Privacy Policy
Last updated: May 11, 2026
Paneler is an open-source 3D panel-layout designer for spherical objects such as footbags and juggling balls. This policy explains what we collect when you visit paneler.app, how we use it, and the rights you have over your data. We aim to collect as little personal data as possible.
If anything here is unclear, email [email protected].
Data we collect
We collect only what is required to sign you in and keep the service running:
- Account profile. When you sign in with Google or GitHub through our identity broker (Dex), we receive your email address and display name from the upstream provider. We do not receive your password.
- Session cookie. A single signed cookie (__Secure-authjs.session-token) set on the paneler.app root domain so you stay signed in between page loads.
- Server logs. Standard web-server logs containing IP address, user agent, request path, and timestamp. These are used to debug errors and detect abuse.
We do not run analytics trackers, advertising scripts, or third-party fingerprinting on paneler.app. We do not sell or rent data.
How we use your data
- Authentication. Your email and name are used to identify your account and display who is signed in.
- Service operation. Logs are used to keep the site working and investigate errors and abuse.
- Communication. If you email us about a privacy or support question, we use that email address to reply.
Legal basis (GDPR)
If you are in the EU or UK, we rely on the following legal bases:
- Contractual necessity — account profile data and the session cookie are required to provide a signed-in experience that you have requested.
- Legitimate interests — server logs are kept for security, abuse prevention, and basic operational debugging. We balance this against your privacy by keeping logs short and minimal.
- Consent — for any future optional processing (such as a newsletter), we will ask first.
Your designs
Panel designs you create in the Paneler editor — including panel colors and layout choices — are stored on your own device: either encoded into the URL hash so the page can be reloaded or shared, or saved as a JSON file you download. We currently do not store designs on our servers. Aside from the auth session described above, there is no server-side user content.
Cookies
We use one strictly necessary cookie: __Secure-authjs.session-token, set on the paneler.app root domain by Auth.js when you sign in. It keeps you signed in across pages. It is marked Secure, HttpOnly, and SameSite=Lax, expires after 30 days, and is removed when you sign out.
We do not set analytics or advertising cookies. Identity providers (Google, GitHub) may set their own cookies on their own domains during sign-in; those are governed by their privacy policies, not ours.
Third-party services
The only third parties that receive your data are part of the sign-in flow:
- Auth.js — open-source library that runs on our servers to manage sessions. It does not transmit data off our infrastructure.
- Dex — open-source OIDC identity broker we self-host. Dex forwards you to Google or GitHub and returns the resulting identity claims (email, name) to Paneler. See dexidp.io.
- Google — if you choose "Sign in with Google," Google authenticates you and shares your email and name with us. See policies.google.com/privacy.
- GitHub — if you choose "Sign in with GitHub," GitHub authenticates you and shares your email and name with us. See GitHub Privacy Statement.
We do not share your data with any other third parties, and we do not sell data.
Data retention
- Session cookie — up to 30 days, or until you sign out.
- Account profile (email, name) — kept while your account exists. If you ask us to delete it, we remove it within 30 days.
- Server logs — retained for up to 30 days for debugging and abuse investigation, then rotated out.
- Analytics — none collected.
Data security
All traffic to paneler.app is served over HTTPS. The session cookie is signed, scoped to paneler.app, and marked Secure and HttpOnly so it is not readable by client-side scripts. Account data lives on managed infrastructure with access limited to the project maintainers. No system is perfectly secure, but we keep our attack surface small by collecting very little.
Data breach notification
If we become aware of a breach affecting your personal data, we will notify affected users without unreasonable delay, and within 72 hours where required by GDPR. Notice will include what happened, what data was involved, and what steps to take.
Your rights
Regardless of where you live, you can email [email protected] to:
- Access the data we hold about you (email and name).
- Correct inaccurate data.
- Delete your account and associated data.
- Export your account data in a machine-readable format.
Self-service deletion is not yet built into the app, so we process these requests manually. We will respond within 30 days.
EU/UK (GDPR). You also have the right to object to processing, restrict processing, withdraw consent at any time, and lodge a complaint with your local data protection authority.
California (CCPA/CPRA). You have the right to know what personal information we collect, to request deletion, and to opt out of the sale or sharing of personal information. We do not sell or share personal information.
Children
Paneler is not directed at children under 13, and we do not knowingly collect personal data from them. If you believe a child has provided us with personal data, email [email protected] and we will delete it.
Changes to this policy
If we make material changes, we will update the "Last updated" date above and, where appropriate, notify signed-in users by email. Continued use of paneler.app after a change means you accept the updated policy.
Governing law
This policy is governed by the laws of the State of New York, United States, without regard to its conflict-of-laws rules.
Contact
Privacy questions, requests, or complaints: [email protected].