Privacy

• Your email, when you sign in. One row per email in our users table. We never sell, share, or send marketing to it.
• Your docs, in full. Every HTML version you push is stored verbatim in our Postgres database — including any sensitive content inside it. Treat duodoc-hosted as roughly as sensitive as a Google Doc on a personal Google account.
• Your comments, including the author email, the anchored text fingerprint, the body, and resolved-state.
• Consumed magic-link token IDs (the jtionly, not the token itself), so old links can't be replayed.

• Your Anthropic API key.Stored in your browser's localStorage only. When you click Address with Claude or Visualize Markdown, the key is POSTed to our server, forwarded to Anthropic in one in-memory request, then discarded. It is never written to our database, our logs, or our caches.
• Passwords. We use magic-link email sign-in (single-use tokens), not passwords.
• Analytics on your reading behavior. No mouse tracking, no scroll-depth telemetry, no per-comment view counts.

• Vercel — hosts the app + runs the API routes. Sees request headers + bodies in transit. Logs may retain request URLs (not bodies) for ~30 days.
• Neon — hosts the Postgres database. Sees doc HTML + comments at rest. Encrypted at rest, TLS in transit.
• Anthropic — receives your doc HTML + the target comment whenever you invoke Address with Claudeor Visualize Markdown. Subject to Anthropic's data usage policies under your API key.
• Resend — sends magic-link and notification emails. Sees the recipient email + the message body.

If any of these processors are unacceptable, see the alternatives below.

1. Private visibility. Mark any doc privatein the doc settings panel — only you can view, even with the URL. Useful for drafts that aren't for sharing yet but still live in our DB.
2. Self-host — run duodoc on your own infrastructure. Single docker-compose file, your own Postgres, your own domain. We see nothing.
3. Local-only mode — duodoc serve from the CLI launches a localhost-only Next.js server backed by embedded pglite (Postgres in WASM). Nothing leaves the laptop. Best for solo + Claude Code agent loops where no one else is reviewing.

• Export. The download menu in every viewer gives you .html, .md, and a .zip bundle of any doc and all its comments. You can take everything with you.
• Delete. Doc settings → Danger zone → Delete removes the doc plus every version, comment, and snapshot. Cascades on the schema enforce this.
• Account deletion.Not self-serve yet. Email us; we'll wipe the row + all your docs.

Material changes will be reflected in the commit history of this file (src/app/privacy/page.tsx). We'll add timestamps once the page is more than a snapshot of an honest first pass.

Last edited: 2026-05-21.