Privacy

Privacy Policy

Effective May 1, 2026

artifact-host is a static-site deploy service operated by Champlin Enterprises, LLC (“we,” “us,” or “Champlin Enterprises”). This policy explains what we collect, why, how long we keep it, and your rights.

The short version. We collect the bare minimum needed to run the service: your email (so we can send your API key), the files you deploy, and standard server access logs. We don’t sell your data. We don’t use ad trackers. There are no third-party analytics scripts on this site.

1. What we collect

Account information

Email address — provided when you call signup. Used to send your API key, magic-link sign-in tokens, and important service notices.
API key — generated server-side and shown to you once. Stored as a hash. Used to authenticate your tool calls.

Content you deploy

Files in your deployments — HTML, CSS, JS, images, and any other static assets you upload via deploy_site or update_site. We store these so we can serve them at your subdomain.
Site metadata — subdomain name, custom domain (if any), deploy timestamps, file count and total size.

Server access logs

Like nearly every web server, ours records standard request information for traffic to your sites and to our API:

IP address, user agent, referrer, request path, status code, response size, timestamp.

We use these logs to render your dashboard analytics (page views, top pages, top referrers) and to debug abuse or service issues. Logs are retained for 30 days, then rotated.

Opt-in tracking pixel

If you embed our 1×1 pixel (<img src="/p/your-site.gif">) on a deployed page, we count the request to estimate page views beyond what server logs cover (e.g., bot-filtered views). The pixel sets no cookies, runs no JavaScript, and stores only a per-site counter. You can remove it at any time by editing your site.

Cookies

We set a single first-party session cookie when you sign in to the dashboard. We do not set advertising cookies, do not use Google Analytics, and do not embed third-party trackers on this marketing site.

2. How we use the information

To create and operate your account.
To deliver the deploy service: store your files, serve them at your subdomain, route custom domains, generate analytics.
To send transactional email (welcome, magic-link sign-in, security notices). We do not send marketing email.
To detect and prevent abuse, fraud, and security incidents.
To comply with legal obligations.

3. Sub-processors

We share data only with vendors that help us run the service. We do not sell your data.

Mailgun — transactional email delivery (welcome, magic-link, account notices). Mailgun receives your email address and message contents.
Hosting infrastructure — our servers run on infrastructure managed by Champlin Enterprises on a Plesk-managed VPS. Files and database records are stored at rest on those servers.

4. How long we keep things

Account & sites — until you delete them or close your account.
Server access logs — 30 days, then rotated.
Pixel hit counters — aggregate counts retained until you delete the site.
Backups — encrypted backups may persist for up to 30 days after deletion.

5. Your rights

You can:

Access your data — the dashboard shows your sites, deploys, and analytics. Email us for anything else.
Delete a site at any time with delete_site or via the dashboard. The files are removed within minutes.
Close your account — email kevin@kevinchamplin.com from the address on file. We delete your account and sites within 7 days; backups expire within 30.
Request a copy of the data we hold about you — we’ll send it within 30 days.
Correct inaccurate data — reply to any service email.

If you are in the EU, UK, or California, you have additional rights under GDPR, UK GDPR, and the CCPA/CPRA. Contact us using the email above to exercise them.

6. Security

Connections to the API and the dashboard use TLS. API keys are stored hashed. We deploy rate limits on signup, magic-link, deploy, and API endpoints. We do not guarantee perfect security — no service can — but we treat security incidents seriously and will notify affected users without undue delay if a breach occurs.

7. Children

artifact-host is not directed at children under 13 and we do not knowingly collect personal information from them. If you believe a child has provided us information, contact us and we will delete it.

8. International users

Our servers are located in the United States. If you use the service from outside the US, you consent to your data being transferred to and processed in the US.

9. Changes to this policy

We’ll post any material changes here with an updated effective date. Significant changes that affect how we use your data will be announced via email to active accounts before they take effect.

10. Contact

Questions, requests, or concerns about this policy:

Champlin Enterprises, LLC
Attn: artifact-host privacy
Email: kevin@kevinchamplin.com