APM
Sign in

>Legal

Privacy Policy

Effective: March 17, 2026

1. Who We Are

APM (Agent Package Manager) is operated by Orthogonal (“we”, “us”, “our”). This policy describes how we collect, use, and protect information when you use the APM registry, website, CLI, and APIs (collectively, the “Service”).

2. What We Collect

Account information

When you create a publisher account via GitHub OAuth, we receive and store your GitHub user ID, username, display name, email address, and avatar URL. We do not receive or store your GitHub password.

Package data

When you publish a package, we store the SKILL.md content, frontmatter metadata, and source repository information. For indexed packages, we store the same data as retrieved from public GitHub repositories.

Usage data

We collect aggregate, anonymized usage data including page views, search queries, package download counts, and API request volumes. We collect IP addresses for rate limiting and abuse prevention; these are not linked to accounts or stored long-term.

CLI telemetry

The APM CLI does not collect telemetry. It makes API requests to the registry to perform package operations. The registry logs these requests as described above.

3. What We Do Not Collect

  • We do not use third-party advertising trackers
  • We do not sell, rent, or trade your personal information
  • We do not use tracking cookies beyond functional session cookies
  • We do not collect the content of your private repositories
  • We do not monitor which skills you install locally

4. How We Use Your Information

  • Authentication — to verify your identity and manage your publisher account
  • Service operation — to host, display, and distribute packages you publish
  • Abuse prevention — to enforce rate limits and detect automated abuse
  • Aggregate analytics — to understand how the Service is used and improve it
  • Communication — to notify you about your account, scope ownership, or policy changes

5. Public Data

The following data is public by design and visible to anyone:

  • Package names, descriptions, and metadata
  • SKILL.md content
  • Publisher usernames and scope names
  • Source repository URLs
  • Download counts and other aggregate metrics

This is inherent to how a public package registry works. Do not publish information you wish to keep private.

6. Third-Party Services

We use the following third-party services to operate APM:

ServicePurposeData shared
VercelHosting, edge networkRequest logs, IP addresses
NeonPostgreSQL databaseAll registry data
GitHubOAuth, code search, source fetchingOAuth tokens, public repo data

Each service has its own privacy policy. We select providers that maintain appropriate security practices.

7. Data Retention

Account data: Retained while your account is active. If you delete your account, we remove your personal information within 30 days. Published packages may remain in the registry unless you explicitly unpublish them before deleting your account.

Indexed packages: Proxy-indexed packages are retained until the source repository removes the SKILL.md file, the repo becomes private, or the owner opts out via .apm-exclude.

Access logs: IP addresses in access logs are retained for up to 30 days for abuse prevention, then deleted.

8. Your Rights

You have the right to:

  • Access — request a copy of the personal data we hold about you
  • Correction — request correction of inaccurate data
  • Deletion — request deletion of your account and personal data
  • Export — request an export of your data in a machine-readable format
  • Opt out — opt out of proxy indexing via .apm-exclude

To exercise these rights, contact us at hello@orthg.nl. We will respond within 30 days.

9. Security

We implement appropriate technical and organizational measures to protect your data, including encryption in transit (HTTPS/TLS), encrypted database connections, and access controls on our infrastructure. No system is perfectly secure — if you discover a vulnerability, please report it to hello@orthg.nl.

10. Children

The Service is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, contact us and we will delete it.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page with a new effective date. Your continued use of the Service after changes constitutes acceptance.

12. Contact

Questions about this Privacy Policy? Contact us at hello@orthg.nl.

Privacy Policy — APM