Privacy Policy
DexThemes is an open-source theme discovery and creation service for Codex. This policy covers the website, API, MCP app, and Codex plugin.
Data we process
- GitHub account identifiers and public profile fields used for sign-in, attribution, and account recovery.
- For supporter claims, the Buy Me a Coffee transaction ID, supporter name and email supplied by that service, amount, currency, claim status, and relevant webhook event identifiers.
- Theme names, summaries, palettes, likes, copy counts, achievements, leaderboard activity, moderation reports, and submission timestamps.
- Short-lived OAuth and plugin session records, rate-limit counters, and security logs needed to protect the service.
- For the “OpenAI is nothing without its people” achievement and Human Spark reward, only a boolean indicating that a signed identity provider verified an exact
@openai.comdomain. DexThemes does not retain that work email address for the bonus.
DexThemes does not ask the plugin for a workspace user ID, owner ID, repository contents, hidden prompts, API keys, or access tokens as tool arguments.
How data is used
Data is used to provide authentication, theme creation and publishing, creator stats, achievements, leaderboards, abuse prevention, moderation, and service reliability. Public submissions display the creator name and theme data the user confirmed for publication.
Supporter status never requires public listing. The supporter wall shows a user's public GitHub name, username, avatar, and unlock date only after explicit opt-in. Claim records are retained while needed to verify supporter access, prevent fraud, process refunds or revocations, and resolve support requests; users may request access, correction, deletion where applicable, or removal from the public wall through support.
Sharing and subprocessors
DexThemes relies on hosting, database, identity, analytics, and platform providers to operate the service. Those providers process only the data needed for their role. DexThemes does not sell personal data.
Retention and control
Short-lived OAuth state and plugin sessions expire automatically. Community content and associated counters remain while published or as needed for moderation, security, legal obligations, and abuse prevention. To request account access or deletion, open a minimal request through GitHub Issues without posting private information; the maintainer will continue the request through GitHub identity verification.
Security
DexThemes uses OAuth with PKCE, signed token verification, scoped access, hashed API keys, rate limits, server-derived identity, and confirmation before public submission. No online service can guarantee absolute security.
Children and changes
DexThemes is not directed to children under 13. Material changes will be posted here with a new effective date.
Contact
For privacy or security questions, use the support page. Do not include secrets or private workspace data in a public issue.