Privacy Policy

1. Introduction

pkglnk ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service at pkglnk.dev.

2. Information We Collect

2.1 Account Information

When you sign in with GitHub, GitLab, or Bitbucket, we collect:

• Your username and display name from the provider
• Your email address
• Your avatar URL

You can connect multiple Git platforms to your account to manage packages from different sources.

2.2 GitHub Profile Data

With your consent during GitHub OAuth, we collect publicly available information from your GitHub profile for platform analytics:

• Account creation date (to understand our user base demographics)
• Public repository count
• Follower and following counts
• Company affiliation (if publicly listed on your GitHub profile)
• Location (if publicly listed on your GitHub profile)
• Bio (if publicly listed on your GitHub profile)
• Organization memberships (names only)

Note: All of this information is publicly visible on your GitHub profile. We do not collect any private GitHub data.

2.3 Unity Project Data

To provide relevant analytics about the Unity development community, we scan your repositories (with your OAuth consent) to count:

• Number of repositories containing Unity projects
• Number of Unity Package Manager (UPM) packages you maintain

Note: We only count repositories and packages; we do not access, store, or analyze the content of your code.

2.4 Package Analytics

When your packages are installed via our proxy, we collect:

• Anonymous installation counts
• Hashed IP addresses (with daily rotating salt for privacy)
• Unity version information (when available)
• Timestamp of installation

Important: We hash IP addresses by default. This means we cannot identify individual users from analytics data. Raw IP addresses are never stored.

2.5 Web Analytics

We use Vercel Web Analytics, a privacy-focused analytics service, to understand how visitors use our site. Vercel Web Analytics collects:

• Pages visited
• Referring website
• Browser type and device type

Privacy note: Vercel Web Analytics does not use cookies and does not store IP addresses (Vercel masks them before processing). No cross-site tracking occurs. You can opt out of web analytics at any time from your account settings. See Vercel's analytics privacy policy for details.

3. How We Use Your Information

We use the information we collect to:

• Provide and maintain our service
• Display analytics about your packages
• Generate aggregated platform statistics (e.g., user demographics, Unity ecosystem metrics)
• Understand our user base to improve the service for Unity developers
• Send you important service updates (if you opt in)
• Improve and optimize our service
• Detect and prevent fraud or abuse

Aggregated Analytics: We use GitHub profile data and Unity project metrics to generate aggregated, anonymized statistics about our user base. These statistics help us understand who uses pkglnk and how to better serve the Unity development community. Individual user data is never shared publicly or with third parties.

4. Data Sharing & Subprocessors

We do not sell your personal information. We share data with the following service providers (subprocessors) who process data on our behalf:

We may also disclose information if required by law or to protect our rights.

4.1 International Data Transfers

Your data may be transferred to and processed in the United States, where Supabase and Vercel operate. These transfers are governed by Standard Contractual Clauses (SCCs) as maintained by each processor under their Data Processing Agreements (DPAs) linked above, in compliance with GDPR Article 46.

5. OAuth Permissions

We support sign-in via GitHub, GitLab, and Bitbucket. Here are the permissions we request for each:

5.1 GitHub

• read:user - Read your public profile information
• user:email - Read your email address for account identification
• read:org - Read your organization memberships (names only)
• public_repo - Access your public repositories to detect Unity packages

Revoke access: GitHub application settings

5.2 GitLab

• read_user - Read your public profile information
• read_api - Read-only access to the API (for listing your projects)

Revoke access: GitLab application settings

5.3 Bitbucket

• account - Read your account information
• repository - Read your repositories

Revoke access: Bitbucket application settings

Revoking access for any provider will prevent us from syncing new data from that platform, but previously collected data will remain until you delete your account.

6. Lawful Basis for Processing (GDPR)

Under GDPR, we process your personal data on the following legal bases:

• Consent: When you sign in with GitHub OAuth, you explicitly consent to our collection and use of your profile data as described in this policy.
• Legitimate Interests: We have a legitimate interest in understanding our user base to improve our service for the Unity development community. We balance this against your privacy rights by only collecting publicly available data and using it for aggregated analytics.
• Contract: Processing is necessary to provide you with our service (package analytics, repository tracking).

7. Data Retention

We retain your data only as long as necessary for the purposes described in this policy. You can request deletion of your account and all associated data at any time.

Specific retention periods:

• Account data: Until account deletion
• GitHub profile data: Synced on each login; deleted with account
• Organization memberships: Synced on each login; deleted with account
• Package install analytics: Retained based on your account tier (30 days for free accounts, 365 days for pro). IP addresses are hashed with SHA-256 before storage — raw IP addresses are never persisted in our database.
• Vercel Web Analytics: Retained for 30 days by Vercel per their data retention policy
• OAuth tokens: Encrypted at rest (AES-256-GCM); deleted when your account is deleted or when you disconnect a platform

8. Your Rights (GDPR)

If you are in the European Economic Area (EEA), you have the right to:

• Access: Request a copy of your personal data. You can download your data at any time from your account page using the "Export My Data" button.
• Rectification: Request correction of inaccurate data. Your profile data is synced from your Git platform (GitHub, GitLab, or Bitbucket). To correct it, update your profile on the source platform and it will sync automatically on your next login.
• Erasure: Request deletion of your personal data. You can delete your account and all associated data from your account page.
• Portability: Request transfer of your data in a machine-readable format (JSON)
• Object: Object to processing of your personal data. You can opt out of web analytics from your account settings.
• Withdraw consent: Withdraw consent at any time by disconnecting platforms or deleting your account. See Section 5 for OAuth revocation links.

To exercise these rights, visit your account page or contact us at privacy@pkglnk.dev. We will respond to your request within one month, as required by GDPR Article 12. You also have the right to lodge a complaint with your local data protection authority.

9. Data Security

We implement appropriate technical and organizational measures to protect your data, including:

• All connections encrypted via TLS (HTTPS)
• OAuth tokens encrypted at rest using AES-256-GCM
• IP addresses hashed with SHA-256 before database storage
• Database access restricted via row-level security policies
• Secure authentication via OAuth 2.0 (no passwords stored)
• Regular security reviews of our codebase and infrastructure

10. Cookies

We use essential cookies for authentication and session management. We do not use tracking cookies or third-party advertising cookies.

10.1 Essential Cookies We Use

10.2 Why We Use These Cookies

These cookies are strictly necessary for the website to function. Without them, you would not be able to log in or link multiple Git platform accounts. Because these are essential functional cookies (not tracking or advertising), we do not require consent to use them under GDPR and similar privacy regulations.

10.3 Third-Party Analytics

We use Vercel Web Analytics, which is a privacy-focused service that does not use cookies. It uses sessionStorage for page-view attribution within a single browser tab, which is automatically cleared when the tab is closed. No cross-site tracking occurs. You can opt out of web analytics from your account settings.

We do not use any advertising, marketing, or cross-site tracking cookies. Our authentication provider (Supabase) sets cookies only for maintaining your login session, as listed above.

10.4 Managing Cookies

You can delete cookies through your browser settings at any time. However, deleting authentication cookies will log you out and you will need to sign in again.

11. Children's Privacy

Our service is not intended for children under 13. We do not knowingly collect information from children under 13.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new policy on this page and updating the "Last updated" date.

13. Contact Us

If you have questions about this Privacy Policy, please contact us at privacy@pkglnk.dev.

For data protection enquiries or to exercise your GDPR rights (access, erasure, portability, rectification, or objection), email privacy@pkglnk.dev. We will respond within one month, as required by GDPR Article 12.