Privacy Policy
Last updated: April 2025
This policy covers danielcheung.com and its hosted tools, Lexi and ContentGraph. Written plainly — no legalese.
The short version
This site collects no personal information directly. Lexi and ContentGraph process content entirely within your browser and send it to Anthropic's API using your own key — no content passes through this site's servers or is stored anywhere after your session ends. The only third-party data collection is standard server logging (Vercel) and aggregate traffic analytics (Google Analytics).
Governing law
This site is operated by Daniel Cheung, based in Australia. It is guided by the Privacy Act 1988 (Cth) and the 13 Australian Privacy Principles (APPs) set out in Schedule 1 of that Act, as amended by the Privacy and Other Legislation Amendment Act 2024 (No. 128, 2024). As a personal site with turnover below AUD $3 million, it currently qualifies for the small business exemption under the Act. Note that this exemption is under active review and may be removed in future legislative reforms — but this policy reflects the spirit of the APPs regardless.
Because this site uses analytics cookies that process the IP addresses of all visitors, it falls within the territorial scope of the EU General Data Protection Regulation (GDPR, Article 3(2)(b)) and the UK GDPR as read with the Data Protection Act 2018 (c. 12). The rights and obligations described in this policy apply accordingly.
What this website collects
Server logs. This site is hosted on Vercel, which automatically logs standard request data — IP address, browser type, referring URL, timestamp — for operational and security purposes. These logs are held under Vercel's privacy policy and are not directly accessible to or controlled by this site.
Google Analytics. This site uses Google Analytics 4 (GA4) to understand aggregate traffic — pages visited, session duration, referral source. GA4 processes IP addresses (anonymised by default for EU visitors) and sets cookies to distinguish sessions. The lawful basis for this processing is legitimate interests (GDPR Article 6(1)(f)): understanding how the site is used in order to improve it. No personally identifiable information is intentionally collected or linked.
Note: regulatory guidance on GA4's GDPR compliance continues to evolve across EU member states. Several national data protection authorities have found GA4 use problematic without supplementary measures. If you are in the EEA or UK, you may wish to use the Google Analytics opt-out browser add-on or a privacy-focused browser to limit this processing.
Lexi
Lexi audits the retrievability of web content. You paste raw HTML, which is parsed and cleaned entirely in your browser. Nothing is sent to this site's servers.
The extracted text is sent directly from your browser to the Anthropic API. Anthropic does not use API inputs to train its models by default. Their handling of your data is governed by Anthropic's privacy policy.
- API key (personal mode) — stored in sessionStorage for your current browser session only. Never sent to this site's servers. Cleared automatically when you close the tab.
- Sponsored access — if you use an invite code, a signed httpOnly cookie is set containing a one-way hash of that code and a timestamp. No personal data. Expires after 7 days.
- Last result — Lexi optionally saves your most recent analysis to localStorage for convenience across page reloads. This data never leaves your browser and can be cleared through your browser's site data settings.
ContentGraph
ContentGraph analyses the concept and relationship structure of content. You submit a URL or plain text. If a URL is provided, it is fetched and extracted within your browser — not by this site's servers. The extracted text is sent in three sequential calls directly from your browser to the Anthropic API.
- API key — stored in sessionStorage only, cleared on tab close, never transmitted to this site.
- No cookies or retained results — ContentGraph sets no cookies and stores nothing after your session ends.
Cookies and browser storage
- site_theme (localStorage) — your light/dark mode preference. Never leaves your browser.
- Google Analytics (cookies) — aggregate session tracking. Governed by Google's privacy policy.
- Lexi sponsored session (httpOnly cookie) — signed access token containing only an invite code hash. Expires after 7 days.
- Lexi last result (localStorage) — your most recent analysis, stored for convenience. Cleared with browser site data.
No advertising cookies or cross-site tracking identifiers are set by this site.
Third-party services and international transfers
All three third-party services used by this site are based in the United States. Transfers of personal data outside Australia, the EEA, and the UK are covered as follows:
- Vercel — hosting and infrastructure. Transfers covered by the EU–US Data Privacy Framework (DPF) and Standard Contractual Clauses (SCCs, Regulation (EU) 2021/914).
- Google — Analytics. Transfers covered by the EU–US DPF and SCCs. Google holds a Data Processing Agreement available to site operators.
- Anthropic — LLM API. Transfers covered by SCCs (GDPR Article 46). Anthropic offers a Data Processing Addendum for API customers. Note: API calls in Lexi and ContentGraph are made directly from your browser using your own API key — this site is not a party to those transfers.
Your rights
Under the Australian Privacy Principles, you have the right to access personal information held about you and to request its correction.
Under the GDPR and UK GDPR, you additionally have the right to erasure (Article 17), the right to object to processing on grounds of legitimate interests (Article 21), and the right to access a copy of your personal data (Article 15).
Because this site holds no personal data of its own — only Vercel's server logs and Google's analytics data — most of these rights are best exercised directly with those providers. If you have a specific concern, reach out via danielkcheung@gmail.com or LinkedIn.
Complaints
If you believe your privacy rights have been breached, you can lodge a complaint with the relevant authority:
- Australia — Office of the Australian Information Commissioner (OAIC)
- EU — your national data protection authority (GDPR Article 77)
- UK — Information Commissioner's Office (ICO)
Changes to this policy
If data handling practices change materially, this page will be updated with a new date. Given the evolving regulatory landscape — particularly around analytics and AI — this policy will be reviewed periodically.