Privacy Policy

Version 3.1 (draft) · Last updated 18 May 2026 · Effective Date: pending — see draft banner above

At a glance

We collect the minimum information required to operate the service. Nothing more.
The only personal information required to use GasPackᵐ is an email address.
We do not sell your data. We do not rent it. We do not share it with advertisers or data brokers.
We do not use your data, your private packages, or your source code to train AI or machine-learning models.
We do not use marketing cookies, analytics cookies, or any third-party tracking. Our site uses one cookie — to keep you signed in.
You can ask us — from anywhere in the world — to show you what we hold about you, correct it, export it, or delete it. We honour those requests.
Questions: privacy@gaspackm.org.

1. Who we are

GasPackᵐ is operated by VelocityDog, a United States company. The exact legal entity form will be identified here once entity formation is complete and counsel has reviewed this document. In this policy, "GasPackᵐ", "we", "us", and "our" refer to VelocityDog as the operator of the service.

GasPackᵐ is hosted in, and operated from, the United States. We comply with United States federal and state privacy laws. If you access the service from outside the United States, your information will be transferred to and processed in the United States. See Section 10 — International users for what this means and how we handle cross-border transfers.

You can reach our privacy contact at any time at privacy@gaspackm.org.

2. What we collect, why, and how long we keep it

This is the complete list. If a category of personal information is not in this table, we do not collect it. If we ever begin collecting a new category, we will update this section before we begin processing.

What	Source	Why	How long
Email address	You, at sign-up (or via Google sign-in)	Authenticate you; send transactional notices (security alerts, account confirmations, billing receipts)	Lifetime of your account + 90 days after deletion
Google account identifier (Google "sub")	Google, only if you choose Google sign-in	Link your Google sign-in to your account	Lifetime of your account
Display name / username	You	Show you on packages you publish	Lifetime of your account. Persists on packages you have already published.
Hashed password (only if local auth is enabled)	You	Authenticate you	Lifetime of your account
Account creation timestamp; last sign-in timestamp	Automatic	Account recovery; security; abuse detection	Lifetime of your account
Two-factor authentication credentials (when you enable 2FA)	You	Verify your second factor when you sign in or publish	Until you disable 2FA or close your account
IP address (server logs)	Automatic, on every request	Detect abuse, brute-force attempts, DDoS; debug outages	Maximum 30 days, then deleted
User-Agent, request URL, status code, response time (server logs)	Automatic	Debugging, capacity planning, abuse detection	Maximum 30 days, then deleted
Billing information (only if you subscribe to a paid plan)	Stripe (we do not see or store your card number)	Process payments; surface invoices; honour refunds	Retained by Stripe per their policy; we keep a transaction reference and the invoice metadata for as long as tax and accounting law require
Support correspondence	You, when you write to us	Respond to you; keep an audit trail of the request	24 months from ticket close, then deleted

2.1 Information that becomes public when you publish

When you publish a package to the public GasPackᵐ registry, the following information becomes part of the public record of that package and is visible to anyone, including search engines:

The package name, version history, README, license, and source code.
The display name / username under which you publish.
The publication timestamp.
Anything you voluntarily include in the package manifest (homepage URL, repository URL, a maintainer email if you choose to include one).

Treat anything you publish as permanently public. Even after you remove a package, mirrors, caches, and downstream consumers will continue to hold copies. We will remove the canonical copy from our registry on request — see Section 5.

You can publish under a pseudonymous handle. We do not require, and we do not display, your legal name on published packages.

2.2 Disposition of pre-launch waitlist data

Before 16 May 2026 we operated an email-only early-access waitlist. On that date the waitlist mechanism was removed and the database table holding waitlist email addresses was dropped. All pre-launch waitlist data was deleted as part of that change. We do not retain it in any form.

