Privacy Policy
Last updated: April 1, 2026
Consepo ("we", "us", or "our") is operated by Linchpin, LLC, a Rhode Island limited-liability company. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the Consepo platform at consepo.com (the "Service").
1. Information We Collect
1.1 Account Information
When you create an account, we collect your email address, name (optional), and profile image (if you sign in via Google or GitHub OAuth). If you use email/password authentication, your password is cryptographically hashed and never stored in plain text.
1.2 Session & Device Data
When you sign in, we record your IP address and user agent (browser and operating-system information) for security and session-management purposes.
1.3 Scan & Report Data
When you initiate a Content Security Policy (CSP) scan, we store the source URL you submit, the crawl configuration you select, and the resulting CSP analysis — including discovered domains, suggested directives, and a generated CSP header. If you enable violation monitoring, we also collect and store CSP violation reports sent by browsers visiting your site. These may include the blocked URI, violated directive, document URI, source-file location, and the original policy.
1.4 Billing Information
Payment processing is handled entirely by Stripe, Inc. We never receive or store your full credit card number. We retain a Stripe customer identifier and subscription metadata (plan, status, and billing-cycle dates) to manage your account.
1.5 API Usage
If you use the Consepo API, we log the API token identifier, HTTP method, request path, and response status code for audit and rate-limiting purposes. API tokens are stored as bcrypt hashes; only a short prefix is retained for display.
1.6 Analytics
With your consent, we use PostHog for product analytics to understand how the Service is used and to improve it. Analytics data is sent to our own subdomain (obs.linchpin.com) and is not shared with third-party ad networks. You can opt out at any time via the cookie-consent banner or your browser settings.
2. Cookies & Local Storage
We use the following client-side storage:
| Item | Type | Purpose |
|---|---|---|
| Session token | HTTP-only cookie | Authentication — keeps you signed in securely |
| csp_analytics_consent | localStorage | Records your analytics opt-in/opt-out preference |
| csp:hidePromo | localStorage | Remembers that you dismissed a promotional banner |
| Last workspace | localStorage | Remembers the last workspace you viewed for navigation |
We do not use third-party advertising cookies. PostHog analytics cookies are only set if you grant consent.
3. How We Use Your Data
- Provide and operate the Service — running CSP scans, generating reports, delivering violation alerts, and managing your account.
- Process payments — managing subscriptions and invoices through Stripe.
- Send transactional emails — account verification, password resets, workspace invitations, scan-completion notifications, and violation digest emails via Resend.
- Improve the Service — analyzing usage patterns with PostHog (with your consent) to prioritize features and fix issues.
- Ensure security — detecting abuse, enforcing rate limits, and maintaining audit logs.
4. Internal Data Sharing
Consepo is part of the Linchpin family of products and services. We may share data between internal Linchpin systems for the purposes of account management, billing, analytics, and product improvement. This data is not sold or shared with unaffiliated third parties for their own marketing purposes.
5. Third-Party Service Providers
We use the following third-party services to operate Consepo. Each provider receives only the data necessary to perform its function:
- Cloudflare — hosting, edge compute, database (D1), and browser-rendering infrastructure.
- Stripe — payment processing (PCI-DSS Level 1 compliant).
- Resend — transactional email delivery.
- PostHog — product analytics (consent-gated; routed through our own domain).
- Google & GitHub — OAuth identity providers (only if you choose social sign-in).
6. Data Retention
- Scan reports are retained according to your plan: 7 days (Free), 30 days (Starter), or 90 days (Pro and above).
- CSP violation records are retained for the same period as the parent report.
- Account data is retained for the life of your account and deleted upon account deletion, subject to legal obligations.
- API usage logs are retained for 90 days.
7. Data Security
We implement industry-standard security measures including encrypted connections (TLS), hashed passwords and API tokens, HTTP-only session cookies, and Content Security Policy headers on our own application. Data is stored in Cloudflare’s globally distributed infrastructure.
8. Your Rights & Choices
Depending on your jurisdiction (including under GDPR, CCPA, and similar laws), you may have the right to:
- Access the personal data we hold about you.
- Correct inaccurate or incomplete data.
- Request deletion of your data.
- Object to or restrict certain processing.
- Export your data in a portable format.
- Withdraw consent for analytics at any time.
To exercise any of these rights, contact us at privacy@linchpin.com.
9. Children’s Privacy
The Service is not directed to individuals under 16 years of age, and we do not knowingly collect personal information from children.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy on this page and updating the "Last updated" date. Your continued use of the Service after any changes constitutes acceptance of the updated policy.
11. Contact Us
If you have questions about this Privacy Policy, please contact us at:
Linchpin, LLC
Rhode Island, United States
privacy@linchpin.com
401-305-5228