Privacy
og is a public OG image API. Read this if you're considering passing anything you'd rather keep private into the URL.
What we render
Every /api/og URL produces a public PNG. The URL itself contains your params (title, site, accent, etc.) and is logged server-side for rate limiting and abuse detection. Treat the URL as public — anyone with it can fetch the image. Don't put secrets, internal product names, or private quotes in the params.
Caching
Each unique URL is cached as an immutable PNG on Vercel's CDN. We do not store rendered PNG bytes ourselves. To invalidate a cached PNG, change a param (e.g. add &v=2).
Account data
If you sign up for Pro, we store your email, your Stripe customer ID, your subscription status, and a generated API key. We do not see card data — Stripe handles that. You can delete your account by emailing hello@basenull.com — we'll wipe your row and revoke your API key.
Custom logos (Pro)
When you pass ?logo=, we fetch the URL server-side and embed it in the rendered PNG. The fetched bytes are not stored — re-fetched on each cache miss. We restrict to https URLs and block private/internal IPs.
Analytics
We use Umami Cloud for traffic analytics. No cookies, no cross-site tracking, no third-party ad networks.