Privacy Policy
Last updated: May 2026
Point Edit Studio is a self-hosted software product. This policy explains what data is involved when you use our marketing website and the software itself.
1. What we collect
The marketing website (this site)
We do not use cookies, analytics scripts, or any form of tracking on this marketing website. We do not collect IP addresses, browser fingerprints, or any other personal data through this site.
The Point Edit Studio software
Point Edit Studio is self-hosted on your own server. It does not send any data back to us. No telemetry, no usage analytics, no phoning home. What happens on your server stays on your server.
The software uses PHP sessions for authentication. These sessions set a single strictly necessary session cookie. This cookie is HttpOnly, SameSite=Strict, and bound to your IP address. It expires after 2 hours of inactivity by default.
2. Third-party services
Our marketing website loads fonts from Google Fonts and images from Pexels. These services may receive your IP address when your browser fetches these resources. This is standard for any website using hosted fonts or images.
The Point Edit Studio software itself has no third-party dependencies and does not load any external resources during normal operation. Extensions you install may introduce their own third-party integrations — refer to each extension's documentation.
3. Data you control
Point Edit Studio stores data in files on your server:
- sites.json — site configurations (URLs, API keys, file paths)
- users.json — user accounts (bcrypt-hashed passwords, TOTP seeds)
- /.pe_backups/ — timestamped file backups
None of this data leaves your server. You are responsible for its security. We recommend keeping sites.json and users.json outside your webroot when practical, and using the built-in .htaccess rules to block direct access.
4. Security
Point Edit Studio includes:
- TOTP two-factor authentication (RFC 6238)
- Brute-force lockout (5 attempts → 15-minute cooldown)
- IP-bound sessions
- Path-traversal protection
- Content Security Policy headers
- Dangerous PHP functions disabled by default
We recommend always running the latest version and reviewing the .htaccess configuration for your specific server environment.
5. Changes to this policy
We may update this privacy policy from time to time. Changes will be posted on this page. Since the software is self-hosted, we have no way to notify you of changes — check back occasionally.
6. Contact
If you have questions about this policy or the software, visit our contact page.