
Privacy at Endpaper

Last updated · 2026-05-23

The short version

First Light is end-to-end encrypted. We cannot read it. Stars and Confluences you keep are Sealed by default; you can choose Open at the moment of promotion or creation to enable AI features. Open content is plaintext on our servers; Anthropic and OpenAI see it when you use AI.

When you publish a Confluence, the published version's privacy depends on where you publish it — see the When you publish section below.

What we collect

  • Email address (for sign-in)
  • Handle, display name, and optional public bio (if you've set them — these are the public-facing parts of your Endpaper publications)
  • First Light pages (ciphertext only, we cannot decrypt)
  • Sealed Stars (ciphertext only)
  • Open Stars (plaintext)
  • Sealed Confluences (ciphertext only)
  • Open Confluences (plaintext)
  • Citations in your library (plaintext — bibliographic records: title, author, year. Not personal expression.)
  • Published versions of Confluences sent to the Endpaper destination (plaintext HTML, served as public web pages)
  • AI usage metadata (action, tokens, cost — not content)
  • Standard server logs

Confluences published to your own site via Jekyll are not stored by us beyond the snapshot record needed to track the publication; the committed file lives in your repository. Downloaded Markdown publications are not stored by us at all.

What we can read

  • Open Stars (plaintext)
  • Open Confluences (plaintext)
  • Citations in your library — the bibliographic records you enter, not the surrounding writing. The inline citation marker positions inside a Sealed Confluence are plaintext too (offsets + a citation FK reveal nothing about the prose around them).
  • Published Endpaper posts (plaintext HTML — they're public web pages)
  • Email, sign-in records, account settings
  • AI usage metadata
  • Standard server logs

What we cannot read

  • First Light pages
  • Sealed Stars
  • Sealed Confluences
  • Your passphrase or recovery key (we don't have them)
  • Files committed to your own Jekyll repository (we have no copy)
  • Markdown files you've downloaded (we have no copy)

Where data lives

  • Postgres database on Neon (us-east-1)
  • Encrypted backups, handled per Neon's standard backup retention
  • Marketing site (homepage, /about, /help, /faq, /privacy) on Cloudflare Pages
  • When you use AI on Open content, that content transits Anthropic and OpenAI servers
  • When you publish to a Jekyll destination, the committed file is sent to GitHub via the GitHub Contents API using an installation token from the Endpaper Publishing GitHub App

Third-party data handling

  • Anthropic — doesn't train on commercial-API data, retains briefly for abuse monitoring, then deletes
  • OpenAI — same policy for commercial-API data; used for embeddings (finding related Stars)
  • Resend — handles sign-in and notification emails
  • Fly.io — hosts the app; Neon — hosts the database
  • Cloudflare Pages — hosts and serves the marketing site and the SPA shell
  • GitHub — when you publish to a Jekyll destination, our GitHub App commits the rendered Markdown file to your configured repository

What we don't do

  • Analytics or behavioral tracking
  • Selling or sharing data with advertisers
  • Reading Open content (we could, we promise not to)
  • Anything with Sealed content (we can't)
  • Training AI models on user data
  • Tracking who reads your published posts — Endpaper-hosted publications have no analytics and no third-party scripts
  • Setting any tracking cookies anywhere

When you publish

Publishing changes the privacy posture of the published version. The source Confluence in Endpaper is unaffected; the public artifact has its own reality depending on the destination.

Publishing to Endpaper. Your Confluence becomes a public web page at endpaper.day/by/{handle}/{slug}. The published version is plaintext on our servers, served to anyone with the URL. If the source Confluence was Sealed, the act of publishing requires decrypting it on your device and sending the plaintext to us — the source Confluence stays Sealed; the published version is plaintext. Unpublishing returns 410 Gone for 30 days, then 404; the public artifact is gone.

Publishing to your own site (Jekyll-via-Git). Your Confluence is committed as a Markdown file to your GitHub repository. From that moment, the file lives in your repo's git history and is replicated by GitHub's infrastructure. We don't retain a copy of the file beyond the snapshot record in our database. Unpublishing in Endpaper doesn't delete the file from your repo by default — that's a one-click option but not automatic.

Downloading. A Markdown file is decrypted on your device (if the source was Sealed) and downloaded directly. We don't have a server-side copy.

Sending to Mail. Your Confluence is rendered as an email and sent via Resend to every confirmed subscriber on your list. The email content lives briefly in Resend's infrastructure during delivery, then in each subscriber's inbox indefinitely. Email is a one-shot channel — once an email leaves, we can't recall it. If the source Confluence was Sealed, sending it to Mail requires decrypting it on your device and sending the plaintext to Endpaper's email infrastructure.

The publish dialog spells out the specific implications for each destination at the moment you publish. The dialog is the trust contract for the publication action — read it.

When someone subscribes to your writing

Anyone can subscribe to a writer's list at endpaper.day/by/{handle}/subscribe. We store the subscriber's email address, their optional display name, the list they joined, and a few timestamps (when they subscribed, when they confirmed, when they most recently received an email).

We do not track which emails subscribers open or which links they click. We do not collect device or location information. There are no tracking pixels, no link rewriting, no behavioral analytics. Every email contains a one-click unsubscribe link; clicking it immediately marks the subscriber as unsubscribed and they won't receive further emails from that writer's list.

Bounce events from Resend automatically unsubscribe the affected address so a dead inbox isn't repeatedly mailed. The unsubscribe action is logged for the writer's send history but is not announced to them — readers' inbox decisions are theirs.

Your controls

  • Choose Sealed or Open at every capture, promotion, or Confluence creation
  • Switch storage mode on any Star or Confluence at any time
  • Turn off AI at the account level entirely
  • Rotate your recovery key from Settings
  • Change your passphrase from Settings
  • Enroll a passkey, and enable biometric unlock per credential
  • Copy any Star or First Light page as plaintext Markdown
  • Unpublish any published Confluence — Endpaper destinations return 410 Gone for 30 days, then 404; Jekyll destinations leave the file in your repo by default, with an explicit option to delete it from the repo too
  • Bulk export of your Stars and First Light pages as a single ZIP from Settings
  • Account deletion — immediate and irreversible; your content is removed from the active database the moment you confirm

Cookies

Endpaper sets no cookies. Sign-in state is kept in your browser's localStorage, scoped to endpaper.day.

The marketing site (homepage, /about, /help, /faq, /privacy) sets no cookies. Endpaper-hosted published posts at endpaper.day/by/{handle}/{slug} set no cookies.

If you've published to your own site via Jekyll, whatever cookies that site sets are determined by your site's configuration, not by Endpaper.

Data retention

Active content is kept until you delete it or delete your account.

Content you soft-delete from inside the product (Stars or Confluences you remove) is recoverable for 30 days from Settings, then permanently purged.

Server logs are kept 90 days, then rotated.

Account deletion is immediate. Your content is removed from the active database the moment you confirm (every foreign key cascades from your user row). Backups containing your content are handled per Neon's standard backup retention.

Subpoenas and legal orders

We will produce what we have. For Open content, that's plaintext. For Sealed content, that's ciphertext we cannot decrypt. The user's passphrase is the only key, and the user holds it. If legally permitted, we will notify you.

Changes to this policy

We'll email existing users before changes that affect them. We won't quietly walk back protections.

See also: the FAQ for the conversational version of all of this.

Questions about this policy? Email [email protected] — Aaron reads every message.