Privacy Policy - AT Container Registry (atcr.io)

Last updated: January 2025

Data We Collect and Store

Data Stored on Your PDS (Controlled by You)

When you use AT Container Registry, records are written to your Personal Data Server (PDS) under the io.atcr.* namespace. This data is stored on infrastructure you or your PDS hosting provider controls. We do not control this data, and its retention and deletion are governed by your PDS provider's policies.

Data Stored on Our Infrastructure

Layer Records: Our hold services (e.g., hold01.atcr.io) maintain records in their embedded PDS that reference container image layers you publish. These records are public and link your AT Protocol identity (DID) to content-addressed SHA identifiers.

OCI Blobs: Container image layers are stored in our object storage (S3). These blobs are content-addressed and deduplicated—meaning identical layers uploaded by different users are stored only once.

Authentication Data:

  • OAuth tokens obtained during sign-in
  • Web UI session tokens
  • Docker credential helper device tokens, including:
    • IP address
    • Device name
    • Token creation and last-used timestamps

Cached PDS Data: We may cache data from your PDS in our database to improve performance and reduce load on your PDS. This cached data mirrors public information already stored on your PDS.

Server Logs: Our logs may include your handle, DID, IP address, timestamps, and actions performed. Logs are currently ephemeral but may be retained in the future for security and debugging purposes.

Our Services and Their Data

AT Container Registry consists of multiple services, each with distinct data responsibilities:

AppView (atcr.io)

The registry frontend you interact with directly. Stores:

  • OAuth sessions and tokens for authentication
  • Device tokens for the Docker credential helper
  • Web UI sessions
  • Cached metadata from your PDS (indexes for search and display)

ATCR-Hosted Hold Services

Storage backends we operate (e.g., hold01.atcr.io). Each hold has an embedded PDS and stores:

  • OCI blobs (container image layers) in object storage
  • Layer records in the hold's embedded PDS linking your DID to blob references
  • Crew membership records for access control

Hold services on *.atcr.io domains are operated by us and covered by this policy.

User-Deployed Hold Services (BYOS)

You may use "Bring Your Own Storage" by deploying your own hold service. Data on user-deployed holds is governed by that operator's privacy policy, not ours. We can request deletion on your behalf but cannot guarantee it for services we do not control.

Data Sharing and Deduplication

OCI container images use content-addressable storage. When you push an image layer, it is identified by its cryptographic hash (SHA256). If another user pushes an identical layer, both users reference the same underlying blob. This is standard practice for container registries and enables efficient storage and distribution.

What this means for your data:

  • Layer content is not uniquely "yours" if other users have pushed identical content
  • Public SHA references may be associated with your AT Protocol identity
  • Deleting your records does not delete blob data that other users also reference
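To make the deletion consequences above concrete, here is an added, self-contained model of a content-addressed layer store with per-identity layer records and a garbage collector. It is illustration code written for this page, not ATCR's own implementation; the DIDs, layer bytes and the `LayerStore` class are constructed for the example. It also reflects the erasure behaviour described under "Right to Erasure": deleting one identity's records leaves a blob in place while another identity still references it, and only the collector prunes blobs that nothing references.

```python
"""Content-addressed layer store with reference tracking (added illustration).

Hypothetical model, not ATCR's code: it shows why deleting one user's layer
records does not remove a blob that another user's records still reference,
and why garbage collection only prunes blobs with no remaining references.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Optional


def digest_of(data: bytes) -> str:
    """OCI-style digest: algorithm prefix plus hex SHA-256 of the content."""
    return "sha256:" + hashlib.sha256(data).hexdigest()


@dataclass
class LayerStore:
    # Object storage: digest -> blob bytes (one copy per distinct content).
    blobs: dict = field(default_factory=dict)
    # Layer records: DID -> set of digests that identity has published.
    records: dict = field(default_factory=dict)

    def push(self, did: str, data: bytes, claimed: Optional[str] = None) -> str:
        """Store a layer for `did` and return its digest.

        If the client claims a digest, verify it against the bytes actually
        received so a mismatched upload cannot occupy another layer's address.
        """
        digest = digest_of(data)
        if claimed is not None and claimed != digest:
            raise ValueError(f"digest mismatch: claimed {claimed}, computed {digest}")
        # Deduplication: identical content is stored once regardless of uploader.
        self.blobs.setdefault(digest, data)
        self.records.setdefault(did, set()).add(digest)
        return digest

    def referrers(self, digest: str) -> set:
        """DIDs whose records still reference this digest."""
        return {did for did, ds in self.records.items() if digest in ds}

    def delete_records(self, did: str) -> None:
        """Erase one identity's layer records. Blob bytes are untouched here."""
        self.records.pop(did, None)

    def garbage_collect(self) -> list:
        """Prune blobs no longer referenced by any record; return pruned digests."""
        live = set().union(*self.records.values())
        pruned = [d for d in self.blobs if d not in live]
        for d in pruned:
            del self.blobs[d]
        return pruned


def walk_through() -> dict:
    """Constructed scenario: two identities push the same layer bytes."""
    store = LayerStore()
    layer = b"constructed layer content\n"  # constructed sample input
    d_alice = store.push("did:plc:alice-example", layer)
    d_bob = store.push("did:plc:bob-example", layer)
    out = {
        "same_digest": d_alice == d_bob,
        "blob_count_after_two_pushes": len(store.blobs),
    }

    # Alice exercises erasure: her records go, but Bob still references the blob.
    store.delete_records("did:plc:alice-example")
    out["pruned_after_alice_delete"] = store.garbage_collect()
    out["blob_survives"] = d_alice in store.blobs
    out["remaining_referrers"] = store.referrers(d_alice)

    # Once the last referrer is gone, the collector can prune the blob.
    store.delete_records("did:plc:bob-example")
    out["pruned_after_bob_delete"] = store.garbage_collect()
    out["blob_count_at_end"] = len(store.blobs)
    return out


if __name__ == "__main__":
    for key, value in walk_through().items():
        print(f"{key}: {value}")
```

The digest check in `push` is the property that makes deduplication safe to rely on: a blob is only ever shared between identities because its bytes hash to the same address, so a registry must compute the digest from the received bytes rather than trust the one the client announces.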

Your Rights Under GDPR

If you are located in the European Economic Area (EEA), you have the following rights:

Right to Access

You may export a copy of all personal data we store about you via the "Export Data" button in your account settings. This export includes:

  • Layer records associated with your DID on our PDS
  • OAuth tokens, web UI sessions, and device tokens
  • Cached PDS data
  • List of registered devices (credential helper)

For data not included in the self-service export (such as server logs), contact us and we will respond within 30 days.

Note: Data stored on your own PDS is already under your control and accessible to you directly.

Right to Erasure ("Right to be Forgotten")

You may request deletion of your data via the account settings page. Due to our technical architecture, deletion works as follows:

Immediately deleted from AppView:

  • OAuth tokens, web UI sessions, and device tokens
  • Cached PDS data (manifest and tag indexes)
  • Server logs containing your identifiers (deleted or anonymized, if retained)

Immediately deleted from ATCR-hosted holds:

  • Layer records in the hold's embedded PDS that reference your DID
  • Crew membership records

Deleted within 30 days from ATCR-hosted holds:

  • OCI blobs in object storage that are no longer referenced by any user (via garbage collection)

User-deployed holds:

  • We attempt to delete your data via API, but success depends on hold availability
  • Data on holds we do not operate is governed by that operator's policies

Cannot be deleted by us:

  • Records stored on your own PDS (you control these, or your PDS provider does)
  • Blob data that is also referenced by other users (deduplicated content)

Optional: Delete AT Protocol Records

When deleting your account, you may optionally authorize us to delete io.atcr.* records from your PDS. This requires an active OAuth session and is optional because:

  • Your PDS is controlled by you or your hosting provider, not us
  • You may delete these records yourself at any time
  • We have no ongoing obligation to manage data on infrastructure we do not control

Right to Rectification

You may update your data through normal use of the service. Data stored on your PDS is under your direct control.

Right to Data Portability

AT Protocol is designed for data portability. Your records are stored in an open, documented format on your PDS and can be exported or migrated at any time.

Right to Object / Restrict Processing

You may revoke our OAuth access at any time through your PDS provider's settings. This will prevent us from reading or writing records to your PDS.

Your Rights Under CCPA

If you are a California resident, you have the following rights under the California Consumer Privacy Act:

Right to Know

You may export a copy of your personal data via the "Export Data" button in your account settings. You may also request disclosure of:

  • The categories of personal information we collect
  • The purposes for which we use your personal information
  • The categories of third parties with whom we share your personal information

For data not included in the self-service export (such as server logs), contact us and we will respond within 30 days.

Right to Delete

You may delete your personal information via the account settings page, subject to the same technical limitations described in the GDPR section above. For data not accessible through self-service, we will respond to requests within 45 days, except where retention is necessary for:

  • Completing the transaction for which the data was collected
  • Security and fraud prevention
  • Legal compliance

Right to Non-Discrimination

We will not discriminate against you for exercising your CCPA rights.

Categories of Personal Information Collected

Category            Examples                                    Collected
------------------  ------------------------------------------  ---------
Identifiers         DID, handle, IP address, device name        Yes
Internet activity   Access logs, usage data, actions performed  Yes
Geolocation         Approximate location via IP                 Yes

We do not sell or share your personal information for cross-context behavioral advertising.

Data Retention

Data Type                          Service       Retention Period
---------------------------------  ------------  -------------------------------------------------------------------------------
OAuth tokens                       AppView       Until revoked or logout
Web UI session tokens              AppView       Until logout or expiration
Device tokens (credential helper)  AppView       Until revoked by user
Cached PDS data                    AppView       Refreshed periodically; deleted on account deletion
Server logs                        AppView       Currently ephemeral; this policy will be updated if log retention is implemented
Layer records                      Hold PDS      Until you request deletion
OCI blobs                          Hold Storage  Until no longer referenced (pruned within 30 days)

Important Notes on AT Protocol Architecture

AT Container Registry is built on the AT Protocol, which has a unique data architecture:

  1. You control your data. Most data associated with your use of AT Container Registry is stored on your Personal Data Server (PDS), which you or your chosen provider controls.
  2. Public by design. AT Protocol data is designed to be public and distributed. Records you create, including container image references, are publicly visible and may be replicated across the network.
  3. Content-addressed storage. OCI blobs are identified by their cryptographic hash. This means blob data is inherently pseudonymous—it cannot be attributed to you without the corresponding records that reference it.
  4. Deletion limitations. Because AT Protocol is distributed, we cannot guarantee that copies of public records have not been made by other participants in the network. We can only delete data on infrastructure we control.

Bring Your Own Storage (BYOS)

AT Container Registry supports "Bring Your Own Storage" where users can deploy their own hold services to store container image blobs. This section explains how BYOS affects your privacy rights.

ATCR-Hosted Holds

Hold services on *.atcr.io domains (e.g., hold01.atcr.io) are operated by us and fully covered by this privacy policy. We can fulfill all data access, export, and deletion requests for these services.

User-Deployed Holds

If you use a hold service not operated by us:

  • That hold's data practices are governed by its operator's privacy policy, not ours
  • When you request account deletion, we attempt to delete your data from all holds via API
  • We cannot guarantee deletion for holds that are offline or refuse the request
  • You should contact that hold's operator directly for data requests we cannot fulfill

If You Operate a Hold

If you deploy your own hold service and allow other users to store data on it, you become a data controller for that data under GDPR/CCPA. You are responsible for:

  • Responding to deletion requests from users of your hold
  • Implementing appropriate data retention policies
  • Publishing your own privacy policy if required by law

How to Exercise Your Rights

Self-Service (via Settings)

Most data management can be done directly through your account settings at atcr.io:

  • Export your data: Use the "Export Data" button in settings to download a copy of all personal data we store about you.
  • Delete your data: Use the "Delete Account" button in settings. This will remove your layer records, cached data, and authentication tokens. You may also choose to have us delete io.atcr.* records from your PDS (requires active OAuth session).
  • Revoke device tokens: Manage and revoke credential helper devices in settings.
  • Update your data: Corrections happen through normal use of the service.

Contact Us

For requests we cannot fulfill through self-service, such as:

  • Copies of server logs containing your data
  • Database records not exposed in the UI
  • Questions about this policy

Email: privacy@atcr.io

Please include your AT Protocol DID or handle so we can verify your identity.

We will respond to requests within 30 days (GDPR) or 45 days (CCPA).

Contact

For questions about this privacy policy or to exercise your data rights, contact:

Email: privacy@atcr.io

Website: https://atcr.io