Privacy
The service is intentionally simple, but a public avatar API still receives some request data in order to function. This page describes that practical baseline.
What The Service Receives
- the identifier you put in the request, such as an email address or username
- request parameters such as avatar type, size, format, and background
- standard HTTP metadata handled by the server, reverse proxy, and CDN, such as IP address, user agent, referrer, and request timing
What The App Itself Stores
The application does not require user accounts and does not set application cookies by default. In the basic request flow it generates the avatar on demand and returns it directly.
If object storage support is enabled and a signed-link or persistence route is used, the generated avatar file and its object key may be stored in the configured S3-compatible bucket.
Logging And Infrastructure
Depending on deployment, infrastructure components such as nginx, Caddy, Cloudflare, hosting providers, or S3-compatible storage may keep access logs and operational metadata. Those logs are part of running a public service and may contain the identifier you requested if it appears in the URL.
What To Avoid Sending
If you do not want personal data to appear in logs or URLs, do not send raw personal data as the id value. A common pattern is to send an internal stable id or a one-way application hash instead of a plain email address.
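One way to derive such an id in the calling application, shown as an added example that is not part of the service's or the crate's own code. It uses a keyed hash (HMAC-SHA256) rather than a bare digest, because an unkeyed hash of an email address can be matched by hashing candidate addresses. The key, the endpoint URL and the exact query parameter names are assumptions.

```python
import hashlib
import hmac
import unicodedata
from urllib.parse import urlencode

# Assumption: a per-application secret kept server-side (constructed demo value).
APP_KEY = b"constructed-demo-key-do-not-reuse"
# Assumption: hypothetical endpoint; substitute your deployment's real route.
BASE_URL = "https://avatars.example/avatar"


def normalize_email(email: str) -> str:
    """Canonicalize so the same mailbox always maps to the same avatar."""
    return unicodedata.normalize("NFKC", email).strip().casefold()


def avatar_id(email: str, key: bytes = APP_KEY) -> str:
    """Keyed one-way id: HMAC-SHA256 over the normalized email, 32 hex chars."""
    if not key:
        raise ValueError("empty key would make the id guessable from the email")
    # The fixed prefix keeps these ids distinct from other uses of the same key.
    msg = b"avatar-id:v1:" + normalize_email(email).encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def avatar_url(email: str, size: int = 128) -> str:
    """Build the request URL; only the derived id appears in it, so proxy,
    CDN and storage logs never record the address itself."""
    return BASE_URL + "?" + urlencode({"id": avatar_id(email), "size": size})


if __name__ == "__main__":
    print(avatar_url("Alice@Example.com"))  # constructed sample address
```

Rotating the key changes every id, so treat it as long-lived configuration if avatars should stay stable.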
Repository And Crate
You can inspect the implementation in the public API repository and the reusable avatar renderer in the Rust crate.