
Behind the Scenes

How Little Bear Apps handles privacy, security, and data. No legalese, just plain explanations.

The Quick Version

TL;DR for people who won't read the whole page:

  • No tracking beyond Plausible Analytics (privacy-focused, no cookies)
  • All tools run locally — data stays on your machine; the per-tool breakdown below lists exactly what each one reads, stores, and sends
  • Every public repo has security scanning, test-coverage tracking, and CI checks
  • Open source under MIT licence
  • Cookie consent gives real choices — reject is just as visible as accept

Why Bother?

After 13 years working in tech companies, I've watched privacy and security treated as afterthoughts more times than I can count. Legal checkboxes. Marketing spin. "We take your privacy seriously" followed by 47 trackers.

Little Bear Apps is a one-person operation. There's no legal team forcing compliance. No investors demanding growth metrics. No pressure to extract data for monetisation.

"I do it because it's the right way to build software, and because I use these tools myself."

This page isn't checkbox compliance. It's values — written down so you can hold me to them.

Security & Code Quality

Every public repository runs automated security tooling. Production deploys require manual confirmation, and every GitHub Action used in the Python repos is pinned to a full-length commit SHA rather than a mutable version tag, so a retagged or compromised upstream release cannot silently change what runs in CI. You can verify each one yourself.

Tool | Purpose | Verify
GitHub Actions CI | Automated tests, linting, and builds on every push | View .github/workflows/
CodeQL | Static analysis for security vulnerabilities | GitHub Security tab
Dependency & SAST scanning | npm audit and pip-audit for known-vulnerable dependencies; bandit for Python static analysis | View CI workflows
Codecov | Test coverage tracking with thresholds | codecov.io
Socket.dev | Supply chain and dependency security | socket.dev
Dependabot | Automated dependency updates, with auto-merge for patch-level updates | Org-level config
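The SHA-pinning rule above is easy to check mechanically. The following is an added example, not Little Bear Apps' own tooling: a stdlib-only Python script that scans the `uses:` lines in workflow files and reports any action that is not pinned to a full 40-hex commit SHA, any container action not pinned to a sha256 digest, and any SHA pin that lacks the trailing version comment that makes a bare hash readable. The sample workflow and the SHAs in it are constructed for the example and do not refer to real commits.

```python
"""Check GitHub Actions workflows for full-SHA pinning of every `uses:` reference.

Added example (not the project's own tooling). Stdlib only: it matches the
`- uses: owner/repo@ref  # comment` line form with a regex rather than parsing YAML.
"""
import re
import sys
from dataclasses import dataclass
from pathlib import Path

# `uses:` value, optionally quoted, optionally followed by a `# vX.Y.Z` comment.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?(?P<target>[^'\"\s#]+)['\"]?\s*(?:#\s*(?P<comment>\S.*))?$"
)
# GitHub resolves a SHA pin only for the full 40-hex commit id.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass
class Finding:
    line: int
    action: str
    ref: str
    reason: str


def check_workflow(text: str) -> list[Finding]:
    """Return one Finding per `uses:` reference that is not an immutable pin."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m is None:
            continue
        target, comment = m.group("target"), m.group("comment")
        if target.startswith("./"):
            continue  # local action in the same repo: nothing to pin
        action, sep, ref = target.rpartition("@")
        if not sep:
            action, ref = target, ""
        if target.startswith("docker://"):
            # Container actions are immutable only when pinned by image digest.
            if not ref.startswith("sha256:"):
                findings.append(Finding(lineno, action, ref, "container image pinned by tag, not by sha256 digest"))
            continue
        if not FULL_SHA_RE.match(ref):
            findings.append(Finding(lineno, action, ref, "ref is a tag or branch, not a full commit SHA"))
        elif not comment:
            findings.append(Finding(lineno, action, ref, "SHA pin has no version comment; readers cannot tell which release it is"))
    return findings


def scan_workflows(workflows_dir: Path) -> dict[str, list[Finding]]:
    """Check every *.yml / *.yaml file in a .github/workflows directory."""
    results: dict[str, list[Finding]] = {}
    paths = sorted(list(workflows_dir.glob("*.yml")) + list(workflows_dir.glob("*.yaml")))
    for path in paths:
        found = check_workflow(path.read_text(encoding="utf-8"))
        if found:
            results[path.name] = found
    return results


# Constructed sample workflow; the SHAs are placeholders, not real commits.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.1.1
      - uses: actions/setup-python@v5
      - uses: pypa/gh-action-pip-audit@89abcdef0123456789abcdef0123456789abcdef
      - uses: docker://python:3.12-slim
      - uses: ./.github/actions/local-step
      - run: pip-audit
"""

if __name__ == "__main__":
    # Usage: python check_pins.py .github/workflows   (no argument: check the sample)
    if len(sys.argv) > 1:
        results = scan_workflows(Path(sys.argv[1]))
    else:
        results = {"sample.yml": check_workflow(SAMPLE_WORKFLOW)}
    for name, findings in results.items():
        for f in findings:
            print(f"{name}:{f.line}: {f.action} @ {f.ref or '(none)'}: {f.reason}")
    sys.exit(1 if any(results.values()) else 0)
```

Run it against a repository's `.github/workflows/` directory; a non-zero exit code makes it usable as a CI gate. On the constructed sample it flags the `@v5` tag, the SHA pin without a version comment, and the container image pinned by tag, and passes the fully pinned `actions/checkout` line and the local action.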

Analytics

This site uses Plausible Analytics, not Google Analytics. Here's the difference:

What Plausible collects

  • Page views
  • Referrer (where you came from)
  • Country (not city, not IP)
  • Device type and browser (aggregated)

What Plausible doesn't do

  • No cookies
  • No cross-site tracking
  • No personal data collection
  • No selling data to advertisers

Plausible is EU-hosted and GDPR-compliant by design, and its script is ~1KB (compared to ~45KB for Google Analytics).

"I can see page views and referrers. I can't see who you are, and I don't want to."

Plausible website · Plausible data policy

The Badge System

Every tool on this site has badges indicating its maturity and privacy status. These aren't marketing claims — they're commitments.

Maturity Badges

QA Tested

Tested before release. Works for intended purpose. May have bugs or rough edges.

How it's earned: Baseline for any public release.

Personal Use Proven

Running in my own workflows for 6-12+ months. Core functionality is stable.

How it's earned: Time-based, demonstrated stability.

Community Validated

Real users beyond me. Bugs surfaced and addressed. Features added from community feedback.

How it's earned: Earned through actual community use.

Privacy Badges

Fully Local

No data leaves your machine. LBA sees nothing.

What it implies: Third parties (registries, GitHub) see only download stats and repo activity.

Anonymous Analytics

Some anonymised data is collected, and exactly what is collected is specified. No PII.

What it implies: Purpose disclosed, collection minimised.

Account Required

Requires account or cloud features.

What it implies: What's stored, why, and where is fully disclosed.

Per-Tool Breakdown

Specific, concrete details of what each tool accesses, stores, and sends.

Outlook Assistant
Reads

Your Outlook mailbox via Microsoft Graph API (delegated permissions):

  • Email, calendar, contacts, and settings you explicitly grant access to
Stores
  • OAuth tokens: ~/.outlook-assistant-tokens.json. Anyone who can read that file can act on your mailbox with the scopes you granted until the tokens expire or you revoke the app's consent, so keep it readable by your user account only.
Sends

Queries to Microsoft Graph API (graph.microsoft.com). No Little Bear Apps servers involved.

PitchDocs
Reads

Your local codebase and existing documentation files.

Stores

Generated files written to your repo directory.

Sends

Nothing. Pure markdown plugin with no external requests.

ContextDocs
Reads

Your local codebase files and existing AI context files (CLAUDE.md, .cursorrules, etc.).

Stores

Generated context files written to your repo directory.

Sends

Nothing. Pure markdown plugin with no external requests.

Untether
Reads

Your Telegram messages sent to the bot, and AI agent stdout/stderr for progress streaming.

Stores
  • Config: ~/.untether/untether.toml
  • Session state: in-memory only (no database)
Sends

Messages to the Telegram Bot API (api.telegram.org). No Little Bear Apps servers involved.

WP Navigator (pre-launch)
Reads

Your WordPress site via the WordPress REST API and WP-CLI. Only accesses what you explicitly grant through guardrail policies.

Stores
  • Plugin config: WordPress options table on your site
  • MCP state: in-memory only (no external database)
Sends

Queries to your WordPress site's REST API. Preview-first model — nothing changes without your approval. No Little Bear Apps servers involved.

Viewpo (pre-launch)
Reads

URLs you provide for responsive testing. Loads them in a real Chromium browser to capture screenshots.

Stores

Nothing persistent — screenshots are generated on-demand and not retained.

Sends

Browser requests to the URLs you test. Screenshot rendering happens on Cloudflare Workers, so the URLs you submit do leave your machine: the Worker fetches them, returns the screenshot, and retains nothing. No data is stored or shared.

Third-Party Services

Every external service the site or tools interact with. No hidden third parties. APIs that a tool calls on your behalf with your own credentials (Microsoft Graph, the Telegram Bot API, your own WordPress site, and Cloudflare Workers for Viewpo) are covered in the per-tool breakdown above.

Service | Purpose | What they see | Privacy policy
Cloudflare Pages | Site hosting | Standard server logs | View
Plausible | Analytics | Page views, referrers, country (no PII) | View
GitHub | Code hosting, repos | Repo activity, issues, PRs | View
npm | Package hosting (Outlook Assistant) | Download counts | View
PyPI | Package hosting (Untether) | Download counts | View

What I Can't Control

Being transparent means admitting limits. Here's what's outside my control:

  • If you install from npm or PyPI, those registries log download statistics.
  • If you open a GitHub issue, GitHub has that data.
  • If you email, that goes through standard email infrastructure.
  • If you visit this site, Cloudflare sees standard server logs.

"I can't change how third parties work. But I can be upfront about it."

What I Won't Do

Explicit commitments. Things Little Bear Apps will never do:

  • Sell data (there's nothing to sell)
  • Add tracking pixels or ad networks
  • Gate basic functionality behind accounts
  • Use dark patterns in consent flows
  • Pretend "privacy-first" while doing shady stuff in the background
  • Share data with third parties for marketing
  • Use your email for anything other than what you signed up for

Open Source

The developer tools are released under the MIT License. What that means:

  • Use it for anything, including commercial projects
  • Fork it and modify it however you want
  • No attribution required (though appreciated)
  • Every claim this page makes about the tools can be verified in the source code

Security Issues

Found a security vulnerability? Please report it responsibly:


Last updated: 19 March 2026

This page will be updated when anything changes.