Unfiltered means direct, detailed, and honest — without marketing fluff. We try to separate evidence from interpretation, show tradeoffs, and keep the strongest counterpoint in view.
Explain the why, show the steps, and keep the context that typical search results flatten away.
Call out what is evidence, what is interpretation, and link you back to the source material.
Tune appearance, AI summary, filters, and region from the gear menu — without losing the habit of one search bar.
Built for people who want the why — not just a link list.
abbiey.search aims to minimise what we keep. This policy explains what data we collect, why, and where third parties are involved.
abbiey.search is operated by Abbiey Matthews (abbiey.search, "we", "our"). You can reach us at privacy@abbieysearch.com.
If you create an account, you provide us:
You can sign up with Google OAuth instead of email/password. In that case, we receive your Google email and name only; no other Google data is accessed.
Registered users may optionally store bookmarks and search history in their account. Search history is off by default and only syncs if you enable it. This data is yours and visible only to you. You can delete it at any time from your profile page, from Settings (clear all), or by turning history back off.
Incognito session (Settings → Privacy) stops new searches from being written to local history and to your account history for that browser, even if history saving is enabled. It does not change how third-party indexes see requests they receive when we fetch results for you.
Our hosting provider (Vercel) automatically records standard web server logs (IP address, HTTP method, URL path, response code, timestamp) for up to 30 days for security and abuse prevention. We do not analyse these logs for marketing purposes. Our own analytics tables store only a keyed digest of the query for aggregate counting, not the raw query text. Because search uses URL parameters, infrastructure logs outside our application may still temporarily contain the requested URL.
Optional Public signals lookups run only when you choose them (for example, expanding “Public signals (OSINT)” on a detected domain, IP, or email, or using the image lightbox action for the page host). They are not part of normal web search and are not written to your search history.
When you use this feature, our servers query public technical sources on your behalf, currently including:
cloudflare-dns.com) for DNS records such as A, AAAA, MX, NS, and TXT.rdap.org for registration metadata for domains and IPv4 addresses.dig / whois (optional self-hosted module) only when those programs are installed on the server and enabled in configuration—typical for developer setups on Linux/Kali, not used on our default production image.Those operators may process the hostname or IP you looked up according to their own policies. We apply short-lived in-memory caching on our side to reduce repeat queries; we do not store OSINT result payloads in your account or in analytics tables.
Self-hosters can disable or narrow OSINT using environment variables documented in .env.example (ABBIEY_OSINT_ENABLED, ABBIEY_OSINT_MODULES).
We set the minimum cookies required to operate the service:
session — a signed, server-side session cookie that keeps you logged in. HttpOnly, Secure, SameSite=Lax. Expires when your browser session ends (or 7 days if you tick "remember me").Google Analytics is configured in "Basic" mode and only fires if you have not opted out via browser settings or an ad blocker. If Google AdSense is enabled, Google may set cookies or use identifiers for ad delivery and measurement as described in Google’s advertising policies.
| Data | Why | Legal basis |
|---|---|---|
| Email address | Account recovery, transactional emails | Contract / legitimate interest |
| Bookmarks & history | Providing your personalised dashboard | Contract (account features) |
| Server logs | Security, abuse prevention, uptime monitoring | Legitimate interest |
| Payment info | Processed entirely by Stripe — we receive only a confirmation token, never card details | Contract |
We are transparent about where your data physically lives and which legal regime applies.
Singapore (Supabase ap-southeast-1). Data at rest is encrypted by Supabase; access is restricted via Row Level Security. Cross-border transfers are subject to Supabase’s DPA.RESEND_API_KEY env var unset to disable.
Self-hosters can surface their own region label by setting
ABBIEY_DATA_REGION (one of sg, eu, us,
local). EU data residency on the public-hosted instance is on
the roadmap; if you need it today, self-host into an
eu-central-1 Supabase project — everything in the codebase supports it.
We use the following sub-processors. Each has its own privacy policy.
rdap.org to the relevant registry or RIR; those operators process the domain or IP being looked up.To delete your account and all associated data, go to Profile → Delete Account or email privacy@abbieysearch.com.
Depending on where you live, you may have the right to:
Email privacy@abbieysearch.com to exercise any of these rights. We respond within 30 days.
abbiey.search is not directed at children under 13. We do not knowingly collect data from children. If you believe a child has created an account, contact us and we will delete it promptly.
All data is transmitted over HTTPS (TLS 1.2+). Passwords are hashed with bcrypt. Database access requires authenticated, encrypted connections. We apply Content Security Policy, HSTS, and other hardening headers.
We may update this policy. Material changes will be notified via the email address on your account. The "Last updated" date at the top will always reflect the current version.