Privacy Policy
This policy explains what DesignPass.dev collects, why we collect it, and the choices you have. It covers the marketing site, the component library, public registry endpoints, and the updates newsletter.
Last updated July 17, 2026
Who we are
The controller for personal data described here is Ernest Liu (operating DesignPass.dev). DesignPass.dev is a React component library and related website operated by Ernest Liu.
For privacy questions or rights requests, contact us through ernestliu.com. We do not currently publish a dedicated privacy@ inbox; use the contact options on that site and mention DesignPass / privacy in your message.
Information you provide
We collect information you choose to give us, including:
- Newsletter email. When you subscribe, we process the email address you submit so we can send DesignPass updates. In production, delivery and list storage are handled by Beehiiv when that integration is configured. We may send a welcome email, and Beehiiv may reactivate a matching prior subscription according to its tools and our configuration.
- Recommendation choices.After some successful signups we may show a Beehiiv recommendations (Boosts) modal. Recommendation toggles may be selected by default. If you confirm (for example "Done"), your email can be shared with the other publications you leave selected. You can skip or deselect before confirming.
- Messages you send. If you contact us, we keep the content of that conversation so we can respond.
We do not ask you to create an account to browse the library today. We do not collect payment card details on this site. If a paid pro tier ships later, payment processing will be handled by a third-party processor and this policy will be updated before checkout goes live.
Information collected automatically
When you visit the site or call our public endpoints, we and our processors may collect:
- Usage and device data. Pages viewed, referrers, approximate location derived from IP, browser and device type, and similar diagnostics. After you have browsed for a while off the home page, we may show a subscribe dialog; closing or completing it is remembered in local storage (see the cookies notice).
- Google Analytics. We load Google Analytics (gtag) on the site, including typical development and preview hosts, to measure aggregate traffic.
- PostHog product analytics. On designpass.dev / www.designpass.dev (when configured), we use PostHog for product analytics such as page views, component and install interactions, newsletter outcomes, and recommendation modal events. Localhost and typical preview hosts skip PostHog. When you subscribe, we may associate your email with your PostHog person profile so signup analytics stay connected.
- Server and edge diagnostics. We may log fetches of public registry items, component source, and agent docs (for example llms.txt / ai.txt), plus error diagnostics, using hashed anonymous identifiers rather than raw IP as an event property.
- IP addresses for abuse control. Several endpoints (including newsletter subscribe, component source, and cache revalidation) may use your IP in a short-lived in-memory rate limit. We do not send raw client IPs to analytics as event properties.
- Campaign attribution. If you arrive with UTM parameters, we may store those values in session storage and attach them to a signup (and related analytics) so we can see which campaigns work. We may also record an external referring site host with a signup.
Details about cookies and similar technologies are in our Cookie Policy.
How we use information
- Operate, secure, and improve the site, docs, demos, and registry
- Send the newsletter and related product updates you asked for
- Measure which pages, components, and signup paths are useful
- Prevent spam, abuse, and automated misuse of our APIs
- Respond to questions and legal requests when required
We do not sell your personal information for money. We also do not share personal information for cross-context behavioral advertising as those terms are commonly used under California law. Beehiiv recommendations you affirmatively confirm are a separate sharing choice you control in that modal.
Legal bases (EEA/UK)
If the GDPR or UK GDPR applies, we typically rely on: (a) legitimate interests to operate and secure the site, measure product usage, and improve the library; (b) consent or your request for newsletter email and for any recommendation sharing you confirm; and (c) legal obligation when we must retain or disclose information. You may withdraw marketing consent by unsubscribing.
Third-party services
We rely on vendors to run the product. They process data to provide their service:
- Vercel for hosting, edge infrastructure, and related platform logs
- Beehiiv for newsletter subscriptions, issue delivery, welcome email, and (when shown) post-subscribe recommendations / Boosts
- PostHog for product analytics on the production site
- Google Analytics for web analytics
- Google Fonts / font CDNs when a page loads a hosted font (for example Geist via Next.js font loading, or a component that fetches a Google Font). The font provider may receive your IP and user agent as part of the request.
Each vendor has its own privacy policy. Newsletter unsubscribe and suppression are handled through Beehiiv's tools (usually the unsubscribe link in an issue).
Consent and controls
We do not currently show a cookie consent banner. Analytics and related scripts may load on first visit as described in the Cookie Policy. You can block or clear cookies and site data in your browser, use content blockers, or unsubscribe from email. We do not currently change script loading based on browser "Do Not Track" or Global Privacy Control signals.
Retention
Newsletter emails are kept while the subscription is active, and afterward as needed for suppression lists or legal compliance. Analytics data is retained according to each vendor's settings and our operational needs. In-memory rate-limit and local-dev subscriber stores reset when the server process restarts. Contact us if you want us to delete or correct personal data we control.
Your rights
Depending on where you live, you may have rights to access, correct, delete, or export personal data, to object to or restrict certain processing, and to lodge a complaint with a supervisory authority. California residents may have additional rights under the CCPA / CPRA regarding access, deletion, and opt-out of certain sharing. You can unsubscribe from marketing email at any time via the link in those messages.
To exercise other rights, contact us through ernestliu.com and describe the request. We may need enough information to verify you control the email or other data at issue.
International transfers
We and our vendors may process data in the United States and other countries. By using the site or subscribing, you understand that your information may be transferred to jurisdictions with different data-protection rules than your own.
Children
The site is not directed at children under 16, and we do not knowingly collect personal information from them. Do not subscribe with an email if you are under 16. If you believe a child has provided information, contact us and we will delete it.
Security
We use HTTPS and standard hosting controls. No method of transmission or storage is completely secure. You are responsible for securing systems where you install registry code. Security researchers can find reporting guidance at /.well-known/security.txt.
AI systems and public files
We publish machine-readable guidance for AI systems at /ai.txt. That file states preferences about training, retrieval, and attribution. It does not change this Privacy Policy. See the human-readable AI usage policy for how those preferences relate to the library.
Changes
We may update this policy as the product changes. The "Last updated" date at the top will change when we do. Material changes may also be called out on the site or in the newsletter when practical. Continued use of the site after an update means you accept the revised policy, except where applicable law requires a different standard for a specific change.