Privacy Policy
We believe in privacy by design. Here's exactly how we handle your data.
Last updated: April 2026
About Us
Little Bear Apps is an Australian-based software company operating globally online. We build privacy-focused developer tools, MCP servers, and browser extensions. You can reach us at hello@littlebearapps.com.
Our Philosophy
We believe your data is yours. Our tools are designed to run locally where possible, we use privacy-respecting analytics, and we're transparent about everything we collect. Most of our work is open source so you can verify our claims.
Your Choices (Consent System)
When you first visit our website, you'll see a consent banner with two options:
- Accept — We load Plausible Analytics (cookieless, privacy-focused)
- Reject — No analytics are loaded at all
By default, we load Plausible Analytics because it's genuinely privacy-respecting: no cookies, no personal data, no cross-site tracking. You can reject at any time using the consent banner. Your choice is saved for 6 months.
Privacy Signals (GPC/DNT)
We automatically honour your browser's privacy signals:
- Global Privacy Control (GPC) — If enabled, we disable all analytics automatically
- Do Not Track (DNT) — Same as GPC, we respect this legacy signal
When we detect these signals, you'll see a green notice confirming analytics are disabled. No banner will appear because we've already honoured your preference.
What We Collect
Website Analytics (with consent)
If you accept analytics, we use Plausible Analytics, a privacy-focused, EU-based analytics service. Plausible collects:
- Page views and referrer sources
- Device type and browser (general categories only)
- Country-level location (from anonymised IP, which is never stored)
- Session duration
Plausible does not use cookies, does not collect personal data, and cannot track you across websites. All data is aggregated and anonymised. See Plausible's Privacy Policy.
Contact Form
If you use our contact form, you provide your name, email, and message. This is used solely to respond to your enquiry. Your message is sent via Resend (our email delivery provider) directly to our inbox — we don't store submissions in a database.
The form uses Cloudflare Turnstile to verify you're a real person (no CAPTCHAs, no tracking cookies). You'll also receive a confirmation email acknowledging your message. We won't add you to marketing lists without explicit consent.
Theme Preference
We store your light/dark mode preference in your browser's localStorage. This never leaves your device and is not sent to any server.
Third-Party Services
We use the following services to operate this website:
| Service | Purpose | Privacy Policy |
|---|---|---|
| Cloudflare Pages | Website hosting, CDN, security, bot verification (Turnstile) | Link |
| Resend | Transactional email delivery (contact form) | Link |
| Plausible Analytics | Privacy-focused analytics (with consent) | Link |
| GitHub | Open source hosting, discussions | Link |
| Gravatar | Author profile images on blog | Link |
| YouTube Data API | Content analysis via internal developer tools | Link |
| PyPI | Python package distribution | Link |
Third-Party API Data
Our tools fall into two categories when dealing with third-party APIs:
Tools that run on your machine (Outlook Assistant, etc.)
These tools authenticate against a third-party API (for example, Microsoft Graph) using OAuth, directly from your machine. When you use them:
- You grant consent explicitly through the provider's own consent flow — we cannot request permissions you haven't approved
- OAuth tokens are stored locally on your machine (for example, Outlook Assistant stores them at ~/.outlook-assistant-tokens.json)
- Your mail, calendar, contacts, and other API responses are returned directly to your machine and never pass through Little Bear Apps infrastructure
- You can revoke access at any time via the provider's account permissions page (for Microsoft, visit myapps.microsoft.com → the app → Remove; or for personal Microsoft accounts, account.live.com/consent/Manage)
- Our use of Microsoft Graph data complies with the Microsoft APIs Terms of Use and is limited to the scopes you consent to
Internal developer tools that access Google APIs
Some of our own internal tools access Google APIs (including the YouTube Data API) for analysis and development purposes. These are not distributed to end users. When authenticated via OAuth:
- We access only the data explicitly authorised during the consent flow
- Data is stored securely on Cloudflare infrastructure (encrypted at rest)
- Data is used solely for internal analysis and is not shared with third parties
- YouTube API data is retained in accordance with YouTube's Terms of Service
- Users can revoke access at any time via Google Account Permissions
- To request data deletion, contact privacy@littlebearapps.com
Our use of Google API data adheres to the Google API Services User Data Policy, including the Limited Use requirements.
