1. Who we are

This site is operated by Yuval Cohen (Mini UV), based in Israel. For privacy questions or data-subject requests, contact support@popx.tools.

2. What we collect

Account data

  • Email address (required to create an account and receive product updates).
  • Account settings and preferences.
  • Subscription status, billing source (Paddle or Patreon), renewal and cancellation events.
  • Download history (which POPX versions you have downloaded).

Sign-in & session

  • If you sign in with Patreon, we receive your Patreon user ID, email, and current Patreon tier via Patreon’s OAuth API.
  • If you use magic-link or password sign-in, we send a one-time link to your email via Resend.
  • We set a signed session cookie (JWT) so you stay logged in. The cookie contains your user ID and subscription status only — no payment data.

Server logs

  • Standard request logs (IP address, user-agent, timestamp, requested path) are processed by our hosting provider for security, abuse prevention, and basic analytics. These logs are short-lived.

What we don’t collect

  • We do not store credit-card or other payment-instrument details. Those are held by Paddle or Patreon.
  • We do not run third-party advertising trackers or build behavioral profiles.
  • We do not sell your data.

3. How we use it

  • To run your account and grant access to the POPX download.
  • To process payments (via Paddle) or validate Patreon membership (via the Patreon API).
  • To send transactional email (sign-in links, receipts, subscription notices, important account updates).
  • To send product updates (new releases, changelog) — only if you have not opted out.
  • To detect and prevent fraud, abuse, and license violations.
  • To comply with legal obligations.

4. Service providers (sub-processors)

We use the following third parties to operate the service:

  • Cloudflare — hosting, edge compute, database (D1), file storage (R2), and CDN.
  • Paddle — payments, subscriptions, sales tax, invoicing (merchant of record for direct billing).
  • Patreon — alternative subscription path; we read your tier status to grant access.
  • Upstash — short-lived caching of subscription state and download tokens.
  • Resend — transactional email delivery.
  • Kit (formerly ConvertKit) — product-update email list, only for users who have not opted out.
  • Discord — community chat (optional; only applies if you join the server).
  • Google Fonts — typography (font requests reach Google).

Each of these providers operates under its own privacy policy.

5. Cookies

We use a small number of essential cookies — primarily a signed session cookie that keeps you logged in, and a CSRF token. We do not use advertising cookies or cross-site tracking.

6. Legal basis (GDPR / UK GDPR)

  • Contract — processing necessary to provide the service you signed up for (account, subscription, downloads, transactional email).
  • Legitimate interests — security, fraud prevention, and basic analytics.
  • Consent — product-update marketing email (you can unsubscribe at any time).
  • Legal obligation — tax records, responding to lawful requests.

7. Data retention

  • Account data: kept while your account exists and for up to 12 months after deletion (for fraud prevention and legal claims).
  • Billing records: retained as long as required by tax law (typically 7 years).
  • Server logs: short-lived, typically rotated within 30 days.
  • Download tokens: 1 hour, then deleted.

8. Your rights

Depending on where you live, you may have the right to access, correct, export, or delete the personal data we hold about you, to object to or restrict certain processing, and to lodge a complaint with your local data-protection authority. To exercise any of these rights, email support@popx.tools from the address on your account.

For payment-related data held by Paddle or membership data held by Patreon, you may need to contact those providers directly.

9. International transfers

Our infrastructure runs on global edge networks, so your data may be processed in countries other than your own (including the United States and the European Union). Where required, our service providers rely on Standard Contractual Clauses or equivalent safeguards.

10. Security

We take reasonable technical and organizational measures to protect your data, including TLS in transit, encrypted storage, signed session tokens, and least-privilege access. No system is 100% secure; if we ever suffer a breach affecting your data, we will notify you as required by law.

11. Children

POPX is not directed to children under 16 and we do not knowingly collect personal information from them. If you believe a child has provided us with personal data, contact support@popx.tools and we will delete it.

12. Changes

We may update this policy. Material changes will be announced on the Site or by email. The “Last updated” date at the top reflects the current version.