Privacy Policy
Last updated:
What we collect
- Twitch profile: when you sign in, we receive your Twitch user ID, login, display name, email (if you grant the scope), and profile picture URL. We store these to identify your account.
- API keys (LLM providers): the keys you upload for OpenAI / Anthropic / Google / xAI / OpenRouter are stored encrypted at rest with AES-256-GCM using a key derived per-user from a server-side master secret. We display only a redacted preview after upload and never return the plaintext key to your browser.
- Conversations: the messages you send and the responses you receive are stored so you can revisit them. You can delete any conversation, or all of them, from the chat sidebar.
- Settings: your theme preference and default provider/model.
- Audit log: we record event timestamps for login, logout, key changes, and chat requests (with provider/model/status code). We do not store prompt or response text in the audit log.
- Rate-limit counters: short-lived hourly counters keyed by user ID, used to prevent abuse.
What we do NOT collect
- We do not collect or store your Twitch OAuth tokens beyond the brief moment used to look up your profile.
- We do not run cross-site advertising trackers.
- We do not sell, rent, or share your data with third parties for marketing.
How your prompts are processed
When you send a chat message, the Site retrieves relevant Star Citizen catalog snippets and forwards the message, together with those snippets and a system prompt, to the LLM provider you selected, authenticated with your own API key. Your prompts and the model's responses pass through that provider and are subject to that provider's privacy policy and data retention practices. We do not control how the provider uses your data.
Where data is stored
All data is stored on Cloudflare's network using Cloudflare D1 (relational data), Cloudflare KV (encrypted API keys and sessions), and Cloudflare Vectorize (embeddings of public catalog content; no user data is stored in Vectorize). Backups and replication are handled by Cloudflare.
Cookies
We use one HttpOnly, Secure, SameSite=Lax session cookie to keep you signed in, plus a short-lived OAuth state cookie during sign-in. We do not use third-party cookies.
Your choices
- Remove a stored API key at any time from Settings.
- Delete a conversation from the sidebar (confirmation required).
- Log out at any time from the user menu.
- Delete your account and all data: contact us via OldManObservers.com and we will remove your user record, conversations, audit log entries, and encrypted keys.
Security
API keys are encrypted before they touch the database with a key derived from a master secret that is never stored alongside the ciphertext. Sessions are opaque tokens signed with HMAC-SHA-256. All traffic is HTTPS. We use a per-user hourly rate limit and reject requests with a mismatched origin on mutating endpoints.
Children
The Site is not directed at children under 13 and we do not knowingly collect personal information from them.
Changes
If we change this policy, we will update the "Last updated" date above. Material changes will be highlighted at sign-in.
Contact
Questions or deletion requests: OldManObservers.com.