Privacy

• No ad networks, no third-party analytics, no tracking pixels.
• No selling or sharing of personal data — there's nothing collected to sell.
• No account required to browse, search, or read any package page.

Package pages render READMEs from public source repositories, which often embed images and badges hosted elsewhere. kpkg fetches those images server-side and re-serves them from kpkg.dev, so the third-party host never sees your IP address, browser, or any cookies. The images you load reveal nothing about you to anyone but kpkg.

The public site sets no tracking cookies. A theme preference (light/dark) is stored locally in your browser and never leaves your device. When publishing opens, signing in to the dashboard sets a single signed, HTTP-only session cookie — used only to keep you logged in, readable by no script.

Authentication uses GitHub OAuth and requests only your public profile (your login name) to verify namespace ownership such as io.github.<you>. kpkg never sees your GitHub password and never gains write access to your repositories.

For published packages, kpkg counts resolutions in aggregate (a per-month, per-country tally derived from Cloudflare's edge) so authors can see usage. These counts contain no IP addresses, user agents, or anything that identifies an individual.

kpkg runs entirely on Cloudflare. As the network serving every request, Cloudflare processes traffic and may keep short-lived operational logs on our behalf, as any host does. We don't add our own logging layer on top of that.

Reach out to @android_poet on X. This policy will be updated as kpkg grows; the date above always reflects the current version.