Privacy

Last updated: May 21, 2026. WebDocs ("we", "our") describes how we handle information in this product. This is a product notice, not personalized legal advice.

Two ways to use WebDocs

Public demo at /— The sample document, any HTML you import for the session, and comments you add there live in your browser's memory for that visit. Reloading restores the built-in demo; we do not send that trial content to our servers or to Convex. A small viewer preference (comment highlight color) may be saved in your browser's local storage until you clear it.

Cloud workspace at /app — Signing in creates a Clerk-authenticated session. We store each document as a snapshot: title, opaque document id, current HTML string, anchored comment metadata derived from your document, version number, and an owner id tying the row to your Clerk account. All of this is stored in Convex (our database and server functions provider). Convex functions check your identity before returning or changing a document; other accounts cannot query your rows by design.

Security practices we rely on

Encryption in transit. You access WebDocs over HTTPS. Traffic between your browser, our app hosting, Clerk, and Convex uses Transport Layer Security consistent with normal production web apps.

Encryption at rest (hosted data).User data stored in Convex is encrypted at rest on Convex's side as part of their platform—not a separate switch you enable in app code. Convex states that all user data stored in Convex is encrypted at rest; see Status and Guarantees and Platform Security. If you need contractual or compliance detail beyond those pages, check with Convex directly.

Access control. Uploaded HTML and comments exist in decrypted form inside Convex functions so the product can validate, annotate, and serve previews. That is standard for server-backed collaboration tools—it is not end-to-end encryption. Do not upload material that requires true client-only encryption unless you layer that protection yourself before upload.

Deletion.When you remove a document in the cloud workspace, we delete its Convex row; there is no in-product trash or undo. Backups and provider retention are governed by Convex's policies; we do not operate a separate long-lived copy for recovery.

Limits. User-supplied HTML is rejected beyond the byte cap enforced in Terms of use and in the application.

Service providers

Clerkhandles sign-in session and identity for /app; see Clerk's documentation and privacy materials for categories of account data they process.

Convex hosts document rows, runs our server functions that enforce authorization, and provides realtime updates to signed-in clients.

Application hosting serves the Next.js frontend (for example via Vercel or another host you configure). Hosting providers necessarily process requests and TLS metadata like any SaaS frontend.

Changes

We will update this page when practices change materially. Continuing to use the product after updates means you accept the revised notice.