3. What we deliberately do not collect

To make our minimisation commitment falsifiable rather than rhetorical, here is what we do not collect, anywhere, in any product:

We do not collect your real name (unless you put it in your display name).
We do not collect your date of birth or age, beyond a single yes/no eligibility check at sign-up.
We do not collect your physical address, phone number, or any government identifier.
We do not collect your gender, race, ethnicity, religion, sexual orientation, political opinions, union membership, biometric data, genetic data, or health data.
We do not collect precise geolocation. We never call a geolocation API. We never read GPS data. We never derive a city or street from your IP.
We do not collect browser fingerprints. We do not run a fingerprinting library. We do not combine signals (canvas, fonts, screen size, plugins) to identify your browser across sessions.
We do not collect data about which other websites you visit, before, during, or after using GasPackᵐ.
We do not collect data from inside your Google Apps Script projects beyond what is strictly necessary to perform the action you asked the CLI or extension to perform. Your script source code, your spreadsheet contents, your form responses, your Drive files, and your Workspace data never leave your device on their way through GasPackᵐ.
We do not collect data about people you communicate with through Apps Script (recipients of emails sent by your scripts, signers of forms, viewers of documents).

If you ever observe us collecting something this section says we do not collect, please report it to privacy@gaspackm.org and we will treat it as a security incident.

4. Cookies

GasPackᵐ uses one cookie, and it is strictly necessary to keep you signed in:

Cookie	What it does	Duration	Category
`gpm_auth_token`	Holds your authenticated session so you stay signed in across pages	Session, or up to 30 days if you sign in with "remember me"	Strictly necessary

We do not use marketing cookies, analytics cookies, A/B-testing cookies, session-replay tools, heatmap tools, scroll-tracking, advertising tags, or any third-party tracking scripts. We do not embed social-media share widgets or third-party iframes that carry their own cookies.

Because the single cookie we set is strictly necessary to deliver the service you asked for, no consent banner is required and we do not show one.

5. Service providers (subprocessors)

We use a small number of service providers to operate GasPackᵐ. Each is bound by a written data-processing agreement that prohibits using your data for their own purposes.

Provider	What it does	What it sees	Region
Google Cloud Platform	Compute, storage, managed databases, hosting	Everything we store, encrypted at rest with provider-managed keys	United States (primary region)
Stripe	Payment processing for paid plans (when you subscribe)	Your billing details, processed under Stripe's own privacy policy	United States
Google Identity (Google Sign-In)	Optional sign-in method, if you choose to use it	Whatever you authorise Google to share when you sign in — typically your email address and Google account identifier	United States
Google Workspace (Gmail SMTP)	Sends our transactional email — security alerts, account confirmations, billing receipts, one-time codes	Recipient email address and the contents of the transactional message	United States

If we engage a new service provider, we will update this list before any of your data reaches them. We do not use any provider for AI or machine-learning training, and we contractually prohibit our providers from using your data for their own purposes.

6. How we use what we collect

We use the information described in Section 2 only for the following purposes:

To deliver the service you asked for. Sign you in. Send you transactional email. Host and serve the packages you publish. Execute the CLI commands you run.
To keep the service secure. Detect abuse, fraud, brute-force attempts, malware uploads, credential stuffing.
To debug and operate the infrastructure. Investigate crashes, failures, and outages.
To comply with the law. Respond to valid legal process, meet tax and accounting obligations, honour data-subject requests.
To communicate with you about the service. Service announcements, security notices, planned maintenance, material changes to this policy.

We do not use your personal information:

to show you advertising of any kind;
to share or sell to advertisers, ad networks, data brokers, or marketing companies;
to build a behavioural profile of you;
to train artificial-intelligence or machine-learning models;
to make automated decisions about you that produce legal or similarly significant effects;
to evaluate your creditworthiness, employability, insurability, or any other commercial attribute.

We do not sell your personal information. "Sale" here is given the broad meaning in California's CCPA/CPRA — we do not exchange it for money or other consideration. We do not "share" it for cross-context behavioural advertising under the CPRA. We do not engage in "targeted advertising" under any US state privacy law.

