookies). It stays in your browser. We do not receive it on our servers.
- Analytics — not active today. No PostHog, Google Analytics, or similar product script is loaded. The homepage banner can record an analytics opt-in locally. Nothing is collected from that opt-in until we name the tool here and gate it behind consent.
How we use it
We use this information to operate accounts and alpha access, respond to run requests and email, keep the site secure and available, enforce invite and admin gates, and improve the product. If we add paid hardware or software checkout, we will use order information to fulfill and support that order, and we will update this policy before that goes live.
Processors and service providers
We do not sell your personal information. We use processors that only see what they need to provide their service:
- Cloudflare, Inc. — CDN, DNS, DDoS and bot protection, Pages hosting, and optional Turnstile. May set strictly necessary security cookies such as
__cf_bmorcf_clearance. See Cloudflare's cookie documentation. - Supabase — authentication (GoTrue), account records, and related session storage for signed-in users.
- Amazon Web Services (AWS) — backend API, jobs, and data stores used by the platform when those services are enabled for your environment.
- Google / GitHub — OAuth sign-in when you choose those providers. We only receive the profile fields noted above.
- Email delivery — transactional mail (for example confirmation or invite messages) when SMTP is configured. The provider will be named here when production mail is live.
- A future payment processor — not in use yet. Before checkout goes live, we will name the processor and describe what it sees.
We may also disclose information if required by law, or to protect the security of the site and our users.
Cookies and local storage
For a US- and Canada-focused alpha with no non-essential analytics loaded, a full GDPR-style consent wall is not required for Cloudflare security cookies or Supabase session storage. Those are treated as strictly necessary for the service you request (security and sign-in). The homepage still offers a lightweight preference banner so we can gate future analytics without redesigning the footer. You can reopen it via "Cookie preferences".
Categories today:
- Strictly necessary — always on. Auth session, edge access cookie, Cloudflare security cookies, and related local storage.
- Analytics — off by default. Nothing loads from an opt-in until this policy names the tool.
First-party storage the site sets:
| Name | Type | Purpose | Duration |
|---|---|---|---|
| outfra_at | Cookie | Signed-in access token for edge gates on workbench and admin paths. | Matches session; cleared on sign-out. |
| outfra.sb_session | localStorage | Supabase access and refresh tokens when live auth is configured. | Until sign-out or revoke. |
| outfra.session | localStorage | Local stub session when Supabase keys are not configured. | Until sign-out. |
| outfra.alpha_approved | localStorage | Client cache of alpha approval for UI gating. | Until access status changes. |
| outfra.returning | localStorage | Remembers a prior sign-in on this browser for login copy. | Until site data is cleared. |
| outfra.consent | localStorage | Stores your cookie preference choice. | Until you change it or clear site data. |
| outfra.auth_error | sessionStorage | One-shot sign-in error across a redirect. | Cleared after display or tab close. |
| outfra.login_draft_email | sessionStorage | Email draft on the login form. Passwords are never stored. | Cleared after email sign-in or tab close. |
| outfra.revealed | sessionStorage | Tracks which page sections already animated this session. | Cleared when the tab closes. |
Cloudflare may also set processor cookies such as __cf_bm (bot management, typically about 30 minutes) and cf_clearance (after a challenge). Those are security cookies set by Cloudflare, not advertising cookies. Details: Cloudflare cookies.
Your preference is stored only in localStorage under outfra.consent. Change it any time via "Cookie preferences" in the footer.
Retention
Account data is kept while the account is active and for a reasonable period after closure for security, dispute, and legal compliance. Contact and run-request email is kept as long as needed to respond and for ordinary business records. Edge and security logs are retained according to Cloudflare and AWS defaults for the environment, typically on the order of days to weeks unless a longer window is required for an incident. Workbench project data is kept until you delete it or we close the alpha program and notify you. When data is no longer needed, we delete or anonymize it.
Your rights and regional notices
outfra.ai is intended for users in the United States and Canada. We are not currently structured to serve the EU or UK under GDPR or ePrivacy. If you are outside the US or Canada, do not create an account until we expand this policy.
Self-serve export and deletion
If you have an account, the fastest way to review or remove your data is to do it yourself. Sign in and open the Data & privacy section of account settings, where you can:
- Download your data — a full export of what we hold on you: your identity record, account metadata, and the build and configuration data you created in the workbench.
- Delete your account — removes your account and the data tied to it, subject to the retention notes above (for example security logs on their normal schedule).
If you can't sign in — say you've lost access to your email or OAuth provider — email [email protected] from an address you can verify and we will handle the request manually.
California residents (CCPA/CPRA)
Depending on revenue and data volume, California's privacy law may or may not formally apply yet. We still offer these rights. California residents may ask us to disclose, delete, or correct personal information we hold. The self-serve tools above cover disclosure (the export) and deletion directly. For corrections, or if you can't sign in, email [email protected]. We do not sell or share personal information for cross-context behavioral advertising today, so a "Do Not Sell or Share" link is not required for that purpose. If that changes, we will add the link and honor Global Privacy Control where required.
Canada (PIPEDA)
For users in Canada, we collect and use personal information for the purposes in this policy, with consent shown by creating an account or contacting us. You may see what we hold or delete it yourself with the self-serve tools above, or email us below if you can't sign in.
Children's privacy
outfra.ai is not directed at children under 13. We do not knowingly collect personal information from them. If you believe a child has created an account or sent us information, email us and we will delete it.
Security
We use HTTPS, processor access controls, and least-privilege service roles where configured. No method of storage or transmission is completely secure. We cannot guarantee absolute security.
Changes to this policy
If collection changes materially (analytics going live, checkout, new processors), we will update this page in plain language and refresh the date at the top before that change ships.
Questions
Email [email protected].