Privacy Policy
Last updated: June 1, 2025 · Applies to all PyPI Watch users
1. Information We Collect
We collect only the minimum data necessary to operate the service:
- Email address — provided during registration; used for alert delivery and account management.
- Package names — the PyPI package names you choose to monitor.
- IP address — recorded in server access logs automatically on each request.
- Usage logs — timestamps of API requests, alert delivery status, and error events for operational diagnostics.
- Payment information — processed exclusively by Stripe. We store only the Stripe customer ID and subscription status; we never see or store raw card data.
We do not collect names, phone numbers, physical addresses, or any information beyond what is listed above.
2. How We Use Your Information
Your data is used solely for the following purposes:
- Providing the PyPI hash-monitoring service and delivering alerts to your email address.
- Processing subscription payments via Stripe.
- Preventing abuse, unauthorized access, and fraudulent activity.
- Diagnosing technical issues and improving service reliability.
3. Third-party Services
PyPI Watch relies on the following third-party services to operate. Each provider has its own privacy policy governing its data handling:
Stripe
Payment processing. Your card data is stored and handled exclusively by Stripe under PCI-DSS compliance.
Resend
Transactional email delivery. Your email address and alert content are transmitted to Resend to send notifications.
Railway
Cloud hosting and database infrastructure. All application data (including your email and package list) resides on Railway servers.
Anthropic (Claude)
AI-powered risk analysis. When a hash change is detected, the event details (package name, filename, hash values) are sent to Claude for analysis. No personal data is included in these requests.
4. Data Retention
We retain your data for as long as your account is active. Upon account cancellation or deletion:
- Your email address, package list, and alert history will be deleted within 30 days.
- Server access logs containing IP addresses are retained for up to 90 days for security purposes, then purged.
- Stripe retains payment records independently under its own retention policy.
5. Your Rights (GDPR & CCPA)
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Right of access — request a copy of the personal data we hold about you.
- Right to deletion — request that we delete your account and associated data ("right to be forgotten").
- Right to rectification — request correction of inaccurate data.
- Right to portability — request your data in a machine-readable format.
- Right to opt out (CCPA) — California residents may opt out of the sale of personal information. We do not sell personal information.
To exercise any of these rights, contact us at support@pypiwatch.com. We will respond within 30 days.
6. Cookies
PyPI Watch does not use cookies for tracking or analytics. No third-party tracking scripts, advertising pixels, or session cookies are set on this site.
7. Security
We apply reasonable technical and organizational measures to protect your data, including encrypted connections (HTTPS) and access controls on our infrastructure. However, no method of transmission over the internet is 100% secure, and we cannot guarantee absolute security.
8. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated to registered users via email before taking effect. Continued use of the service after the effective date constitutes acceptance of the updated policy.
9. Contact
For privacy-related inquiries, data requests, or concerns, please contact us at support@pypiwatch.com.