Legal

Privacy Policy

Last updated 21 June 2026

The headline: we process only the data you explicitly send us plus minimal operational data to run the service. Command and code content sent to Check is processed in memory and discarded immediately. We never sell your data. Here is everything else, plainly.

1. What we collect, exactly

Data	Why	Where it lives	Retention
Your email address	Sign-in, license, receipts and the emails you ask for	Cloudflare KV (encrypted at rest)	Until account deletion
Single-use sign-in codes	Verifying it is really you	Cloudflare KV	Deleted on use or expires in 5 minutes
Session tokens and license keys	Keeping you signed in and metering usage	Cloudflare KV	Sessions: 30 days. Keys: until account deletion.
Credit balance, usage counts, and transaction log	Billing: deducting the per-use price, providing your transaction history	Cloudflare KV	Until account deletion
Payment records	Crediting your top-ups	Stripe. We never see or store card numbers.	Per Stripe's retention policy
IP address and user agent	Login notifications, session tracking, rate limiting, abuse prevention	Cloudflare KV (login records), Cloudflare standard server logs	Login records: until account deletion. Server logs: per Cloudflare's policy.
Device fingerprint (hashed)	Preventing duplicate accounts per device and enforcing free daily check limits	Cloudflare KV	Indefinite (hash only, not reversible to device identity)
Usage analytics (verdict, platform, OS, architecture, truncated command — first 100 characters only)	Service quality, aggregate statistics, your personal dashboard	Cloudflare KV	Last 200 events per account. Older events are dropped.

2. What we do not collect

Your source code. GOL products never request, receive, or store your source code. Check operates on individual commands and code snippets you submit, not your repository.
Full command content after processing. The full text of commands and code context sent to Check is processed in memory and discarded. Only truncated metadata (first 100 characters of the command, the verdict, and the platform) is retained for your analytics dashboard.
Advertising or cross-site tracking profiles. No advertising pixels, no cross-site tracking, no sale of data to anyone, ever.

3. Website analytics

The golproductions.com website uses Google Analytics 4 (measurement ID: G-4E865XW6LD) to understand how visitors interact with the site. Google Analytics collects anonymised data such as page views, session duration, approximate geographic location, device type, and referral source. This data is processed by Google under its own privacy policy. Google Analytics does not have access to your GOL account data, API key, or any data you send through the Check API.

If you prefer not to be tracked by Google Analytics, you can use a browser extension such as the Google Analytics Opt-out Browser Add-on or enable your browser's "Do Not Track" setting.

4. Cookies and local storage

The GOL website uses:

Google Analytics cookies (_ga, _ga_*): website analytics as described above.
Local storage: your session token is stored in your browser's local storage to keep you signed in. It is not sent to any third party.

We do not use advertising cookies or third-party tracking cookies beyond Google Analytics.

5. Services we rely on

Four providers touch slivers of your data so the product can work:

Cloudflare — hosting, Workers runtime, KV storage, and standard server logs (IP addresses for security and uptime).
Stripe — payment processing. We never see or store card numbers.
Resend — transactional email (sign-in codes, login notifications, low-balance alerts).
Google — website analytics via Google Analytics 4 (website only, not the API).

Each processes data under its own privacy policy and our instructions. Your data may be transferred to and processed in countries outside Australia by these providers. Cloudflare, Stripe, Google, and Resend each maintain standard contractual clauses and/or certifications for international data transfers.

6. Emails

We send transactional email only:

Sign-in codes (on your request).
Login notifications (when a new session is created).
Low-balance alerts and spending notifications (if you enable them in settings).
Payment-related notices.

No marketing lists unless you explicitly opt in, and anything optional will have a working unsubscribe.

7. How long we keep things

Data	Retention
Sign-in codes	Deleted on use or auto-expires in 5 minutes
Rate limit counters	Auto-expires in 60 seconds
Daily spending records	Auto-expires in 48 hours
Sessions	Up to 30 days
Usage analytics events	Rolling window of last 200 events per account
Transaction log	Rolling window of last 200 entries per account
Account records (email, keys, balance)	Until you close your account
Webhook idempotency keys	Auto-expires in 7 days

Ask us to close your account and we will delete your data, refunding unused credits as described in the Terms.

8. Your rights

Under the Australian Privacy Principles and applicable law, you have the right to:

Access the personal information we hold about you.
Correct inaccurate personal information.
Delete your account and associated personal information.
Export your transaction history and usage data from the console.
Complain to the Office of the Australian Information Commissioner if you believe we have breached the Australian Privacy Principles.

Email adam@golproductions.com for any of the above. We handle requests in line with the Australian Privacy Principles, and we will respond like humans, not like a ticket queue. We aim to respond within 14 days.

9. Children's privacy

GOL products are not directed at individuals under 18 years of age. We do not knowingly collect personal information from children. If we become aware that a user is under 18, we will delete their account and associated data.

10. Security

We take reasonable steps to protect your personal information:

Sign-in requires a single-use emailed code, with optional TOTP two-factor authentication.
API secrets are stored in Cloudflare's encrypted secret store, not in source code.
Payments are processed entirely by Stripe and card details never pass through our servers.
Command and code content is processed in memory and not persisted to storage.
Timing-safe comparison is used for all authentication token validation.
Stripe webhook signatures are verified with HMAC-SHA256 to prevent forgery.
OTP attempts are capped and codes are deleted after use or expiry.

11. Data breach notification

In the event of a data breach that is likely to result in serious harm, we will notify affected users and the Office of the Australian Information Commissioner in accordance with the Notifiable Data Breaches scheme under the Privacy Act 1988 (Cth), as promptly as practicable.

12. Changes

If this policy changes, the date at the top changes with it. Material changes will be flagged in the console or by email at least 14 days before they take effect.

13. Contact

Privacy questions, access requests, or complaints: adam@golproductions.com.