LiıPy

Effective Date: July 12, 2026

Privacy Policy

1. Introduction

LiPy (“we,” “our,” or “us”) is an academic open-source project for Odia handwritten character recognition, OCR, dataset creation, and machine learning research. We are committed to protecting your privacy. This Privacy Policy explains what information we collect, how we use it, and your rights regarding your data.

By using the LiPy platform, you agree to the practices described in this policy. If you do not agree, please discontinue use of the platform.

2. Information We Collect

We collect only the information necessary to operate the platform and improve our machine learning models. The specific data we collect depends on how you interact with LiPy.

2.1 Administrator Authentication Data

The LiPy admin dashboard is accessible only to pre-authorized administrators. Users cannot self-register as administrators. When an administrator authenticates, we collect:

  • Email address — used as the primary identifier for authentication via email/password login.
  • OAuth profile data — when authenticating with Google or GitHub, we receive the basic profile information that your OAuth provider shares (name, email address, and avatar URL). This data is used only for authentication and identity verification.
  • Passkeys (WebAuthn) — if you register a passkey, your device manages the cryptographic key pair. LiPy stores only the public key and a passkey identifier, never the private key.

2.2 Security Event Logging

To protect administrator accounts and detect unauthorized access attempts, we log security events in our database. These logs include:

  • User ID and event type (login, logout, failed login, password change, OAuth login, passkey login, session revocation, and automatic session expiry).
  • Timestamp of the event.
  • IP address and user-agent string, from which we derive browser type and operating system for display purposes.
  • Device information label (e.g., “Chrome on Windows 11”).
  • Event status (Success, Failed, Not Authorized, Auto-Expired).
  • Additional metadata relevant to the event (e.g., reason for failure, provider name for OAuth events, number of sessions revoked).

2.3 LiPyD Contributor Data

LiPyD is the dataset contribution module of the platform. Participation is entirely voluntary and does not require an account. When you contribute, we collect:

  • Contributor Name — a name you provide yourself. This is not verified and can be any identifier you choose (including a pseudonym).
  • Contributor ID — a unique identifier automatically generated in your browser and stored locally. This ID is not linked to any real-world identity.
  • Session ID — a session identifier generated in your browser to group contributions within a session.
  • Handwritten Character Samples — images of Odia characters that you draw on the canvas. These images are the core dataset used to train machine learning models.
  • Character Metadata— the character label (e.g., “CONS_KA”), the collection mode (single-character or mixed random), a sample number, and a filename.
  • Timestamps — the date and time when each sample was created.

Contributor names and IDs are stored in browser cookies and localStorage to recognize returning contributors. Handwritten samples are stored locally in IndexedDB and, when Supabase is configured, uploaded to our Supabase storage bucket and recorded in our database tables.

2.4 Cookies and Local Storage

We use the following client-side storage:

  • Supabase session cookies — used for administrator authentication session management. These are HTTP-only cookies set by Supabase Auth.
  • lipy_name — stores your chosen contributor name (LiPyD).
  • lipy_contributorId — stores your auto-generated contributor identifier (LiPyD).
  • lipy_stroke_width — stores your preferred canvas stroke width (LiPyD).
  • localStorage — various keys prefixed with lipy_ for session configuration, sample counters, contribution statistics, scheduler state, and export timestamps.
  • IndexedDB (LiPyDB) — stores sample records with image blobs, contributor records, and an upload queue for synchronizing contributions to Supabase when configured.

3. Information We Do Not Collect

LiPy does not collect:

  • Analytics or usage tracking data (no Google Analytics, no tracking scripts).
  • Advertising data (we do not serve advertisements).
  • Marketing email addresses or communication preferences (we do not send marketing emails).
  • Payment or billing information (the platform is free to use).
  • Location data beyond the IP address logged for security events.
  • Personal information from children under 13 (the platform is not directed at children).

4. How Information Is Used

We use the collected information for the following purposes:

  • Authentication and Authorization — to verify administrator identity and control access to the admin dashboard.
  • Security Monitoring — to detect and log unauthorized access attempts, enforce session expiration, and maintain an audit trail of administrative actions.
  • Dataset Development — handwritten character samples contributed through LiPyD are used to train and improve our Odia handwritten character recognition machine learning model.
  • Service Improvement — to understand aggregate usage patterns and improve the platform experience.
  • Communication — to send password reset emails when requested by an administrator.

