Privacy Policy

Last updated: 2026-03-05

Overview

Kerminal ("we", "us") operates kerminal.com. We respect your privacy and collect only the minimum data necessary to operate the service. This policy explains what we collect, how we use it, and your rights.

What We Collect

Account Data

When you register, we collect:

  • Email address — used for authentication and account recovery
  • Password — stored as a bcrypt hash; we never store or see your plaintext password

Analytics Data

When you visit our site, we collect the following for our self-hosted analytics (no third-party analytics services are used):

  • Page URL and referrer — to understand traffic sources
  • Country — derived from your IP address using a local MaxMind GeoLite2 database. The lookup happens entirely on our server; your IP is never sent to any external service
  • IP hash — a truncated SHA-256 hash of your IP address for session grouping. We never store your raw IP address
  • Device type, browser, and OS — parsed from your User-Agent header
  • Screen and viewport dimensions
  • Browser language
  • Timestamp

What We Do NOT Collect

  • No cookies are used for tracking
  • No raw IP addresses are stored
  • No third-party trackers, ads, or analytics services (no Google Analytics, no Facebook Pixel)
  • No fingerprinting beyond basic User-Agent parsing

How We Use Your Data

  • Account data — solely for authentication and access control
  • Analytics data — to understand site usage, improve content, and monitor service health. Analytics data is viewed only in aggregate

Authentication

We use JSON Web Tokens (JWT) for session management. Tokens are stored in HttpOnly cookies that cannot be accessed by JavaScript. Access tokens expire after 15 minutes and are automatically refreshed. Refresh tokens expire after 7 days.

Data Storage and Security

  • All data is stored in Google Cloud Firestore in the asia-northeast1 (Tokyo) region
  • Communication is encrypted via HTTPS/TLS
  • Passwords are hashed with bcrypt before storage
  • IP addresses are hashed with SHA-256 before storage; raw IPs are never persisted
  • Access to infrastructure is restricted to authorized personnel

Third-Party Services

We use the following third-party services in our infrastructure:

  • Google Cloud Platform — hosting and data storage (GCP Privacy Policy)
  • MaxMind GeoLite2 — local country lookup database. No data is sent to MaxMind; the database runs locally on our server (MaxMind Privacy Policy)
  • Resend — transactional email delivery for account verification (Resend Privacy Policy)

Data Retention

  • Account data — retained until you request deletion
  • Analytics data — retained indefinitely in aggregate form. Since no personally identifiable information is stored (IPs are hashed, no cookies), analytics records cannot be traced back to individuals

Your Rights

You have the right to:

  • Access your account data
  • Delete your account and associated data
  • Export your data in a portable format

To exercise any of these rights, contact us at privacy@kerminal.com.

Changes to This Policy

We may update this policy from time to time. Changes will be posted on this page with an updated revision date. Continued use of the site after changes constitutes acceptance of the updated policy.

Contact

For privacy-related questions or concerns, contact us at privacy@kerminal.com.