Privacy
1. What we collect
From you
- Your chosen username — public, displayed wherever your account shows up.
- Your email address — for sign-in, verification, password resets, and security notices.
- A hash of your password using a modern memory-hard password-hashing function. We never see, store, or transmit the plaintext.
- Any passkey credentials you register, stored as their public key + standard WebAuthn metadata.
- Your synced content if you subscribe to the sync feature — canvases, editor sections, the text you write. Stored encrypted in transit and at rest. Not read, scanned, or trained on.
Automatically
- Device public keys you register for sync.
- IP address and User-Agent at the time of authentication events — used for rate limiting and security forensics, not for tracking.
- Audit log entries on sign-in, sign-out, password change, device add/remove. Retained 12 months.
- That's it. No analytics, no telemetry, no tracking.
From third parties
- Paddle (Merchant of Record): your subscription status, plan, billing period end, and the email Paddle has on file for you.
- Apple (if you subscribe via iOS): a subscription token and expiration time. We don't receive your Apple ID, card, or billing address.
- Have I Been Pwned: nothing about you. We send only the first 5 characters of a SHA-1 hash of new passwords (k-anonymity) and check the returned list against the remaining characters locally. No data about you ever leaves our server.
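The k-anonymity lookup described above, as an added example that is not part of this page or deskplot's own code: the caller hashes the candidate password, sends only the 5-character prefix, and matches the 35-character remainder locally. The `fake_range_fetch` stand-in and its breach counts are constructed so the example runs offline; against the real service the fetcher would be an HTTP GET of the `range/{prefix}` endpoint.

```python
import hashlib
from typing import Callable

# Transport hook: given the 5-character hex prefix, return the raw body of a
# range lookup (one "SUFFIX:COUNT" entry per line). Only the prefix is ever
# passed to it, so the password's full hash never leaves the caller.
RangeFetcher = Callable[[str], str]


def split_sha1(password: str) -> tuple[str, str]:
    """Hex SHA-1 of the password split into the 5-char prefix and 35-char suffix."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Map each returned suffix to its breach count; padding entries (count 0) are dropped."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        if count.isdigit() and int(count) > 0:
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: RangeFetcher) -> int:
    """Return how often the password appeared in breaches (0 = not found)."""
    prefix, suffix = split_sha1(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# Constructed stand-in for the range endpoint so the example runs offline.
# It lists the notoriously weak password "password" plus two made-up filler
# suffixes, and records every prefix it was asked for.
requested_prefixes: list[str] = []


def fake_range_fetch(prefix: str) -> str:
    requested_prefixes.append(prefix)
    lines = ["0" * 34 + "A:3", "F" * 34 + "1:0"]  # second line mimics padding
    weak_prefix, weak_suffix = split_sha1("password")
    if prefix == weak_prefix:
        lines.append(f"{weak_suffix}:3861493")  # constructed count
    return "\r\n".join(lines)


if __name__ == "__main__":
    print(breach_count("password", fake_range_fetch))  # 3861493 (constructed)
    print(breach_count("long unique passphrase 7Q!x", fake_range_fetch))  # 0
```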
2. How we use it
- Provide the service. Sign you in, sync your content between your devices, deliver paid features.
- Communicate with you. Verification emails, password resets, security alerts, important service notices.
- Secure the service. Rate limit abuse, detect credential stuffing, audit suspicious activity.
- Bill you. Apply your subscription state from Paddle/Apple to your account.
- Comply with the law. Tax records, lawful requests, fraud prevention.
We do not use your data to train AI models. We do not sell, rent, or trade your data with anyone for their own purposes. We do not place advertising. We do not send marketing emails. If we ever start sending marketing, you'll be asked to opt in first.
3. Lawful bases (GDPR / UK GDPR)
- Contract — running your account and providing the editor and sync service you signed up for. Applies to account data, content sync, billing state.
- Legitimate interests — security (audit log, rate limiting, breach checks), operating the service efficiently. We've assessed the balance and our interests don't override your privacy rights.
- Legal obligation — tax records, lawful disclosure requests.
- Consent — we don't currently rely on consent for anything. If we ever introduce marketing email, that's the only place we'd ask.
4. Who we share data with
Only the sub-processors listed below, only for the purposes stated. We disclose data outside that list only when required by valid legal process (and we'll notify you unless legally prohibited from doing so).
5. Sub-processors
| Sub-processor | Purpose | Where |
|---|---|---|
| Cloudflare, Inc. | Hosting, CDN, DDoS protection, Workers + D1 storage | Global (incl. US, EU) |
| Paddle.com Market Ltd | Merchant of Record, payment processing, tax remittance | UK / EU / US |
| Resend, Inc. | Transactional email delivery | US |
| Apple Inc. | iOS in-app subscription billing, when you purchase via App Store | US |
| Have I Been Pwned | Password breach checking via k-anonymity (no data about you sent) | UK / global CDN |
6. International transfers
Cloudflare, Paddle, Resend, and Apple operate globally; data may be processed in the United States, EU, and elsewhere. Where personal data leaves the EU/UK, transfers are covered by Standard Contractual Clauses or equivalent safeguards with each sub-processor. You can request a copy of the SCCs we rely on.
7. How long we keep data
| Data | Retention |
|---|---|
| Account profile | While active, plus 30 days after deletion for recovery |
| Synced content | Until you delete it or close your account |
| Authentication audit log | 12 months |
| Billing records | 7 years (tax law) |
| Magic link tokens | Up to 1 hour, then deleted |
| Session tokens (hashed) | Up to 30 days from last use |
8. Your rights
Regardless of where you live, you can:
- Access the data we hold about you
- Correct anything inaccurate
- Export your data in a portable format
- Delete your account and the data with it
- Object to our processing where based on legitimate interests
EU/UK residents additionally have rights to restrict processing, data portability, withdraw consent (where applicable), and complain to a supervisory authority. To exercise any of these, write to [email protected]. We respond within 30 days at the latest.
9. US state-specific rights
Residents of California, Colorado, Connecticut, Virginia, Utah, Texas, Nevada, and other US states with comprehensive privacy laws have rights to know, access, correct, delete, and (where applicable) opt out of "sales" or "sharing" of personal information.
We do not sell or share personal information for cross-context behavioral advertising as those terms are defined under CCPA/CPRA, Colorado CPA, or similar laws. There is therefore no "Do Not Sell or Share" toggle to operate. We do not process sensitive personal information beyond what's listed in section 1.
To exercise California rights, email [email protected] or write to the postal address in section 15. We provide two methods on request. We don't discriminate against users who exercise these rights.
10. Information for minors
deskplot is not directed at children under 13 (United States) or under 16 (most EU member states; some set the threshold at 13). We do not knowingly collect personal data from anyone in that bracket. If you believe a child has provided personal data, write to [email protected] and we will delete it and the associated account.
11. Cookies and tracking
The marketing site (deskplot.com) sets no cookies. The desktop and mobile apps store an opaque session token in the OS keychain — this is not a cookie, and it never leaves your device except as the Authorization header on our API calls.
Should we ever introduce cookies (e.g., for an authenticated web client), they will be strictly necessary, first-party only, and disclosed in an updated version of this page. We do not honor or override "Do Not Track" or Global Privacy Control because we don't engage in the tracking those signals were designed to suppress.
12. Automated decision-making
We do not perform automated decision-making or profiling with legal or similarly significant effects under GDPR Article 22 or analogous laws. We use automated rate-limiting and abuse-detection systems, but their decisions are reviewable by a human and don't determine your access to legal rights or services on their own.
13. Security
Passwords are hashed with a modern memory-hard function using current OWASP-recommended parameters. Sessions use opaque random tokens stored only as their SHA-256 hash. Card data never reaches our servers. Webhook payloads are signed and replay-protected. We use TLS 1.2+ for all traffic. We follow OWASP guidance and write an audit log on every authentication event.
If you discover a security vulnerability, please report it to [email protected]. We don't currently run a paid bug bounty but we acknowledge meaningful reports.
14. Changes
If we make material changes, we'll notify you by email and post a notice on this page at least 14 days before they take effect. Continued use after that date counts as acceptance.
15. Contact
Privacy questions or rights requests: [email protected]
Postal address: [postal address to be added before launch]