What we collect, where it goes.

Browsing. Pages you visit, search queries you type, and clicks are recorded as aggregate analytics by Fathom via a small script in our pages. Fathom does not use cookies and does not track you across other sites. We use it to see traffic shape, not to identify individuals.

Natural-language search. When you type a query into /find (or your AI agent calls our MCP vibehunt_search tool), the query text is sent to OpenRouter so that a model can embed it (Google Gemini Embedding) and rank candidates (Google Gemini Flash Lite). OpenRouter and Google process the query under their own privacy policies. We cache the ranked result keyed by the normalized query for ~10 minutes to avoid duplicate calls. We never store the query against any user identifier.

Stars. When you tap ★ on a capability, your device generates a passkey (WebAuthn) and signs a star locally. The public key derives a did:key: identifier that travels with the star. We store the cap ID and the did:key on our server so the star follows you across devices. We never see your private key, email, or any biometric — those stay on your device. There is no way to map a did:key back to a real-world identity.

Submitted manifests. When a maintainer submits a Capability manifest URL, our server fetches the JSON from their domain (HTTPS only, ≤256 KB), validates it, runs did:web verification, and adds it to the registry. The manifest is public by design — it's how discovery works.

Embedding enrichment. For semantic search to work well, we fetch each cap's GitHub README (when applicable) and a cleaned HTML extract of its homepage, then embed that text via OpenRouter / Google Gemini. We send only public content to the embedding API. The cached extract is kept for 7 days at most before refresh.

Submissions log. Every successful submission appends one row to a public audit log with the manifest URL, a one-line note, and the date. This file ships with the registry source so anyone can see what was indexed and when.

No accounts, no email, no SMS, no profile fields.

No advertising network, no tracking pixels beyond the one Blipstat script.

No selling data. We have nothing to sell — there are no user identities tied to anything we collect.

No fingerprinting beyond what your browser sends in normal HTTP requests.