Privacy

Last updated: May 20, 2026.

Quicky.Page is an instant publishing canvas. Most usage is anonymous; an optional account adds cloud-saved pages and is the identity behind the remote MCP connector at quicky.page/mcp. This page lists every category of information the service touches and what we do with it.

What we store

  • Page content — the blocks you publish (text, links, images, embeds, optional theme/meta) under a short id. Stored in Upstash Redis. Public to anyone who has the URL.
  • Edit key — a 24-character secret returned at publish time and required to update the page. Stored alongside the page record. The edit key is the only credential — losing it is irreversible (we cannot “recover” it because there is no account to attach it to).
  • Uploaded images — files you paste or drag into the editor are stored in Cloudflare R2 with random keys and served from a public asset domain. Unreferenced uploads are garbage-collected after a grace window.
  • Rate-limit counters — we count requests per client IP in Upstash to enforce per-IP quotas on the publish, AI, upload, and analytics-beacon endpoints. Counters expire automatically inside the rolling window (typically 1–5 minutes).
  • Server logs — Vercel records request metadata (path, status, IP, user agent, latency) for operational troubleshooting. Retention is set by Vercel's plan defaults.
  • Page-view analytics — when someone loads a published QuickyPage, the page sends one impression event to our own server. We record an opaque session hash (a one-way SHA-256 of the visitor's IP address, user-agent, the current UTC date, and a server secret), the page id, the referring URL, any UTM tags on the link, the country/region/city as reported by Vercel's edge headers, and a coarse browser/OS/device family derived from the user-agent string. The session hash rotates daily — the same visitor on the same network gets a different hash tomorrow — and the underlying IP address is never stored. We do not set cookies for this. Aggregated counts (page views, unique sessions, top referrers, top countries) are shared with the holder of a page's edit URL through the page's analytics endpoint.
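
The daily-rotating session hash described above, sketched as an added illustration that is not Quicky.Page's own code. The length-prefixed field encoding, the placeholder secret, the function names, and the sample events are assumptions constructed for this example.

```python
import hashlib
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumption: placeholder secret; a real deployment keeps it out of source.
SERVER_SECRET = b"constructed-demo-secret"


def session_hash(ip, user_agent, when, secret=SERVER_SECRET):
    """SHA-256 over IP, user-agent, UTC date and server secret."""
    if when.tzinfo is None:
        raise ValueError("timestamp must be timezone-aware")
    day = when.astimezone(timezone.utc).date().isoformat()
    h = hashlib.sha256()
    # Length-prefix each field (an assumed encoding) so that different
    # field splits can never produce the same hash input.
    for field in (ip.encode(), user_agent.encode(), day.encode(), secret):
        h.update(len(field).to_bytes(4, "big"))
        h.update(field)
    return h.hexdigest()


def unique_sessions(events):
    """Count distinct session hashes per (page id, UTC day); no IP is kept."""
    seen = defaultdict(set)
    for ip, user_agent, when, page_id in events:
        day = when.astimezone(timezone.utc).date().isoformat()
        seen[(page_id, day)].add(session_hash(ip, user_agent, when))
    return {key: len(hashes) for key, hashes in seen.items()}


# Constructed sample events (documentation-range IPs, made-up page id).
UA_A = "Mozilla/5.0 (X11; Linux x86_64) Firefox/126.0"
UA_B = "Mozilla/5.0 (Macintosh) Safari/605.1.15"
EVENTS = [
    ("203.0.113.7", UA_A, datetime(2026, 5, 20, 9, 0, tzinfo=timezone.utc), "abc123"),
    ("203.0.113.7", UA_A, datetime(2026, 5, 20, 18, 0, tzinfo=timezone.utc), "abc123"),
    ("198.51.100.20", UA_B, datetime(2026, 5, 20, 10, 0, tzinfo=timezone.utc), "abc123"),
    # 23:30 at UTC-2 is already 01:30 on 21 May in UTC, so it counts as the next day.
    ("203.0.113.7", UA_A,
     datetime(2026, 5, 20, 23, 30, tzinfo=timezone(timedelta(hours=-2))), "abc123"),
]

if __name__ == "__main__":
    for key, count in sorted(unique_sessions(EVENTS).items()):
        print(key, count)
```

Because the secret is part of the input, the hash cannot be recomputed offline from a list of candidate IP addresses by anyone who does not hold it.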

MCP connector (remote)

The remote MCP server at quicky.page/mcp lets third-party AI clients (Claude.ai, Cursor, custom orchestrators) publish, update, and read pages on your behalf. The data flow is:

  • OAuth identity — when you connect a client to the MCP server, you authorize it through our OAuth 2.0 authorization server. The client receives an access-token JWT (audience-bound to quicky.page/mcp, RS256-signed, 1-hour lifetime) and a refresh token (30-day lifetime, rotated on every use). The token identifies you to our server but not to anyone else — it cannot be replayed against any other service.
  • Stored OAuth state — in Upstash, under the qp:oauth:* namespace: registered client metadata, authorization codes (60s TTL), refresh-token records (30d TTL), and access-token revocation tombstones (≤1h TTL). When you revoke a connector or delete your account, the matching rows are dropped immediately.
  • What the connector receives — exactly the tool inputs and outputs (the markdown you ask it to publish, the page ids and URLs it gets back). The connector never receives your email, your Auth.js session, or any unrelated page data.
  • Auditability — every page published via the MCP is created with the same internal helper the editor uses, so it shows up in your account's History menu and is subject to the same delete / disconnect controls as anything you publish through the website itself.

The local stdio MCP package (@quickypage/mcp-server) runs as a subprocess on your machine, has no Quicky.Page account attached, and forwards inputs to the same public HTTP API any browser would call. It does not collect or transmit data on its own.

Accounts

Accounts are optional. When you sign in, we store:

  • Identity from your sign-in provider (Google email + display name, or magic-link email). Stored in Upstash under the qp:auth:* namespace via Auth.js.
  • Cloud-saved pages list — pageIds you've claimed plus their associated editKeys (escrowed so we can authorize edits on your behalf from any device). Stored under qp:account:*.
  • OAuth connector records — see the previous section.

Account deletion (Settings → Delete account) drops every row under qp:auth:*, qp:account:*, and qp:oauth:* for your user. Pages themselves are not deleted — they remain reachable by anyone who has their URL and editKey — but your identity vanishes from Quicky.Page entirely.

What we do not store

  • No accounts, names, or email addresses (unless you put them into a page yourself).
  • No analytics cookies, no third-party advertising trackers.
  • No fingerprint, no cross-site profile.
  • No long-term association between your IP and the pages you published — we don't store that link.

Third parties we send data to

  • Anthropic — when you use the “Shape”, “Generate”, or “Rewrite” features, the relevant input (your prompt, pasted content, or block being rewritten) is sent to Anthropic's Claude API to produce the AI response. Subject to Anthropic's privacy policy.
  • URL ingestion — when you paste a URL into the Shape panel, we fetch that URL server-side, strip it to visible text, and forward the text to Anthropic. The fetch is a normal HTTP GET originating from our server's IP.
  • Vercel hosts the application and routes requests. Cloudflare R2 hosts uploaded images. Upstash stores pages, edit keys, and rate-limit counters.
  • Vercel Analytics records cookieless, IP-anonymised page-view aggregates. Vercel Speed Insights records Core Web Vitals samples. Neither sets cookies or follows you across sites.
  • Sentry (only if SENTRY_DSN is configured) captures uncaught exceptions and a small amount of request context for error triage. Subject to Sentry's privacy policy.

Cookies

Quicky.Page does not set cookies. The editor uses localStorage for two things, both client-side only: the in-progress draft (so a refresh doesn't lose unsaved work), and a per-browser list of pages you've published or edited via a ?id=#edit= URL (the capability key sits in the URL fragment so it never reaches our servers). Both can be cleared from your browser settings; clearing the second one means losing edit access to any page whose edit URL you didn't back up elsewhere.

Your rights

  • Delete a page you published — open the edit URL you saved at publish time and use the page menu's delete action. If you lost the edit URL, see Report abuse for the verification path.
  • Request data access or deletion — email info@quicky.page with the URL(s) involved. Because we don't collect identifiers, “all data about me” is typically “the page at this URL” — we need the URL to act on the request.
  • EU/UK residents — you can lodge a complaint with your local supervisory authority. Our basis for processing is legitimate interest in operating a publishing service; we do not rely on consent because we don't set non-essential cookies.
  • California residents — we do not sell or share personal information.

Children

Quicky.Page is not directed at children under 13 (under 16 in the EU). If you believe a child has published content here, email info@quicky.page and we will remove it.

Changes

We may update this page. The “last updated” date above always reflects the most recent change. Material changes will be announced on the home page or via the GitHub repository.

Contact

Privacy questions: info@quicky.page.