Privacy
Plain-English summary of what this site collects and why. Last updated 2026-05-11.
TL;DR
- No cookies. No third-party advertising or tracking pixels.
- One first-party pageview beacon per page load to /api/track.
- Your email is only stored if you actively submit the digest form.
- Logs are kept ~30 days. Email-list opt-out is one click in any email.
- To delete anything: email hello@osalt.dev.
Cookies
os-alt sets no cookies. There is no advertising network, no Google Analytics, no Facebook pixel, no session cookie. Because nothing is set, no cookie banner is shown.
Pageview & event tracking (/api/track)
Each page on this site fires a single first-party beacon to
/api/track. Specific named clicks (the sponsor slot,
the calculator submit button, the badge copy button, outbound
migration links, calculator widget views, insight clicks) also send
a small event payload. The endpoint runs on our own Vercel
infrastructure and writes one row per hit into a private Supabase
Postgres database.
What gets stored, per row:
- Path visited on this site.
- Referrer header (where you came from), if your browser sent one.
- Country code (e.g. DE, US) derived from your IP at the Vercel edge — not the IP itself.
- UA hash — a SHA-256 of your user-agent string concatenated with today's UTC date, truncated to 16 hex chars. The hash rotates daily, so the same browser produces different hashes on different days. Cannot be reversed to your user-agent or to you.
- Event name (only for the named clicks above) and a small structured meta object describing the click (e.g. which sponsor slot fired). Capped at 2 KB.
What is not stored:
- Your raw IP address.
- Your user-agent string in cleartext.
- Any cookie or device identifier.
- Mouse movements, keystrokes, form contents, or any kind of session replay.
Vercel, our hosting provider, also sees your raw IP address while it terminates the TLS connection and writes a short-lived edge log (typically retained ≤30 days). We do not read or copy that log into our own systems. See Vercel's privacy policy. Supabase, the database host, sees only the rows above. See Supabase's privacy policy.
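A sketch of how a tracking endpoint can reduce a request to the row described above and nothing else. This is an added example, not os-alt's own code: the field names, lowercase header keys, the ISO date format, direct concatenation of user-agent and date, and dropping (rather than truncating) oversize metadata are all assumptions.

```python
import hashlib
import json
from datetime import datetime, timezone

META_CAP_BYTES = 2048  # the notice's 2 KB cap on event metadata

def ua_hash(user_agent, now=None):
    """SHA-256 of user-agent + UTC date, truncated to 16 hex chars."""
    now = now or datetime.now(timezone.utc)
    day = now.astimezone(timezone.utc).strftime("%Y-%m-%d")  # assumed date format
    return hashlib.sha256((user_agent + day).encode("utf-8")).hexdigest()[:16]

def build_row(path, headers, country, event=None, meta=None, now=None):
    """Return only the fields the notice lists; the IP is never passed in."""
    row = {
        "path": path,
        "referrer": headers.get("referer"),  # None if the browser sent none
        "country": country,                  # two-letter code resolved at the edge
        "ua_hash": ua_hash(headers.get("user-agent", ""), now),
        "event": event,
        "meta": None,
    }
    if event is not None and meta is not None:
        encoded = json.dumps(meta, separators=(",", ":")).encode("utf-8")
        # Assumption: oversize metadata is dropped, not truncated,
        # so a stored meta value is always valid JSON.
        if len(encoded) <= META_CAP_BYTES:
            row["meta"] = meta
    return row

# Constructed sample request (not real traffic).
SAMPLE_HEADERS = {
    "user-agent": "Mozilla/5.0 (X11; Linux x86_64) ExampleBrowser/1.0",
    "referer": "https://example.org/post",
    "cookie": "sid=abc123",  # present in the request, must not reach the row
}
DAY1 = datetime(2026, 5, 11, 23, 59, tzinfo=timezone.utc)
DAY2 = datetime(2026, 5, 12, 0, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(build_row("/alternatives", SAMPLE_HEADERS, "DE",
                    event="sponsor_click", meta={"slot": "top"}, now=DAY1))
    print(ua_hash(SAMPLE_HEADERS["user-agent"], DAY1),
          ua_hash(SAMPLE_HEADERS["user-agent"], DAY2))
```

Because the hash input is only the user-agent and the date, two visitors running the same browser build share a hash on a given day.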
Email signups (the monthly digest)
If you submit the email form on this site, we store:
- The email address you typed.
- The page where you signed up (so we can tell which content drives signups).
- A contact id from Resend, our email delivery provider, who actually sends the emails.
We send one confirmation email immediately, then roughly one digest
per month. Every digest contains a one-click unsubscribe link that
removes you from the Resend audience and prevents further sends.
You can also email hello@osalt.dev
asking us to delete your row from the Supabase subscribers
table.
CAN-SPAM / GDPR: we send only to addresses that
typed themselves into a form on this site (no purchased lists), every
message identifies the sender (digest@west0n.top),
every message links to a working unsubscribe, and we honor deletion
requests on a same-day-or-next-day cadence.
Server logs
Our hosting providers (Vercel for the web app, Supabase for the database) keep operational logs of HTTP requests for normal reliability and abuse-prevention reasons. These logs typically include source IP, request method, path, status code, and timing. Standard retention is ~30 days. We do not export, sell, or cross-reference these logs.
Embeds & outbound links
The embed widgets served from this origin
(/embed.js, /embed/calc.js) include the
same /api/track beacon so we can see which third-party
sites embed them. Same fields, same retention as above.
Outbound links to vendor sites under /go/<slug>
are simple HTTP 302 redirects. Some carry an affiliate or UTM
parameter that identifies os-alt as the referrer to the vendor.
They do not set any cookie on this domain. The vendor's own
privacy policy applies after the redirect.
Your rights
Wherever you are in the world, you can email hello@osalt.dev and ask us to:
- Tell you what rows we hold tied to your email.
- Delete any of them.
- Stop sending you email.
We treat this as a binding request — we don't require you to prove who you are beyond replying from the address in question. EU/UK residents have these same rights under GDPR / UK GDPR (Articles 15, 16, 17, 21). California residents have analogous rights under CCPA. We don't sell personal information to anyone.
Changes to this notice
If we change what we collect or how we use it, we'll bump the "Last updated" date at the top of this page and call out the change in the next monthly digest. The full revision history is visible on GitHub.