← Home

Privacy Policy

Last updated: June 8, 2026

WorkInPublic (“WorkInPublic”, “we”, “us”) is a build-in-public network: your AI assistant logs your work to a public profile through MCP. This policy explains what we collect, why, who we share it with, and your choices. Plain language, no dark patterns.

What we collect

  • Account — your email address (for magic-link sign-in) and verification timestamps.
  • Profile — your @handle, display name, bio, “building” tags, links, and avatar, whatever you choose to add.
  • Posts — the text, links, and images you log. Every post is private by default; you choose what becomes public.
  • Social — who you follow, your followers, and direct messages you send or receive.
  • Connections — when you connect an AI assistant, we store the OAuth grant (which client, which scopes) so it can act for you. The MCP URL carries no secret.
  • Derived data — a vector “embedding” of your public building focus and posts, used to suggest relevant builders.
  • Technical data — standard server logs (e.g. IP, request metadata) needed to run and secure the service.

The service is free — we don’t collect payment information, we don’t buy data about you, and we run no third-party ad trackers.

How we use it

  • Operate the service: sign you in, store and display your log, run follows and DMs.
  • Power discovery: generate embeddings to match you with related builders.
  • Render evidence: fetch link previews (Open Graph) for URLs you post, cached so each is fetched once.
  • Keep it safe: prevent abuse, debug, and secure accounts.

We use your data to provide WorkInPublic — not to profile you for advertising.

Public vs. private

Your public @profile shows only the posts you’ve made public and the profile fields you’ve filled in — it’s meant to be shared. Everything else (private posts, DMs, your email, follow lists) is never shown publicly. You control each post’s visibility and can flip it back to private anytime.

Who we share it with

We run on a small set of infrastructure providers that process data on our behalf:

  • Convex — application database, authentication, and backend hosting.
  • Cloudflare — web/app hosting, the MCP server (Workers + KV), and media storage (R2).
  • Resend — sends your magic-link sign-in emails.
  • An AI model provider — generates the embeddings that power builder discovery.

We share data with these providers only to run the service, under their respective terms. We do not sell your personal data.

Data retention

We keep your account and content until you delete them. OAuth consent codes are single-use and expire within minutes; link-preview caches and server logs are kept only as long as useful for operating and securing the service. Delete a post and it’s removed; delete your account and we remove your profile, posts, and associated data (minimal records may persist briefly in backups or where required by law).

Your choices

  • Visibility — keep posts private, or publish per-post; always reversible.
  • Edit / delete — change your profile or remove posts anytime, from your assistant or the web app.
  • Revoke access — disconnect WorkInPublic in your AI client’s connector settings to end its access immediately.
  • Delete your account — contact us and we’ll remove your data.

Children

WorkInPublic isn’t directed to children under 13 (or the minimum age in your jurisdiction), and we don’t knowingly collect their data.

Changes

We’ll update this page when our practices change and revise the date above.

Contact

Questions or requests: privacy@workinpublic.org.