chekd
← chekd.net
LegalPrivacy Policy

chekd — Privacy Policy

Draft — not yet in force

DRAFT — not yet published. Not legal advice. Effective date: [TBD on publish]. Policy version: 2026-06-22.1 (must match POLICY_VERSION in the product; both are bumped to the publish date before going live). This document requires counsel review before it takes effect: the effective date, every [BRACKETED] operator/contact placeholder, retention periods, the opt-in data-sharing description, and the payment/Merchant-of-Record wording must all be confirmed before publication.

The one-sentence version: your chekd runs never leave your machine unless you explicitly turn on data sharing — which is paid-plan-only, all-or-nothing, off by default, and separate from paying us.

1. Who we are

chekd is operated by [operator legal name — LLC pending; currently a solo developer in Florida, USA] (“chekd”, “we”, “us”). Contact: [email protected].

2. What this policy covers

This policy covers (a) the chekd desktop/CLI app and its cockpit, (b) purchasing and license keys, (c) the optional paid data platform, and (d) the chekd.net website. Payments themselves are processed by LemonSqueezy as Merchant of Record under their own privacy policy and buyer terms — see §3.2 and §5.

3. What we collect, surface by surface

3.1 The app, in its default mode: 100% local. Nothing uploads.

chekd walks your web app in a browser on your machine and stores findings, corrections, and taste data as plain files in your own project / ~/.chekd. It makes no network upload of your app content, findings, selectors, corrections, or usage. This is not just a promise: our build runs an automated network-invariant test that fails if any upload path is reachable while collection is off. There is no telemetry, no crash reporting, and no analytics in the app’s default mode.

3.2 Buying chekd: purchase and license data (this is the small slice we do always process)

When you buy a chekd Plus subscription, LemonSqueezy (the Merchant of Record) collects your payment details — we never see your card number. LemonSqueezy then sends us the minimum needed to deliver your license, and we store it: your email address, order ID, license key, plan, and issue date (in Cloudflare Workers KV, in the United States). We use this only to deliver your key, look it up for support (“I lost my key”), and handle refunds. License keys verify offline on your machine — using chekd does not phone home to check your license.

3.3 The optional data platform: paid-plan, opt-in, all-or-nothing (currently not live)

If — and only if — you are on the paid plan and you affirmatively switch on data collection, chekd may upload a best-effort scrubbed copy of: the page content it captured, the findings it produced, and the DOM selectors involved. The switch is all-or-nothing (no partial sharing), off by default, and separate from your purchase — paying for chekd is never, by itself, agreeing to share data.

Before anything is uploaded, a client-side scrubber attempts to remove secrets (API keys, tokens, auth headers), email addresses, and values you typed into forms; the upload endpoint also refuses requests unless the body is marked scrubbed, the license is valid, and the server-side consent log contains current grants for every named purpose under the active policy version. We collect selectors and findings in preference to raw content. Every consent you give is logged per-purpose, timestamped, and stamped with the version of this policy in force — and you can turn the switch off at any time.

3.4 The chekd.net website

The website currently sets no cookies and runs no analytics. It is hosted on Cloudflare, whose infrastructure keeps standard short-lived server logs (IP address, request path) for security and delivery; we don’t build profiles from them. If we ever add analytics or cookies, we will update this policy first.

4. Why we collect it (named, distinct purposes)

Data-platform uploads (§3.3) are used for these specific purposes, and no others:

Purchase/license data (§3.2) is used only to deliver, support, and administer your license.

We do not sell your data, we do not share it for cross-context behavioral advertising, and we deliberately avoid a vague “to improve our services” catch-all — every purpose is specific enough to be meaningfully agreed to. Adding a new purpose later requires your fresh, affirmative opt-in (§11).

5. Legal bases

Where the GDPR or UK GDPR applies:

Where US state privacy laws apply, data-platform collection is strictly opt-in, and you may opt out (turn it off) at any time.

6. Who we share it with (sub-processors)

We do not share your collected data with any other third parties. We will update this list before adding a sub-processor that touches your data.

7. Where it’s stored & how long

Collected data is stored in the United States (Cloudflare KV/D1/R2), encrypted in transit (TLS) and at rest.

8. Your rights & controls

Regardless of where you live, you can:

Email [email protected] to exercise any right; we will verify the request (typically by matching your license email) and respond within the timeframe the applicable law requires (e.g., 30 days under GDPR, 45 days under CCPA-style laws). We will never discriminate against you — in price, features, or support — for exercising a privacy right. EU/UK users additionally have the GDPR rights to rectification, restriction, objection, portability, and to lodge a complaint with a supervisory authority. Where a law gives effect to browser opt-out signals (such as Global Privacy Control), note that chekd’s surfaces do no cross-site tracking for such signals to opt out of.

9. International users

chekd stores data in the US and does not currently target the EU/EEA for data collection. If you opt in to the data platform from the EU/EEA/UK, your data is transferred to and stored in the United States, and turning on the switch is your explicit consent to that transfer (GDPR Art. 49(1)(a)); you can withdraw it at any time. A Data Processing Addendum is available for business customers on request.

10. Security & incidents

Data in our custody is encrypted in transit (TLS) and at rest, access to production systems is limited to the operator, and payment card data never touches our systems (LemonSqueezy/Stripe are PCI-compliant processors). No system is perfectly secure; if a breach affects your personal data, we will notify you and the relevant authorities as the applicable law requires.

11. Changes

If we make a material change to what we collect or why, we will re-request your consent — your prior opt-in does not roll over to a new purpose or practice (this is enforced in the product: consents are stamped with a policy version, and a version bump forces re-consent). We’ll update the policy version and effective date at the top of this policy, and keep prior versions available on request.

12. Children

chekd is not directed to children under 13 (or the higher minimum age your jurisdiction sets for consent) and we do not knowingly collect their data. If you believe a child has given us personal data, email [email protected] and we will delete it.

13. Contact

[email protected] · [operator mailing address — TBD; a PO box or registered-agent address is fine, but a real postal address is expected in a published policy].