What we store
- Account data. Your username, email address, and a bcrypt hash of your password.
- API tokens. SHA-256 hashes of any tokens you create via bpm token create. The raw bearer strings are shown to you once and never stored.
- Published packages. Name, version, dependencies, description, and the tarballs you upload.
- Web access logs. Short-lived request logs (URL, timestamp, IP). Used for debugging and abuse prevention; rotated regularly.
Cookies
We set exactly one cookie, bpm_session, for browser logins. It is httpOnly, SameSite=Lax, and contains a signed JWT.
We do not set analytics or advertising cookies. The bpm CLI does not set cookies at all.
What we don't do
- We do not sell, share, or rent your email or any account data to third parties.
- We do not run third-party analytics, ad networks, or behavioral trackers on this site.
- We do not retain payment information — the registry is free to use.
- The CLI does not phone home, send telemetry, or report your project structure.
Email use
We use your email only for account recovery and rare, account-specific service notifications (for example, a security advisory affecting a package you own). We do not send marketing email.
Account deletion
Email us — or open an issue on the project's repository — to delete your account.
Packages other users depend on may be retained in a tombstoned, read-only form so consumers can still install pinned versions of bnl.lock.
Data residency & backups
The registry runs on infrastructure in the EU. Database snapshots are taken daily and retained for 30 days for disaster recovery.
Contact
Questions about this policy? Open an issue on github.com/bnlang/bpm.