Privacy Policy
Last updated: June 27, 2026
1. Who we are
Dembrandt (dembrandt.com) is an open-source CLI tool and web application for extracting and tracking design tokens from websites.
2. What data we collect
We collect minimal data:
- Email address — if you subscribe to our newsletter, or when you create an account in the Dembrandt App via GitHub OAuth. Newsletter email is stored by EmailOctopus. App account email is stored in our database.
- Extraction results — if you use the Dembrandt App with an API key, your extraction snapshots (design token data extracted from URLs you submit) are stored in your account. These contain no personal data; they reflect the public design tokens of the URLs you provide.
- API keys — hashed API keys associated with your account, used to authenticate CLI requests.
- Usage analytics — anonymized page views and interactions, collected via Google Analytics only after you give explicit consent. IP addresses are anonymized and no cross-site tracking is performed (
client_storage: none). - Technical data — standard server logs (IP address, browser, referrer) retained briefly by our hosting provider Vercel for security and debugging purposes.
We do not collect names, payment information, or any sensitive personal data.
3. Legal basis for processing
- Newsletter — consent (you opted in).
- App account and extractions — contract (account creation and use of the service).
- Analytics — consent (you accepted cookies).
- Server logs — legitimate interest (security, uptime).
4. Third-party processors
We use the following sub-processors:
- Vercel — hosting and serverless compute (USA, EU data transfer covered by DPA)
- Vercel Blob — storage of extraction snapshots (USA, same DPA)
- GitHub — OAuth authentication for app accounts (USA, GDPR compliant)
- EmailOctopus — newsletter delivery (UK, GDPR compliant)
- Google Analytics — anonymized analytics, consent-gated (USA, EU data transfer covered by Google's DPA)
5. Cookies
We only set analytics cookies after you give consent via the cookie banner. You can withdraw consent at any time by clicking the cookie settings link in the footer, which clears stored consent and stops analytics from loading.
The newsletter form may load a reCAPTCHA widget from Google to prevent spam. This may set cookies from Google. See Google's Privacy Policy for details.
6. Data retention
- Newsletter email — kept until you unsubscribe. Every email contains an unsubscribe link.
- Analytics data — retained for 14 months in Google Analytics, then automatically deleted.
- Server logs — retained by Vercel per their data retention policy (typically 30 days).
7. Your rights
Under GDPR you have the right to:
- Access the personal data we hold about you
- Request correction or deletion of your data
- Withdraw consent at any time
- Object to processing or request restriction
- Lodge a complaint with your local data protection authority
To exercise any of these rights, open an issue at github.com/dembrandt/dembrandt/issues. We will respond within 30 days.
8. Children
This service is not directed at children under 16. We do not knowingly collect data from minors.
9. Changes to this policy
We may update this policy occasionally. Material changes will be communicated via the newsletter or a notice on this page. The date at the top of this page reflects the most recent update.
10. Contact
Questions about this policy: dembrandt@tutamail.com