Our Developer Tools
Our developer tools (Outlook Assistant, PitchDocs, etc.) are designed to run locally on your machine. Across the whole suite, we commit to the following:
- No telemetry or usage data sent to Little Bear Apps servers
- No accounts or registration with Little Bear Apps required
- No phoning home for updates unless you explicitly enable it
- No access to the internet unless the tool's primary function requires it (for example, an email or calendar assistant necessarily talks to the email or calendar provider's API)
- When a tool does call an external API on your behalf, it does so directly from your machine — your data, credentials, and OAuth tokens never transit Little Bear Apps infrastructure
Many of our tools are open source — you can review the code on GitHub to verify these claims.
Outlook Assistant specifics
Outlook Assistant is an open-source MCP (Model Context Protocol) server that connects your AI assistant to your Microsoft Outlook account via the Microsoft Graph API. Because it runs entirely on your machine, the privacy story is straightforward:
- What data it accesses — Only the scopes you consent to during sign-in. The shared Little Bear Apps app requests read-only scopes (Mail.Read, Calendars.Read, Contacts.Read, People.Read, MailboxSettings.Read). If you configure your own Azure app ("BYO mode"), you choose which scopes to grant.
- Where data goes — Nowhere except your machine and, at your direction, your AI assistant's context. Little Bear Apps servers never see your mail, calendar, or contacts.
- Where tokens live — OAuth access and refresh tokens are stored locally at ~/.outlook-assistant-tokens.json with file permissions restricting access to your user account. They are never transmitted to Little Bear Apps.
- Source code — Fully open source on GitHub. You can verify every API call.
- Revoking access — For personal Microsoft accounts, visit account.live.com/consent/Manage. For work or school accounts, visit myapps.microsoft.com, find "Outlook Assistant", and remove it. Revoking in Microsoft invalidates the tokens immediately; delete the local ~/.outlook-assistant-tokens.json file to clean up on your machine.
- Children's use — Outlook Assistant is not intended for users under 13.
Cookies & Local Storage
We use minimal browser storage:
- localStorage — Consent choice (6 months), theme preference
- sessionStorage — Tracks if GPC notice was shown this session
- Cookies — Only essential Cloudflare security cookies (not set by us)
We do not use any tracking cookies or advertising cookies.
Your Rights
Under the Australian Privacy Act and GDPR (if you're in the EU), you have rights including:
- Access — Request a copy of data we hold about you
- Correction — Request correction of inaccurate data
- Deletion — Request deletion of your data
- Objection — Object to processing (covered by our consent system)
Since we collect minimal data (aggregated analytics only), most of these rights are satisfied by design. For any requests, email privacy@littlebearapps.com.
Australian residents can also lodge complaints with the Office of the Australian Information Commissioner (OAIC).
International Data Transfers
Our services use infrastructure in multiple countries:
- Cloudflare — Global CDN, data processed in nearest edge location
- Plausible — EU-based (Germany)
- Resend — United States (contact form emails)
- GitHub — United States
- Gravatar — United States
All services have appropriate data protection measures. Plausible specifically is EU-based and GDPR-compliant by design.
Children's Privacy
Our services are not directed at children under 13. We do not knowingly collect personal information from children.
Changes to This Policy
We may update this policy as our practices evolve. Significant changes will be noted with an updated date at the top. For material changes, we may provide additional notice.
Contact
Questions about this policy? Email us at privacy@littlebearapps.com.
This policy is written in plain language because legal jargon doesn't help anyone. If anything is unclear, please ask.