Privacy Policy

Last updated: Jun 24, 2025

1. Introduction

Welcome to NEB Starter ("we," "our," or "us"). NEB Starter is an open-source starter kit and demonstration application that showcases modern web and mobile development practices. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our demonstration website at neb-starter.vercel.app and use our example mobile application.

NEB Starter is provided as an educational and development tool. This demonstration application allows developers to test authentication features and explore the codebase.

2. Information We Collect

2.1 Information from Google OAuth

When you sign in with Google, we collect the following information from your Google account:

  • Basic profile information: Your name, email address, and profile picture
  • Email address: Used for account identification and communication
  • Google user ID: Used to link your account across sessions

We only request the minimum necessary permissions: openid, profile, and email scopes from Google's OAuth API.

2.2 Information from GitHub OAuth

When you sign in with GitHub, we collect:

  • Public profile information: Your username, display name, and avatar
  • Email address: Your primary email address associated with your GitHub account
  • GitHub user ID: Used for account identification

2.3 Information from Apple Sign-In

When you sign in with Apple (mobile app only), we may collect:

  • Name: If you choose to share it
  • Email address: Either your real email or Apple's private relay email
  • Apple user identifier: A unique identifier for your Apple ID

2.4 Authentication and Session Data

To maintain your signed-in state, we store:

  • Session tokens and authentication credentials
  • Account linking information to connect social accounts
  • User role information (user or admin)
  • Login timestamps and session duration

2.5 Device and Usage Information

We automatically collect certain technical information:

  • Device type, browser type, and operating system
  • IP address and general geographic location
  • Pages visited and features used within the application
  • Error logs and performance metrics

2.6 Biometric Data (Mobile App)

Our mobile app supports passkey authentication using your device's biometric features (Face ID, Touch ID, fingerprint). This biometric data is processed and stored locally on your device only - we never have access to your actual biometric information.

3. How We Use Your Information

We use the collected information for the following purposes:

  • Authentication: To verify your identity and maintain your signed-in state
  • Account Management: To create and manage your user account and preferences
  • Demonstration: To showcase the features and capabilities of the NEB Starter Kit
  • Security: To protect against unauthorized access and ensure application security
  • Improvement: To understand how the demonstration is used and identify areas for improvement
  • Communication: To send important updates about the service (if necessary)
  • Compliance: To comply with legal obligations and respond to lawful requests

4. How We Share Your Information

We do not sell, trade, or rent your personal information. We may share your information only in these limited circumstances:

4.1 Service Providers

We share information with trusted third-party services that help us operate the demonstration:

  • Vercel: Web hosting and deployment platform
  • Neon: PostgreSQL database hosting
  • Google, GitHub, Apple: Authentication providers

4.2 Legal Requirements

We may disclose your information if required by law or to protect our rights and the safety of our users.

4.3 Open Source Nature

While your personal data remains private, please note that NEB Starter is an open-source project. The code and configuration (without personal data) are publicly available on GitHub.

5. Data Security

We implement industry-standard security measures to protect your information:

  • Encryption: All data is encrypted in transit using HTTPS/TLS
  • Database Security: Data at rest is encrypted in our PostgreSQL database
  • Authentication Security: We use Better Auth, a security-focused authentication library
  • Access Controls: Strict access controls limit who can access your data
  • Regular Updates: We keep all systems and dependencies updated with security patches

6. Data Retention

We retain your information for the following periods:

  • Account Data: Retained while your account is active
  • Session Data: Automatically expires after 7 days of inactivity
  • Cache Data: Automatically expires within 5 minutes to 1 hour
  • Authentication Tokens: Expire based on provider settings (typically 1-24 hours)

When you delete your account or request data deletion, we will remove your personal information within 30 days, except where we are required to retain it by law.

7. Your Rights and Choices

You have the following rights regarding your personal information:

  • Access: Request a copy of your personal information
  • Correction: Update inaccurate information through your profile settings
  • Deletion: Request deletion of your account and associated data
  • Portability: Request your data in a machine-readable format
  • Withdrawal: Disconnect social accounts or revoke OAuth permissions

To exercise these rights, you can use the account settings in the application or contact us directly.

8. Google OAuth Compliance

Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

We specifically:

  • Only request the minimum necessary scopes (openid, profile, email)
  • Use Google user data only for providing our authentication service
  • Do not share Google user data with third parties except as disclosed in this policy
  • Do not use Google user data for advertising or similar commercial purposes
  • Provide users with a way to revoke access to their Google data

9. Cookies and Local Storage

We use cookies and local storage for:

  • Authentication: Maintaining your signed-in state
  • Preferences: Remembering your theme and language settings
  • Security: Preventing cross-site request forgery (CSRF) attacks
  • Performance: Caching data for faster loading times

Most cookies are essential for the application to function properly. You can manage cookie preferences through your browser settings.

10. Children's Privacy

NEB Starter is not intended for use by children under 13 years of age. We do not knowingly collect personal information from children under 13. If we learn that we have collected information from a child under 13, we will delete it promptly.

11. International Users

NEB Starter is hosted in the United States. If you are accessing the service from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States where our servers are located.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Last updated" date. Changes become effective immediately upon posting.

13. Contact Us

If you have any questions about this Privacy Policy or our privacy practices, please contact us:

We will respond to privacy-related inquiries within 30 days.

14. Open Source Information

NEB Starter is an open-source project distributed under the MIT License. While the source code is publicly available, this does not affect the privacy of your personal data, which remains protected under this Privacy Policy.

Developers using NEB Starter to build their own applications are responsible for implementing their own privacy policies and ensuring compliance with applicable privacy laws.

This privacy policy applies to the NEB Starter demonstration application and is effective as of the date listed above.