Privacy Policy

Last updated: 2026-05-03

What we collect

Account info: your email address and Google account ID, received from Google when you sign in.
Skills you publish: the Markdown body, title, description, and visibility setting (public, unlisted, shared, or private).
Library activity: which public skills you save to your library.
API keys: a one-way argon2id hash of any API keys you create. We never store the plaintext key after issuing it.
Server logs: standard request logs (IP, user agent, status code, path) kept for 30 days for abuse detection and debugging.

What we don't collect

No analytics, no third-party trackers, no advertising cookies.
No cross-site tracking beacons or fingerprinting.
We do not collect or process the contents of any AI tool that consumes your skills.

How we use it

Only to provide the service: render your skills to viewers you authorize, sync your library to MCP-aware AI tools, and enforce access rules (private, shared with email, unlisted, public). We do not sell, rent, or share your data with anyone.

Third parties we rely on

Relay is a thin layer on top of these subprocessors. Each handles a narrow function and is bound by their own privacy and security obligations:

Supabase — database, authentication, and storage (EU/US regions).
Vercel — application hosting and edge delivery.
Google — OAuth identity provider when you sign in with Google.
Resend — transactional email (only used to notify you about your own account; no marketing).

Cookies

A single Supabase session cookie is set after you sign in. It is HttpOnly, Secure, and SameSite=Lax. We do not set tracking, advertising, or analytics cookies.

Public skills are public

Skills with visibility set to public appear in the sitemap and can be indexed by search engines. The Markdown body, title, description, and your published handle are visible to anyone with the link. Treat the body like a public README.

Your rights

You can access, export, or delete your data at any time. To delete your account and all associated skills and library entries, email hello@fedeponte.com from the address tied to your account. We respond within 7 days.

Data retention

Account and skill data is retained until you request deletion. Server request logs are rotated after 30 days. Argon2id-hashed API keys are deleted when you revoke them.

Children

Relay is not intended for users under 16. We do not knowingly collect data from children.

Changes

If we materially change this policy we will update the date at the top and notify signed-in users via email before the change takes effect.

Contact

Questions, deletion requests, or data export: hello@fedeponte.com.