TracyHill RP
Privacy Policy
Effective: April 2, 2026
TracyHill RP ("we," "us," or "the Service") is a privately operated, self-hosted application. This Privacy Policy describes how we collect, use, and protect your information when you use the Service.
1. Information We Collect
Account Information
- Username — chosen at account creation, used for authentication.
- Email address — provided at registration for account verification. Used to send verification codes and account-related notifications.
- Password — stored as a one-way bcrypt hash (cost factor 12). We never store or have access to your plaintext password.
Usage Data
- Chat conversations — messages you send and receive through the Service are stored as JSON files on the server to provide session continuity.
- API keys — if you provide your own API keys for AI providers, they are stored server-side in your user data directory with restricted file permissions (mode 600).
- Generated images — images created through the Service are stored on the server.
- Campaign and pipeline data — campaign configurations and pipeline state you create are stored as part of your user data.
Automatically Collected Information
- IP address — logged for rate limiting and security purposes (e.g., brute-force protection). Not used for tracking or analytics.
- User agent string — used solely to label trusted devices in your MFA settings for your convenience.
- Session cookies — we use sf.sid (session) and sf.trust (MFA device trust) cookies. Both are httpOnly, secure, and SameSite. No third-party cookies are used.
2. How We Use Your Information
We use the information we collect exclusively to:
- Authenticate you and maintain your session.
- Send email verification codes for two-factor authentication.
- Store and retrieve your chat sessions, campaigns, and generated content.
- Proxy your requests to AI providers (Anthropic, OpenAI, xAI, z.ai, Google) using your API keys.
- Protect the Service against unauthorized access, brute-force attacks, and abuse.
3. Third-Party Services
The Service integrates with the following third-party services:
- Twilio SendGrid — to deliver email verification codes during registration and account management. Your email address is transmitted to SendGrid for this purpose. See Twilio's Privacy Policy.
- AI Providers (Anthropic, OpenAI, xAI, z.ai, Google) — your messages are sent to these providers to generate responses, using API keys you provide. Each provider has its own privacy policy governing how it handles API data.
We do not use any analytics services, advertising networks, or tracking pixels.
4. Data Storage and Security
- All data is stored on a privately operated, self-hosted server. No data is stored in public cloud databases.
- Passwords are hashed with bcrypt. Sensitive files are stored with restricted permissions.
- The application enforces HTTPS, HSTS, Content-Security-Policy, and other security headers.
- Access is restricted by IP allowlist and firewall rules.
- Automated backups are performed at regular intervals.
5. Data Sharing
We do not sell, rent, or share your personal information with any third parties for marketing or commercial purposes. Data is only transmitted to third-party services as described in Section 3, solely to provide the functionality you request.
6. Data Retention
Your data is retained for as long as your account exists. You may request deletion of your account and associated data at any time by contacting the Service administrator. Upon account deletion, all user data files (conversations, API keys, campaigns, and generated images) are permanently removed from the server.
7. Your Rights
You may at any time:
- Access your account information through the application.
- Change your password.
- Revoke trusted devices from your MFA settings.
- Request a copy of your stored data.
- Request deletion of your account and all associated data.
8. Children's Privacy
The Service is not intended for use by individuals under the age of 13. We do not knowingly collect personal information from children under 13.
9. Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be reflected by updating the "Effective" date at the top of this page. Continued use of the Service after changes constitutes acceptance of the updated policy.
10. Contact
For questions about this Privacy Policy or to exercise your data rights, contact the Service administrator at the email address provided during account setup, or through the application directly.
© 2026 TracyHill.