Short version. We collect the minimum needed to run the registry: your account details, the things you publish, basic usage telemetry, and (for paid plans) billing metadata. We never sell your data. You can export or delete everything at any time by emailing privacy@oxp.sh.
1. Controller & contact
The data controller for personal data processed through oxp.sh is the operator of OXP (“we”, “us”). For privacy questions, GDPR requests, or to contact our Data Protection point of contact, write to privacy@oxp.sh.
2. What we collect & why
We process the following categories of personal data on the legal bases shown:
- Account data: Handle, email address, hashed password, optional display name and avatar. Used to authenticate you and contact you about the Service. Legal basis: contract performance (Art. 6(1)(b)).
- Identity verification: GitHub login, GitHub user ID, DNS challenge proofs, and the trust level we computed from them. Used to confirm publisher identity and prevent name squatting. Legal basis: contract performance and our legitimate interest in registry integrity (Art. 6(1)(b) and (f)).
- Published content: Extension and MCP server metadata, descriptions, README, icons, and binary artifacts you upload. Public extensions are visible to everyone; private extensions are visible only to you and members you grant access. Legal basis: contract performance (Art. 6(1)(b)).
- Usage telemetry: Aggregated install counts, page views, and search terms. IP address and user-agent are processed transiently for security (rate limiting, abuse detection) and are not retained beyond 30 days tied to your account. Legal basis: legitimate interest in operating and securing the Service (Art. 6(1)(f)).
- Billing data: Plan selection, subscription status, Paddle customer/subscription identifiers, last-four card digits as displayed by Paddle, billing country, VAT number (if supplied), and invoice history. We do not see or store full payment-card details — those are handled by Paddle.com Market Limited (merchant of record). Legal basis: contract performance and legal obligation (Art. 6(1)(b) and (c) — invoice retention).
- Support correspondence: Emails and tickets you send us, plus our replies. Legal basis: legitimate interest in providing support (Art. 6(1)(f)).
- Cookies & similar technologies: Strictly-necessary cookies for sign-in sessions and CSRF protection. We do not use advertising cookies or cross-site trackers and we do not need a consent banner for this set. Legal basis: necessary for the service requested (ePrivacy Directive Art. 5(3) exception).
3. Where the data lives — sub-processors
We rely on a small set of vetted sub-processors. Each is bound by a Data Processing Agreement and standard contractual clauses where applicable:
- Neon, Inc. — managed PostgreSQL hosting in the EU region (Frankfurt). Stores account, billing, and registry metadata.
- Cloudflare, Inc. — R2 object storage and global CDN for extension binaries, icons, and static assets. Cloudflare also provides DDoS protection on the edge.
- Paddle.com Market Limited — payment processor and merchant of record for all paid subscriptions. Paddle collects payment, billing address, and VAT data directly from you and shares with us only the limited subset needed to provision your plan. See paddle.com/legal/privacy.
- Email delivery provider — for transactional messages (verification, security alerts, receipts).
We do not sell, rent, or otherwise share personal data with third-party advertisers. International transfers (e.g. to Cloudflare infrastructure outside the EEA) are covered by the European Commission’s Standard Contractual Clauses.
4. How long we keep it
- Active account data — for as long as your account exists, plus a 30-day grace window after deletion.
- Public extension publications — retained indefinitely so that consumers who installed your extension can continue to receive it. You can request unlisting (the extension is hidden from search and installs) or full deletion (the artifacts are removed). Deletion may be subject to a short archival period for security forensics.
- Billing & invoice records — retained for 10 years after the last transaction to comply with EU tax law.
- Server access logs & security events — maximum 30 days.
- Support correspondence — up to 24 months after the last interaction.
5. Your rights under the GDPR
You have the right to (a) access the personal data we hold on you, (b) request rectification of inaccurate data, (c) request erasure (“right to be forgotten”), (d) request restriction of processing, (e) object to processing based on legitimate interest, (f) receive a copy of your data in a portable, machine-readable format, and (g) withdraw consent where processing is based on consent (without affecting the lawfulness of prior processing).
To exercise any of these rights, email privacy@oxp.sh from the address registered on your account. We will respond within 30 days. If you believe we have mishandled your data you have the right to lodge a complaint with your national supervisory authority. The list of EU authorities is available at edpb.europa.eu/about-edpb/about-edpb/members_en.
6. Automated decision-making
We do not subject you to decisions based solely on automated processing that produce legal or similarly significant effects on you. Automated checks (e.g. malware scanning of uploaded artifacts, rate-limit blocks) are reviewable by a human on request.
7. Security
We follow industry-standard security practices: TLS in transit, encryption at rest for the database and object storage, hashed passwords (Argon2 or bcrypt), least-privilege IAM, isolated WASM sandboxes for extension execution, signed releases via Sigstore, vulnerability monitoring, and regular backups with tested restores. Report suspected vulnerabilities to security@oxp.sh. In the event of a personal-data breach affecting you we will notify the competent supervisory authority within 72 hours and inform you without undue delay where required.
8. Children
The Service is not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us data, contact us and we will delete it.
9. Changes to this policy
We will announce material changes at least 30 days before they take effect, by email to your registered address and via an in-product banner. The current version and effective date are shown at the top of this page; previous versions are available on request.
10. Contact
Privacy questions and GDPR requests: privacy@oxp.sh. Security: security@oxp.sh.