oM noM// // scan: privacy

Privacy

Plain-English summary of what data the hosted version of oM noM Security Feeds (omnomfeeds.com) collects, why, and where it goes. Last updated 2026-05-20.
2026-05-20
last updated
1
cookie set
6
sub-processors
0
analytics sdks

oM noM Security Feeds is a side project run by a single developer. The hosted version exists so people who don't want to run the open-source binary themselves can read the same feed without setting anything up. The product is intentionally small and the data handling reflects that.

01
// what is collected

Account data. When you sign in with Google, the deployment stores your Google account's email, display name, and Google subject ID. When you sign in via magic link, it stores the email you entered. That's the entire user identity.

Session data. A random 32-byte session token is hashed with SHA-256 and stored server-side; the unhashed value sits in an HttpOnly cookie on your browser. The session row also stores your user agent string (so you can see which device a session belongs to) and an SHA-256 hash of the IP that issued it (used only as a rate-limit fingerprint, never logged in plaintext).

Preferences. Settings you set in the app (theme toggles, refresh interval, bookmarks, watched Bluesky handles you added on top of the curated list) are stored against your account so they sync across devices.

Billing data. If you subscribe to Pro, your Stripe customer ID and subscription ID get linked to your account row so renewals extend access. Payment-card data never touches this server - Stripe handles the entire checkout.

Aggregated reading patterns. Which articles you marked read is stored so the "unread only" filter works across devices. No clickstream tracking, no analytics pixel, no advertising profile.

02
// what is not collected
aNo analytics SDK, no Google Analytics, no Meta Pixel, no Mixpanel, no Hotjar.none
bNo third-party advertising trackers. The site shows no ads.none
cNo fingerprinting. Browser type is read only from the User-Agent string the browser already sends.none
dNo IP address logging in plaintext. IPs are SHA-256 hashed before storage and used for rate limits plus aggregate abuse / bot detection in an admin-only dashboard (only the 12-hex-char hash prefix is ever displayed).hashed
eCountry-level geolocation (ISO 3166 two-letter code, e.g. "US", "AU") is stored alongside each event when the request arrives through Cloudflare's edge. No city, no region, no IP-to-geo lookup at the origin. The country is shown in aggregate ("X% of last week's events came from Y") on the admin dashboard, never per-user.country only
fNo tracking pixels in the magic-link email.none
03
// where data is stored

A single SQLite database on a DigitalOcean droplet in NYC1. The file is owned by the service user, mode 600. Daily backups land on the same droplet's local filesystem with the same permissions. No third-party database. No replication to other regions. No data sold or shared.

04
// third parties (sub-processors)
Google
OAuth sign-in. Only when you choose to sign in with Google. Google's privacy policy.
Resend
Sends the magic-link email when you use email-based sign-in. Resend's privacy policy.
Stripe
Handles all payment processing for Pro subscriptions. Stripe's privacy policy.
Anthropic
Used to generate the optional managed AI daily brief. Only the article titles and short summaries you've already seen in your feed are sent. No personal data is sent. Anthropic's privacy policy.
DigitalOcean
Hosts the server. DigitalOcean's privacy policy.
Cloudflare
DNS for omnomfeeds.com.
05
// data sources fetched on your behalf

The feed is built by pulling public posts from RSS, Bluesky, Mastodon, Reddit (via RSS), and GitHub Security Advisories. Those upstream sources see the server's IP when it polls them. They do not see anything tied to you personally.

06
// your rights

You can:

See your data
Email a request to [email protected] and you'll get a JSON dump of your account row, settings, bookmarks, read marks, and Stripe linkage.
Delete your account
Email a deletion request and the row plus all dependent data is hard-deleted via DELETE FROM users WHERE id = ?. Foreign keys cascade so sessions, settings, bookmarks, read state, watched accounts, and subscription linkage all go with it. Stripe subscriptions are cancelled at the same time. Backups roll out within 14 days.
Export bookmarks
Export your bookmarks + watched accounts. Same email; you'll get a JSON file.
account deletion
# hard delete, foreign keys cascade > DELETE FROM users WHERE id = ?;
07
// cookies

One cookie: the session token (omnom_session). HttpOnly, Secure, SameSite=Lax, 30-day expiry. No third-party cookies are set by this site.

set-cookie
> omnom_session=<token>; HttpOnly; Secure; SameSite=Lax; Max-Age=2592000
08
// self-hosted installs

This page describes the hosted deployment at omnomfeeds.com only. If you run the open-source binary on your own machine, no data leaves your machine except what you explicitly configure (BYOK AI key calls to the model vendor, polling upstream feeds, etc.).

09
// changes

Material changes to this page will be announced in the GitHub repo's release notes and posted at omnomfeeds.com. The "Last updated" date at the top is authoritative.

10
// contact

Questions, deletion requests, anything else - [email protected]. Single dev, side project, plain inbox.

oM noM Security FeedsยทMIT licensed hometermspre-kevgithub