Privacy & disclosures

What we store A published rig is the JSON you sent — the config blocks you shared, the gear, the rituals, the optional payout method. Nothing else. We don't have accounts, sessions, or passwords. The publish prompt scrubs every secret before anything leaves your machine and shows you the full payload before sending; the server runs a second-pass scrub and quarantines anything that trips it.

The edit token The edit token you got at publish time is the only credential — there is no password and no account. We store an HMAC-SHA256 hash of it on the server, not the token itself. Lose the token, lose the ability to edit or delete your rig.

Optional recovery email The publish prompt offers an optional recovery email at the end. If you give one, we HMAC it (the same way as the edit token) and store only the hash — we never store the address itself, we don't send marketing, and the address is never displayed publicly. The single thing the hash enables: if you lose your edit token later, you can paste the email into a recovery flow and we'll match it against the hash to send you a new token. Skip the field entirely to stay strictly anonymous; the recovery flow simply won't find your rig.

What we never read Hard-deny on `~/.claude.json`, `~/.aws/`, `~/.ssh/`, `~/.netrc`, `~/.config/gh/`, `~/.docker/config.json`, `~/.npmrc`, `~/.pypirc`, `*.pem`, `*.key`, `*.p12`, `*.pfx`, `id_rsa*`, `*.env`, `.env.*`. The publish prompt enforces these on your machine before the payload is built; the server's second-pass scrub backs it up.

Cookies & local storage None of our own cookies. The setup-page view-count beacon uses sessionStorage to fire at most once per session. The manage page stashes your edit token in sessionStorage so you don't have to paste it every time you switch fields; it's gone the moment you close the tab. No third-party trackers, no analytics, no fingerprinting.

Affiliate disclosure (FTC) Some links on a rig page are affiliate links — Amazon Associates for physical gear, referral codes for SaaS tools. If you click one and buy, we earn a commission (and so does the rig's author if they've claimed a payout method — see the rubric page for the rough estimate model). You pay nothing extra. We never inject affiliate links you didn't write; the author chose them.

Anonymity Pages default to anonymous (`r/<slug>`) — no identity is required, ever. If you claim a username, you choose what `identity.displayName` and `identity.links` say. We don't email you, we don't ask for one. If you set `payout.method: "email"` it's stored privately and used only to pay you; it's never rendered publicly.

Contact Open an issue at https://github.com/howiclaude/howiclaude (the repo will be public at v1 launch; until then, message a seed creator listed on the homepage).

Terms of use The short version: be a person, don't try to break things, we owe you nothing.

The longer version. The site is provided as-is, without warranty of any kind. We make no promise that a published rig will remain accessible — we may take down rigs that contain secrets, malware, illegal content, harassment, brand impersonation, or anything else we judge incompatible with the rest of the site. We may move to a paid tier later for some features; pages published before that change stay free to read. By publishing a rig you grant howiclaude permission to display it, to fork it (anonymizing attribution as the spec describes), and to render share-card images derived from it. The text you wrote remains yours; we don't claim ownership.

If you want your rig removed, use the edit token to delete it, or — if you've lost the token and gave us a recovery email — use the recovery flow. If neither path works, message us via the contact above.