We share personal information with three categories of recipients, and only these three:

Service providers acting on our behalf, listed in Section 5.
Authorities and courts, when we are legally compelled by a binding legal demand from a US jurisdiction with authority over us, after we have evaluated the request, narrowed it to the minimum required, and (where lawful) given you advance notice.
A successor entity, if we are merged, acquired, or go through bankruptcy. In that case the successor inherits our obligations under this policy and we will give you notice and a chance to delete your account before any transfer takes effect.

8. Retention and deletion

We retain personal information for the periods stated in Section 2. When the period expires, we delete the data.

You can delete your account at any time from your account settings, or by writing to privacy@gaspackm.org. We will action deletion requests within 30 days. Some narrow exceptions apply:

Published packages — we will unpublish on request, but we cannot reach mirrors and downstream caches. Treat anything you publish as permanently public.
Legal obligations — where we are required by law to retain a record (for example, a tax record), we will retain it for the statutory period and delete it afterwards.
Active legal claims — if we need to retain data briefly to defend against an active legal claim, we will quarantine it from active use until the claim is resolved.

Encrypted backup snapshots are rotated on a 35-day cycle. Any data you have asked us to delete will be overwritten in backups within that cycle. If we ever need to restore a system from a backup, any previously processed deletion requests will be re-applied to the restored data to ensure your information remains deleted.

9. Your rights

We grant the same baseline rights to every user, regardless of where you live. Building one consistent system is simpler and safer than building twenty.

Regardless of jurisdiction, you may:

Ask for confirmation of whether we hold personal information about you, and a copy of that information in a structured, commonly used, machine-readable format.
Ask us to correct information that is inaccurate or incomplete.
Ask us to delete your personal information.
Ask us to restrict our processing of your personal information while we resolve a question about it.
Withdraw any consent you have given at any time, without affecting the lawfulness of processing carried out before you withdrew it.
Designate an authorised agent to exercise these rights on your behalf.

We will respond to your request within 30 days. We will not charge you for exercising these rights. To exercise any right, write to privacy@gaspackm.org from the email address associated with your account.

9.1 California (CCPA / CPRA)

If you are a California resident, you have all the rights above, plus:

The right to know the specific categories of personal information we have collected about you in the previous 12 months, the categories of sources, the business purpose for collection, and the categories of third parties to whom we disclose it (the categories disclosed in Section 2).
The right to opt out of the sale or sharing of your personal information. We do not sell or share your personal information, so this right is honoured by default and there is nothing to opt out of.
The right to limit our use of sensitive personal information. We do not collect sensitive personal information as defined by Civil Code §1798.140(ae), so this right is honoured by default.
The right to correct inaccurate personal information.
The right to non-discrimination for exercising your CCPA rights. We will not deny you service, charge you a different price, or offer you a different level of quality because you exercised a privacy right.

We honour the Global Privacy Control (GPC) signal as a valid opt-out preference signal. Because we do not sell or share personal information for cross-context behavioural advertising in the first place, the GPC signal is functionally a no-op for us, but we record its presence and would honour it the moment any future processing fell within its scope.

CCPA categories of personal information we have collected in the previous 12 months:

CCPA category (Civil Code §1798.140(v))	Collected?	Purpose
Identifiers (email, account ID, IP)	Yes	Authentication, communication, security
Customer record information (Civil Code §1798.80)	Yes — display name and (for paid plans) billing references	Identifying you on packages you publish; processing your subscription
Protected classification characteristics	No	—
Commercial information	Only if you subscribe to a paid plan (billing reference via Stripe)	Processing your subscription
Biometric information	No	—
Internet or other electronic network activity	Yes — truncated server logs only	Security
Geolocation data	No	—
Sensory information (audio, visual, etc.)	No	—
Professional or employment information	No	—
Education information (FERPA-defined)	Only in K-12 EdTech deployments under a school agreement	Operating the service for the school
Inferences	No	—
Sensitive personal information (Civil Code §1798.140(ae))	No	—

9.2 Other US states

We extend the universal rights above to residents of Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, and Virginia, and to residents of any future US state with a comprehensive privacy law. Where a state law grants a right we have not enumerated above, we will honour it by reading the universal right list expansively in your favour.