5. Authentication

LiPy uses Supabase Authentication for all authentication operations. We support the following authentication methods:

  • Email and Password — standard email/password authentication with password hashing handled by Supabase.
  • Google OAuth — sign in with your Google account. Google shares only the profile information necessary for authentication and identity verification.
  • GitHub OAuth — sign in with your GitHub account. GitHub shares only the profile information necessary for authentication and identity verification.
  • Passkeys (WebAuthn) — passwordless authentication using device-bound cryptographic keys.

Important: Authentication is only used to identify pre-authorized administrators. Users cannot self-register as administrators. Only accounts present in the admins table are allowed to access the dashboard after authentication. Authentication and authorization are separate — being authenticated does not grant access to the admin dashboard unless the account is specifically authorized.

We also offer a password reset feature for administrators. When requested, a password reset email is sent to the registered email address via Supabase Auth. After a successful password reset, other active sessions may be revoked to protect the account.

6. Third-Party Services

LiPy uses the following third-party services:

  • Supabase — provides authentication services, database (PostgreSQL) for storing security events, admin records, and dataset metadata, and object storage for handwritten character image files.
  • Vercel — hosts the frontend web application.
  • Microsoft Azure — hosts the FastAPI backend service for model inference.
  • Hugging Face — hosts the trained model weights and a reference copy of the dataset.
  • Google OAuth— used exclusively for authentication (sign-in). No other Google APIs are accessed. Google’s privacy policy applies to data handled during the OAuth flow.
  • GitHub OAuth— used exclusively for authentication (sign-in). No other GitHub APIs are accessed. GitHub’s privacy policy applies to data handled during the OAuth flow.

Each third-party service has its own privacy policy governing how it handles your data. We encourage you to review those policies.

7. Data Storage and Retention

  • Administrator authentication data is stored in Supabase Auth and retained until the administrator account is deleted.
  • Security event logs are stored in the Supabase database and retained indefinitely for audit purposes.
  • LiPyD contributor data(name, contributor ID, session information) is stored in browser cookies, localStorage, and IndexedDB. When Supabase is configured, contributor metadata and handwritten samples are uploaded to Supabase storage and database tables. This data is retained until you clear your browser data or use the “Reset profile” feature in LiPyD.
  • Handwritten character samples contributed through LiPyD are retained as part of the research dataset. Once synchronized to the remote database, they become part of the aggregate dataset used for model training.

8. Data Security

We implement reasonable security measures to protect your data, including:

  • Enforced 24-hour session expiration for administrator sessions.
  • Automatic session revocation after password changes.
  • Rate limiting on authentication attempts.
  • Detailed security event logging to detect and investigate unauthorized access.
  • Admin-only authorization checks on every protected route via middleware.

No method of electronic storage or transmission is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

9. Your Rights

Depending on your jurisdiction, you may have the following rights:

  • Access — request a copy of the data we hold about you.
  • Correction — request that we correct inaccurate data.
  • Deletion — request deletion of your data, subject to our retention policies.
  • Export — export your contributed dataset using the “Export dataset” feature in LiPyD.
  • Objection — object to the processing of your data for research purposes.

To exercise these rights, please contact us at the email address provided in Section 13. We will respond to your request within a reasonable timeframe.

10. Account Deletion

Administrator accounts: To request deletion of an administrator account, please contact us at the email below. Note that security event logs associated with the account may be retained for audit purposes.

LiPyD contributor data:You can delete your local contributor data at any time by using the “Reset profile” button in the LiPyD contributor panel. This clears all cookies, localStorage keys, and IndexedDB records associated with your contributor profile on your device. Data that has already been synchronized to the remote database may remain as part of the aggregate research dataset.

11. Children’s Privacy

LiPy is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal data, please contact us, and we will take steps to delete such information.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated effective date. We encourage you to review this policy periodically. Continued use of the platform after changes constitutes acceptance of the updated policy.

13. Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy or your data, please contact us at:

© 2026 LiPy Team. All rights reserved.