Privacy Policy | BrewPage

Privacy Policy

BrewPage is a no-signup publishing service. We keep the data footprint small on purpose. This page describes what we collect, why, how long we keep it, and how to remove it. Effective date: 2026-05-04.

1. What BrewPage is

BrewPage (brewpage.app, also reachable at brewdata.app) is a free service that hosts HTML pages, Markdown notes, multi-file sites, JSON documents, key-value entries and arbitrary files. There is no user account: anyone can publish anonymously and anyone with the resulting URL can read the public content. The service is operated by the individual maintainer listed on the project's GitHub repository.

2. Data you publish

Anything you paste into the editor or upload (HTML, Markdown, files, KV values, JSON documents, ZIP bundles) is stored on our servers until the TTL you chose expires (default 15 days, max 30 days) or until you delete it. Uploaded blobs are stored in MinIO (S3-compatible object storage); text content is stored in PostgreSQL.

  • Do not publish personal data of other people, secrets, credentials, API keys, medical data, or any content you do not have the right to distribute.
  • Content in the public namespace with no password is listed in the gallery and indexed by search engines. Anything else is private (reachable only with the short URL, and if a password is set, also with that password).
  • After TTL expiry the nightly cleanup job removes the DB row and the underlying MinIO blob. There is no recovery.

3. Owner Tokens

Every publish returns a random Owner Token. It is the only credential that allows editing or deleting the resource. On the server we store only a bcrypt hash of the token — the plaintext exists only in the original response and, as a convenience, in your browser's localStorage for 30 days. Clearing your browser storage or using the Clear token button on /advanced removes it from your device. If you lose your Owner Token, the resource cannot be reassigned; it will auto-delete at TTL expiry.

4. Access logs

Every external HTTP request is logged to a table called access_events. We record:

  • Client IP address.
  • Request method, path, response status, latency.
  • User-agent and referer headers.
  • A small whitelisted subset of other request headers.

Sensitive headers — Cookie, Authorization, X-Admin-Password, X-Owner-Token, X-Password — are stripped before storage.

Access logs are kept for 30 days. A nightly cleanup job deletes older rows.

We use these logs for abuse investigation, rate-limit enforcement, debugging and aggregate analytics (views per day / namespace / source class). We do not sell them and we do not combine them with third-party profiles.

5. Rate limiting and abuse mitigation

Uploads are limited to 60 / hour / IP; reads to 300 / minute / IP. When a request is blocked or flagged the IP and path are kept in the access log for investigation.

For confirmed abuse (spam, phishing, malware, copyright, illegal content) we remove the resource and may block the IP. Reports: /report-abuse.

6. Cookies and local storage

  • No first-party functional cookies are set by BrewPage itself.
  • localStorage is used for: the theme preference (brewpage-theme), your Owner Token (brewpage-owner-token, up to 30 days), the list of your recent publications, and the currently active tab on Advanced.
  • Google Analytics 4 and Yandex Metrika set their own cookies (see Section 7).

7. Third-party analytics

The site includes two analytics scripts:

  • Google Analytics 4 (tag G-4JEB2R6550). Loaded from googletagmanager.com; processes pageviews, events and basic device/geo info under Google's privacy policy.
  • Yandex Metrika (counter 108328573). Loaded from mc.yandex.ru; click-map and link-tracking enabled, web-visor session recording is off. Operates under Yandex's privacy policy.

Both can be blocked with any standard content blocker (uBlock Origin, Brave Shields, browser tracking protection) without affecting the service. Do-Not-Track and Global Privacy Control headers are respected where the vendor honours them.

8. Who else processes your data

  • Contabo GmbH — the VPS hosting provider where BrewPage runs.
  • GitHub (Microsoft) — source code hosting and container registry (GHCR).
  • EuroDNS — DNS provider for the domains.
  • Google and Yandex — analytics, Search Console, webmaster tooling.
  • Font CDNs — Google Fonts and cdnjs.cloudflare.com for third-party libraries.

These providers see request metadata (IP, user-agent, URL) as part of serving their portion of the page. We do not share your published content with them beyond what is inherent to hosting.

9. Your rights

  • Delete your content: use the trash icon on the result card, or DELETE /api/html/{ns}/{id} (and equivalents for files / sites / kv / json) with your Owner Token. See /advanced.
  • Lost token / can't delete: submit /report-abuse with category I can't delete my page.
  • Abuse by someone else: submit /report-abuse with the relevant category.
  • GDPR access / erasure / portability: email the maintainer (contact via the GitHub repo kochetkov-ma/brewpage-openapi). We'll answer within 30 days.
  • Opt out of analytics: block googletagmanager.com and mc.yandex.ru at the browser or network level.

10. Security

The site is served over HTTPS only (HSTS preload, TLS certificate via Let's Encrypt). Admin endpoints require a password. Uploaded content is served with a sandboxed iframe (allow-scripts only) on browser-viewed short URLs.

Absolute security cannot be guaranteed; do not publish secrets to a public URL.

11. Children

BrewPage is not directed to children under 13 (or the local minimum age). Do not use the service if you are below that age.

12. Changes to this policy

Material changes are announced on the homepage's New panel and on the project's GitHub releases page. The effective date above is updated whenever this text changes.

13. Contact

Open an issue on github.com/kochetkov-ma/brewpage-openapi, or submit via /report-abuse.