Privacy Policy
Last updated: May 24, 2026
This Privacy Policy explains what personal information OpenPSL collects, how it is used and stored, and what rights you have over your data. We have tried to write this in plain language. If anything is unclear, email openpsl.org@gmail.com.
1. Who is responsible for your data
OpenPSL is operated by Juan Cotrina, an individual based in Peru, acting as the data controller for personal information processed by the service available at https://www.openpsl.org ("OpenPSL", "the service", "we", "us").
Contact for any privacy matter, request, or complaint: openpsl.org@gmail.com.
2. Information we collect
We collect the minimum information needed to run the service. We do not buy data from third parties and we do not collect data about you from across the wider web.
2.1 Information you provide via OAuth sign-in
OpenPSL only accepts sign-in through Google, Microsoft and GitHub. When you sign in for the first time, the provider you choose returns the following information about you to OpenPSL:
- Your name as registered with that provider.
- Your verified email address.
- Your profile image URL (the picture displayed in your provider account), used only to render your avatar inside the application.
- A provider-specific user identifier and short-lived OAuth tokens required to maintain your session.
We never receive your password. We do not request access to your contacts, your drive, your repositories, your calendar, or any other scope beyond your basic profile and email.
2.2 Content you create
Anything you write into a Procedure Pack (title, objective, roles, inputs, steps, decisions, outputs, exceptions, risks, controls, tags, summary, etc.) is stored in our database under your account.
2.3 Technical and usage information
- IP address, browser type and timestamps are written to server access logs maintained by our hosting provider for security and operational purposes.
- A signed session cookie (issued by NextAuth) so you stay logged in between visits. It contains a reference to your account; it does not contain your password (you do not have one).
- Aggregate metrics such as the download counter on each public Procedure Pack. These are counts, not personal identifiers.
2.4 We do not use advertising trackers
OpenPSL does not use Google Analytics, Facebook Pixel, advertising networks, or any third-party tracker. There are no marketing cookies on this site.
3. Why we process your data (legal bases)
Depending on the action, our legal basis for processing your personal data is one of the following:
- Performance of a contract. Processing is necessary to provide the service you signed in for — storing your packs, serving them back to you, allowing exports.
- Your consent. Signing in with an OAuth provider and accepting these terms constitutes your consent to the processing described here. You can withdraw consent at any time by deleting your account.
- Legitimate interest. Keeping access logs and counting downloads is necessary to operate the service securely and to understand which content is useful.
- Legal obligation. Some retention may be required to respond to lawful requests from authorities.
4. How long we keep your data
- Account data (User and Account records): kept while your account exists. Deleted when you request deletion.
- Procedure Packs: kept while you keep them. Each edit retains a version history; the full history is removed when a pack is deleted.
- Server logs: kept for up to 90 days for security and debugging, after which they are rotated out.
- Backups: database backups taken by our hosting provider may retain data for up to 30 days beyond deletion until they age out.
5. Who we share your data with (sub-processors)
We share the minimum necessary data with the following third parties, each of which has its own privacy policy:
- Google LLC — identity provider when you choose "Continue with Google".
- Microsoft Corporation — identity provider when you choose "Continue with Microsoft".
- GitHub, Inc. (a subsidiary of Microsoft) — identity provider when you choose "Continue with GitHub".
- Railway Corp. — application hosting and managed PostgreSQL database. Application data is stored on Railway infrastructure (currently US-based).
We do not sell your personal data, and we do not share it with any third party for marketing purposes.
6. International data transfers
OpenPSL's hosting and database are currently located in the United States. If you sign in from outside the United States, your personal data is transferred to and stored in the United States. Where applicable (e.g. users in the European Economic Area), we rely on the standard contractual clauses adopted by the relevant authorities as the safeguard for that transfer.
7. Your rights
You have the right, at any time, to:
- Access the personal data we hold about you.
- Rectify data that is inaccurate or incomplete.
- Delete your account and all associated data (right to be forgotten).
- Export your data: every Procedure Pack can be downloaded as JSON, Markdown or PDF from its view page or from the editor sidebar.
- Withdraw consent by deleting your account.
- Object to or restrict certain processing.
- Lodge a complaint with your local data protection authority. In Peru, that authority is the Autoridad Nacional de Protección de Datos Personales (ANPD).
To exercise any of these rights, email openpsl.org@gmail.com. We will respond within 30 days. We may ask you to confirm your identity (e.g. by replying from the email address tied to your account) before acting on a request.
8. Security
We take reasonable technical and organizational measures to protect your data: HTTPS in transit, hashed session tokens, OAuth-only authentication (we never store your password because we never see it), restricted database access, and least-privilege credentials in our hosting environment. No system is perfectly secure; if we ever become aware of a personal data breach affecting you, we will notify you and the relevant authorities as required by law.
9. Cookies
OpenPSL uses a single category of cookies: a strictly necessary session cookie issued by NextAuth to keep you signed in. We do not use advertising, analytics or social media cookies. Because all our cookies fall under the "strictly necessary" category, no consent banner is required by law in most jurisdictions, but you can clear them at any time from your browser settings.
10. Children
OpenPSL is not directed at children. We do not knowingly allow users under 16 years old. If you believe a minor has created an account, please contact us and we will remove it.
11. Public content and forks
Procedure Packs you mark as Public are visible to anyone with the URL, listed on the Explore page, and can be forked by any signed-in user. A fork is an independent copy owned by the forking user; your original is not modified. The fork retains a permanent reference to your pack as its ancestor. Do not publish information you would not want to be read, copied or archived by others.
12. Changes to this policy
We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top of this page. Material changes will also be communicated by a notice on the application before they take effect.
13. Contact
Questions, requests or complaints related to this policy can be sent to openpsl.org@gmail.com.