Legal
Privacy Policy
This policy explains what data Liminate collects, why, how it is stored, who it is shared with, and the choices you have. It covers the Liminate family of products served at liminate.dev — Receipts, Agreements, and Mood Ring.
1Who we are
Liminate is operated by R. Michael Thomas ("Liminate", "we", "us"). For any privacy question or request, contact hello@liminate.dev. For the purposes of data-protection law, we act as the data controller for the information described here.
2What we collect
We collect only what the products need to function. There is no third-party advertising or analytics tracking on our products.
Account information
If you sign in, we use GitHub OAuth for authentication. When you authorize the connection, we receive and store your GitHub numeric ID, GitHub username, and the email address associated with your GitHub account. We do not receive your GitHub password.
Content you submit
- Receipts: the contract source text you submit for verification, an optional label, and the verification results. Saved contracts are stored under your account.
- Agreements: the agreement text you author, and the evidence and decision records produced when you evaluate against an agreement.
- Mood Ring: the journal entry text you write and the reading produced from it. These entries are private to your account.
Billing information
Payments are processed by PayPal. We never see or store your card number or PayPal credentials. We store only a record of the transaction — PayPal order or subscription identifiers, amount, type, and the resulting plan or credit balance on your account.
Technical information
We store API keys you generate in hashed form (SHA-256) — the raw key is shown to you once at creation and is never stored. We record a session cookie when you are signed in, and we use your IP address transiently for rate limiting. We do not keep server access logs for analytics or profiling.
3How we use it
- To run the verification, evaluation, and reading functions you request.
- To authenticate you and keep you signed in.
- To store the contracts, agreements, decisions, and entries you choose to save, and to show you your history.
- To process payments and apply the plan or credits you purchase.
- To enforce plan limits and rate limits, and to protect the service from abuse.
We do not sell your personal information, and we do not use your submitted content to train any model.
4Legal basis (EU/UK users)
Where the GDPR or UK GDPR applies, we rely on: performance of a contract (to provide the service you signed up for), legitimate interests (to secure the service and prevent abuse), and consent where required. You may withdraw consent at any time by contacting us.
5Who we share it with
We share data only with the service providers needed to operate the products. We do not sell or rent personal information to anyone. Our sub-processors are:
| Provider | Purpose | Data involved |
|---|---|---|
| Railway | Application hosting & database | All stored data resides on hosted infrastructure |
| PayPal | Payment processing | Payment details (handled by PayPal), transaction identifiers |
| GitHub | Sign-in (OAuth) | GitHub ID, username, email at authentication |
A current list is maintained on our Security & Sub-processors page. We may also disclose information if required by law.
6Cookies
We use a small number of strictly necessary cookies and no others. There are no advertising or third-party analytics cookies, so no consent banner is required.
- Session cookie — keeps you signed in. Stored for up to 30 days.
HttpOnly,SameSite=Lax, and secure over HTTPS. - Sign-in return cookie — a short-lived cookie (about 10 minutes) used during the GitHub sign-in flow to return you to the right page.
7Retention
We keep your account and saved content for as long as your account exists. Transaction records are kept as needed for financial and legal record-keeping. When you delete a saved item, or your account, the corresponding data is removed from our active database (see your rights below).
8Your rights & choices
You can:
- Export your data. Receipts provides an export of your saved contracts (including a
.limnfile export) from within the app. - Delete your content. You can delete saved contracts, agreements, agreement decisions, Mood Ring entries, and API keys from within the app.
- Delete your account. Email hello@liminate.dev to request deletion of your account and associated data.
- Access, correct, or object. Where data-protection law gives you these rights, contact us and we will respond.
If you are in the EU/UK, you may also lodge a complaint with your local supervisory authority. If you are a California resident, you may exercise the rights described in the next paragraph.
California (CCPA/CPRA): we do not sell or share your personal information as those terms are defined under California law, and we do not use it for cross-context behavioral advertising. You may request access to or deletion of your information by contacting hello@liminate.dev.
9Security
Data is transmitted over HTTPS. API keys are stored hashed, never in plaintext. Saved content is scoped to your account. For our security practices and how to report a vulnerability, see the Security & Sub-processors page. No system is perfectly secure, and we cannot guarantee absolute security.
10Children
Liminate is not directed to children under 13 (or the equivalent minimum age in your jurisdiction), and we do not knowingly collect their data. If you believe a child has provided us information, contact us and we will delete it.
11Changes
We may update this policy. When we do, we will revise the "Last updated" date above. Material changes will be reflected on this page.
12Contact
Questions or requests: hello@liminate.dev.