Behind the Scenes

How Little Bear Apps handles privacy, security, and data. No legalese, just plain explanations.

The Quick Version

TL;DR for people who won't read the whole page:

  • No tracking beyond Plausible Analytics (privacy-focused, no cookies)
  • All tools run locally — data stays on your machine
  • Every public repo has security scanning, test coverage, CI checks
  • Open source under MIT license
  • Cookie consent gives real choices — reject is just as visible as accept

Why Bother?

After 13 years working in tech companies, I've watched privacy and security treated as afterthoughts more times than I can count. Legal checkboxes. Marketing spin. "We take your privacy seriously" followed by 47 trackers.

Little Bear Apps is a one-person operation. There's no legal team forcing compliance. No investors demanding growth metrics. No pressure to extract data for monetisation.

"I do it because it's the right way to build software, and because I use these tools myself."

This page isn't checkbox compliance. It's values — written down so you can hold me to them.

Security & Code Quality

Every public repository has the following tooling in place. You can verify each one yourself via the README badges in any public repository.

Tool             Purpose                                  Verify
GitHub Actions   CI runs on every push, tests must pass   View .github/workflows/
Codecov          Test coverage tracking                   codecov.io
Socket.dev       Supply chain and dependency security     socket.dev
CodeQL           Static analysis for vulnerabilities      GitHub Security tab

Analytics

This site uses Plausible Analytics, not Google Analytics. Here's the difference:

What Plausible collects

  • Page views
  • Referrer (where you came from)
  • Country (not city, not IP)
  • Device type and browser (aggregated)

What Plausible doesn't do

  • No cookies
  • No cross-site tracking
  • No personal data collection
  • No selling data to advertisers

Plausible is EU-hosted, GDPR compliant by design, and the script is ~1KB (compared to ~45KB for Google Analytics).

"I can see page views and referrers. I can't see who you are, and I don't want to."

Plausible website · Plausible data policy

The Badge System

Every tool on this site has badges indicating its maturity and privacy status. These aren't marketing claims — they're commitments.

Maturity Badges

QA Tested

Tested before release. Works for intended purpose. May have bugs or rough edges.

How it's earned: Baseline for any public release.

Personal Use Proven

Running in my own workflows for 6-12+ months. Core functionality is stable.

How it's earned: Time-based, demonstrated stability.

Community Validated

Real users beyond me. Bugs surfaced and addressed. Features added from community feedback.

How it's earned: Through actual community use.

Privacy Badges

Fully Local

No data leaves your machine. LBA sees nothing.

What it implies: Third parties (registries, GitHub) see only download stats and repo activity.

Anonymous Analytics

Some anonymised data is collected, and the tool specifies exactly what. No PII.

What it implies: Purpose disclosed, collection minimised.

Account Required

Requires account or cloud features.

What it implies: What's stored, why, and where is fully disclosed.

Per-Tool Breakdown

Specific, concrete details of what each tool accesses, stores, and sends.

Outlook MCP

Reads

Your Outlook mailbox via Microsoft Graph API (delegated permissions):

  • Email, calendar, contacts, and settings you explicitly grant access to

Stores

  • OAuth tokens: ~/.outlook-mcp-tokens.json

Sends

Queries to Microsoft Graph API (graph.microsoft.com). No Little Bear Apps servers involved.

PitchDocs

Reads

Your local codebase and existing documentation files.

Stores

Generated files written to your repo directory.

Sends

Nothing. Pure markdown plugin with no external requests.

Third-Party Services

Every external service the site or tools interact with. No hidden third parties.

Service            Purpose                         What they see                             Privacy policy
Cloudflare Pages   Site hosting                    Standard server logs                      View
Plausible          Analytics                       Page views, referrers, country (no PII)   View
GitHub             Code hosting, repos             Repo activity, issues, PRs                View
npm                Package hosting (Outlook MCP)   Download counts                           View

What I Can't Control

Being transparent means admitting limits. Here's what's outside my control:

  • If you install from npm or PyPI, those registries log download statistics.
  • If you open a GitHub issue, GitHub has that data.
  • If you email, that goes through standard email infrastructure.
  • If you visit this site, Cloudflare sees standard server logs.

"I can't change how third parties work. But I can be upfront about it."

What I Won't Do

Explicit commitments. Things Little Bear Apps will never do:

  • Sell data (there's nothing to sell)
  • Add tracking pixels or ad networks
  • Gate basic functionality behind accounts
  • Use dark patterns in consent flows
  • Pretend "privacy-first" while doing shady stuff in the background
  • Share data with third parties for marketing
  • Use your email for anything other than what you signed up for

Open Source

All tools are released under the MIT License. What that means:

  • Use it for anything, including commercial projects
  • Fork it and modify it however you want
  • No attribution required (though appreciated)
  • Everything on this page can be verified in the source code

Security Issues

Found a security vulnerability? Please report it responsibly:

Last updated: 4 January 2026

This page will be updated when anything changes.