Privacy, in plain English.

Last updated 14 May 2026 · Version 2

What we collect when you join the waitlist

Your email. Required. Used to email you once when we launch, then for occasional updates if you opted in.
What you're building (optional). Free-text. Used to prioritise outreach and shape the product.
The page you signed up from (e.g. /, /pricing) and the referring URL if your browser sent it. Used to know which channel works.
A hash of your IP address. We never store your raw IP. We compute HMAC-SHA256(IP, secret) and keep only the first 64 bits. Used for rate-limiting abusive signup floods, nothing else.
Your User-Agent string (truncated to 300 chars). Used only to spot obvious bot signatures.

What we don't collect

No cookies. No tracking pixels. No third-party analytics on this site at the time of writing.
No raw IP, no geolocation, no device fingerprint.
No data brokers. We don't sell or share any of this with anyone.

Where it lives

Your data sits in a single Postgres database hosted by Supabase (US-East region). Confirmation emails are sent via Resend. Optional bot-check tokens are verified by Cloudflare Turnstile. The site itself runs on Vercel.

How long we keep it

Until you ask us to delete it, or for at most 24 months from your last interaction — whichever comes first. If we shut the project down, we delete everything within 30 days.

Unsubscribe and delete

Unsubscribe from emails: every email we send has an unsubscribe link at the bottom. One click.
Full deletion (right to erasure): same link with ?erase=1 at the end, or just reply to any email saying "delete me" and we'll handle it within 7 days.
What you got (right to access): reply to any email asking and we'll send your row as JSON within 30 days.

Security

The waitlist table is locked down at the database level (Row Level Security with default-deny policies). Only the server-side API can write to it. The site is HTTPS-only with HSTS preload, strict Content-Security-Policy, and a single-purpose API rate-limited by IP hash. The optional bot-check (Cloudflare Turnstile) is on the same-domain frame; if it's unreachable we accept the signup rather than locking out real users.

Static hosting and serverless API both run on Vercel. We do not currently front the site with Cloudflare — your raw IP reaches our edge function, where we immediately HMAC it and forget the original. The hash, not the IP, is what we persist.

Who's behind this

UsageWall is built by Baku (Pablo, in Santiago, Chile). For privacy questions, email hello@agenciabaku.com (we'll switch to a dedicated privacy@usagewall.dev address once we own the domain) or reply to any of our emails.

Changes to this policy

If we change anything material, we'll update the version at the top of this page and email everyone on the list before it takes effect.

← Back to usagewall.dev