Privacy Policy
This policy describes what the CodeCanyon Field Log service ("the Service") collects, why, and what your rights are.
1. What we collect
We collect the minimum needed to operate the Service:
- Account data — your email address and a bcrypt hash of your password. We never store the plaintext.
- Session metadata — a session identifier (cookie), the user-agent string, and IP address of the request that created the session. Used to detect hijacked sessions and to build the "active sessions" list.
- Request logs — method, path, status code, timing, request ID, and user-agent. Retained 30 days for debugging and abuse investigation.
- Abuse signals — per-principal and per-IP request counts. Retained only while relevant to an active rate-limit or ban window.
We do not collect marketing identifiers, behavioral analytics, or cross-site tracking data. We do not sell any data to third parties.
2. Cookies
We set two first-party cookies:
- cc_session — HttpOnly, SameSite=Lax. Holds the session identifier. Required for login.
- cc_csrf — not HttpOnly. Holds a random CSRF token used to protect state-changing requests from cross-site abuse.
No third-party cookies are set by the Service.
3. Third parties
The Service loads fonts from Google Fonts and the Chart.js library from jsDelivr. Your browser contacts those CDNs; we do not share any personal data with them beyond what the browser exposes (IP, user agent). We plan to self-host both to remove this dependency.
Outbound email is delivered via an SMTP provider configured per deployment (e.g. Postmark, SendGrid, SES). That provider receives the recipient address and the message body.
4. Email
We email you only for account-related events: verification, password reset, security notices. We do not send marketing.
5. Your rights
- Access — request a copy of the data we hold.
- Deletion — close your account and have associated data erased within 30 days.
- Correction — update your email address from account settings.
- Portability — export your data in a machine-readable format.
To exercise these rights, contact us at the address below.
6. Retention
- Account data: until the account is closed.
- Session records: until they expire (30 days default) or are revoked, then purged within 7 days.
- Request logs: 30 days.
- Password-reset and verification tokens: until consumed or expired, then purged within 7 days.
7. Security
Passwords are hashed with bcrypt (cost 12). Sessions use cryptographically random identifiers and the Secure cookie flag in production. Transport is HTTPS only in production.
8. Changes
We'll announce material changes to this policy by email in advance. Minor clarifications will update the date at the top of this page.
9. Contact
For any privacy question, including exercising the rights above, contact the Service operator. The contact address is listed in the deployment configuration; reach out via the email you used to sign up or through any channel the operator has published.