privacy policy

What we collect

• GitHub account basics (via GitHub OAuth when you sign in): your GitHub user id, login, display name, and avatar URL — used only to identify your account.
• API key metadata: a SHA-256 hash of your key, a non-secret display prefix (e.g. gpmcp_1a2b3c4d), creation time, last-used time, and a request count. The raw key is shown to you once and never stored.
• Session cookie: an httpOnly cookie so you stay signed in to this website.

What we do NOT collect

• No GreatPerks/Pintours credentials. You sign in to GreatPerks in your own browser; the Service never sees your username or password.
• No payment/card data, ever. Card details are entered into the payment gateway’s own PCI-isolated form in your browser; they are never passed to, typed by, or stored by the Service. There are no card fields in any tool input.
• No attraction, order, date, or buyer-detail content. Recipes execute on your machine and the data they read or write stays there — it does not pass through or get stored on our servers. We do not store recipe inputs or outputs.

How we use it

Solely to operate the Service: authenticate you, gate the MCP endpoint with your key, and show you basic usage (request count, last used). We do not sell your data or use it for advertising.

Third-party processors

• GitHub — OAuth sign-in.
• Convex — database for account + key metadata.
• Vercel — hosting of this website and the MCP endpoint.

Retention & your choices

Key metadata is retained until you revoke the key (revoked rows are kept for audit). You can rotate or revoke your key anytime on the keys page. To delete your account and associated data, contact us at jerry@42nights.dev.

Security

Keys are stored only as SHA-256 hashes and the endpoint fails closed (no valid key → no access). Still, no system is perfectly secure; treat your key like a password and rotate it if exposed.

Changes

We may update this policy; material changes will be reflected by the “last updated” date above.

Contact

Questions: jerry@42nights.dev.