Privacy

We collect nothing. No cookies. No analytics. No fingerprinting. No IP logging. No page view tracking. You open the site, we serve pages. That is the entire relationship. There is no difference between a first visit and a hundredth visit from our side — we genuinely cannot tell them apart.

Compare that to almost every other site you use: X tracks your reading habits to train its AI. Reddit logs your IP and browser fingerprint. XDA passes your activity to a network of third-party advertisers. We do none of that because we have no business reason to.

GitHub OAuth sends us three things when you sign in and we store all three:

• Your GitHub username — shown in the navbar so you know you are signed in.
• Your avatar URL — a link to your profile picture hosted on GitHub's CDN. We store the URL, not the image.
• Your GitHub numeric ID — an internal identifier so the server knows it is you across sessions.

That is all. The OAuth scope is read:user which only reads public profile data. No email. No followers. No repositories. No private data. GitHub shows you exactly what we asked for during the sign-in flow.

Stored in our database tied to your GitHub numeric ID. Up to 20 device codenames. You can remove individual devices from the watchlist page at any time. You can delete your account instantly from the navbar or footer when signed in. This removes your profile, watchlist, and all ROM alerts immediately. To also revoke GitHub's access token, go to github.com → Settings → Applications → Authorized OAuth Apps → Droidify → Revoke.

When new ROM builds are found for a device in your watchlist, an alert is created in our database and shown as a badge on the Watchlist nav item. That is it. No emails. No push notifications. No SMS. In-app badge only, visible only to you when signed in.

One cookie. A signed session token that keeps you logged in for 30 days. It is httponly (JavaScript cannot read it), samesite=lax (cannot be sent cross-site), and signed with a server-side secret (cannot be forged). If you never sign in, no cookie is ever set.

• GitHub OAuth — only during sign-in. Their privacy policy applies to that flow.
• jsDelivr CDN — serves the CSS stylesheet. No tracking, no cookies from them.
• HuggingFace — where the server runs. They see standard server logs (IP address, timestamp, URL requested) as any hosting provider does. We do not.

No advertising networks. No analytics platforms. No social media tracking pixels. No "partners" who receive your data.

Your account and watchlist stay until you delete them. Use the Delete account button in the navbar or footer when signed in — it removes everything instantly. No waiting, no email, no GitHub issue required.