Maryland (MODPA). The collection inventory in Section 2 is the inventory we would defend to the Maryland Attorney General under MODPA's strict data-minimisation rule. MODPA also prohibits the sale of sensitive data; we do not sell any data, sensitive or otherwise.

Colorado, Connecticut, Oregon, Texas. We honour the universal opt-out preference signal recognised under each of these laws.

10. International users

GasPackᵐ is hosted in the United States. Our data is stored in, and processed in, the United States. If you access the service from outside the US, your data will be transferred to and processed in the US, where it will be subject to United States law (including United States legal process).

By using GasPackᵐ from outside the United States, you consent to this transfer. Where it applies, we rely on legally provided mechanisms — including the European Commission's Standard Contractual Clauses and equivalent transfer instruments — to lawfully transfer personal data across borders, supplemented by the safeguards described in Section 12 (Security) and by the minimisation commitments in this policy.

We also commit to:

Honouring the universal data-subject rights in Section 9 for everyone, regardless of where you live. If you write to privacy@gaspackm.org asking to access, correct, export, or delete your data, we will respond.
Engaging only with service providers (Section 5) who themselves rely on recognised lawful transfer mechanisms for any personal data they process on our behalf.
Telling you candidly what we can and cannot offer if your local law would require something we are not doing — write to privacy@gaspackm.org and we will respond.

GasPackᵐ operates from the United States as a US business; our compliance posture is anchored in US federal and state privacy law. If you are subject to a foreign privacy regime and require formal compliance documentation (for example, a Data Processing Agreement incorporating Standard Contractual Clauses), contact privacy@gaspackm.org and we will work with you in good faith.

11. Children under 13 (COPPA)

GasPackᵐ is not directed at children under 13. We do not knowingly collect personal information from a child under 13 in any consumer context. If you are under 13, please do not create an account.

If we discover that we have collected personal information from a child under 13 outside an educational deployment where a parent or school has provided verifiable consent, we will delete that information promptly and terminate the account.

In a K-12 educational deployment under a school agreement, the school may consent on the parent's behalf as permitted by the Federal Trade Commission's COPPA School Authorisation guidance (16 CFR Part 312), and we process student data only as a school official under FERPA. See the Terms of Service for the educational protections that apply.

12. Security

We operate the service to a defence-in-depth standard:

TLS 1.2+ for all data in transit, with HSTS on our public hostnames.
AES-256 encryption at rest for managed databases and object storage.
Least-privilege access controls, with production access requiring multi-factor authentication.
Network segmentation between public-facing services and the database tier.
Static analysis (Semgrep) and dependency vulnerability scanning on every build.
Secrets stored in a managed secrets vault, never in environment variables or source code.

No service can promise that a breach will never occur. If a breach affecting your personal information does occur, we will notify affected users without undue delay, tell you what happened, what data was involved, what we have done about it, and what you can do.

13. Changes to this policy

When we make a material change to this policy — for example, adding a new category of personal information, adding a new purpose, or engaging a new service provider — we will:

Update the "Last updated" date at the top of this page.
Post the new version on our website.
Notify you by email or by a prominent in-application notice at least 30 days before the new version takes effect, except where an immediate update is required by law or by an active security incident.

If you do not agree with a material change, you may delete your account before the change takes effect. Your continued use of the service after the effective date constitutes acceptance of the new policy.

We will never quietly amend this policy to weaken your rights.

14. Contact

For any privacy question, write to:

privacy@gaspackm.org

For school-specific privacy questions and Data Processing Agreements: edu-privacy@gaspackm.org.

We aim to acknowledge every message within five business days.