Privacy Policy
Last updated: 12 April 2026
Who we are
FluffyStack (fluffystack.dev) is a cloud service comparison tool. The site is operated by Andi Chandler. If you have questions about this policy, use the feedback form.
What we collect
| Data | When | Why |
|---|---|---|
| Email address | When you sign in via GitHub or Google | Account identity + API key ownership |
| Display name | From your OAuth provider profile | Shown on the Account page |
| Avatar URL | From your OAuth provider profile | Profile picture on the Account page |
| API request count | On every authenticated API call | Usage tracking for rate limiting |
| Feedback text | When you submit feedback | Product improvement |
What we do NOT collect
- We do not use cookies for tracking or advertising
- We do not sell or share your data with third parties
- We do not track which services you add to your list (that stays in your browser's localStorage)
- We do not store your OAuth access tokens — we fetch your profile once and discard the token
- We do not run Google Analytics, Facebook Pixel, or any third-party tracking scripts
Analytics
We use Cloudflare Web Analytics, which is a privacy-first analytics service that does not use cookies, does not track individual users, and anonymises IP addresses. It tells us aggregate page view counts and nothing else. No consent is required under GDPR for this type of analytics.
Local storage
FluffyStack stores the following in your browser's localStorage (not cookies — localStorage never leaves your device):
fluffystack_auth_token— your session JWT (cleared on sign-out)fluffystack-approved-services— your Service Builder listfluffystack-reading-prefs— accessibility preferences (font, spacing, motion)fluffystack-colour-filter— visual stress colour filter choice
All of this is functional — it exists to make the site work, not to track you. You can clear it at any time via your browser settings.
Where data is stored
Account data (email, name, API key) is stored in a Cloudflare D1 database hosted in the Western Europe (WEUR) region. Cloudflare is a US company with EU data processing agreements in place. The API runs on Cloudflare Workers at the edge — your requests are processed at the nearest Cloudflare data centre to you.
Data retention
- Account data is kept for as long as your account exists
- Shared service lists expire after 90 days
- Feedback submissions are kept indefinitely for product improvement
- API status history is pruned after 7 days
Your rights (GDPR / UK GDPR)
You have the right to:
- Access — request a copy of the data we hold about you
- Rectification — ask us to correct inaccurate data
- Erasure — ask us to delete your account and all associated data
- Portability — receive your data in a machine-readable format
- Object — object to processing of your data
To exercise any of these rights, use the feedback form. We will respond within 30 days.
Third-party services
| Service | Purpose | Data shared |
|---|---|---|
| Cloudflare Pages + Workers | Hosting + API | Standard HTTP request data |
| Cloudflare Web Analytics | Aggregate page views | None (cookie-free, IP-anonymised) |
| GitHub OAuth | Sign-in | OAuth code exchange only |
| Google OAuth | Sign-in | OAuth code exchange only |
Changes to this policy
We may update this policy from time to time. Material changes will be noted with a new "Last updated" date at the top. Continued use of the site after changes constitutes acceptance.