Privacy Policy

Last updated: April 13, 2026

Workshelf ("we", "our", or "the Service") is a writing platform that provides version control for creative writing projects. This privacy policy explains what data we collect, how we use it, and your rights.

1. Data We Collect

Account Information

Email address — for login, verification, and password reset
Username — for identification and collaboration
Display name — optional, shown in your profile
Password — stored as an irreversible bcrypt hash (we cannot read your password)

Content

Writing content — text you create in repositories, stored as structured JSON
Version history — commit snapshots of your files for diff/history features
Metadata — file names, folder structure, branch names, commit messages

OAuth Data (if using GitHub or Google login)

We receive your name, email, and profile image from the provider
We store OAuth access/refresh tokens to maintain your session
We do not access your repositories, contacts, or other provider data

2. Data We Do NOT Collect

No analytics or tracking scripts
No third-party advertising
No cookies beyond authentication (session cookie only)
No IP addresses stored permanently (used transiently for rate limiting only)
No browser fingerprinting
No user agent tracking

3. How We Use Your Data

To provide the Service — storing and serving your writing content
To authenticate you and protect your account
To send transactional emails (verification, password reset) — never marketing
To enforce rate limits and prevent abuse (IP addresses, not stored long-term)

4. Data Sharing

We do not sell, rent, or share your personal data with third parties, except:

Infrastructure providers — Neon (database), Vercel (hosting), Upstash (rate limiting), Resend (email), Sentry (error monitoring) process data on our behalf under their privacy policies
Legal requirements — if compelled by law enforcement with valid legal process
Your choice — public repositories are readable by anyone; private repositories are only accessible to you and your collaborators

5. Data Security

All connections are encrypted in transit (TLS/HTTPS)
Passwords are hashed with bcrypt (cost factor 12)
Sessions use signed JWTs with 24-hour expiry
Security headers (HSTS, CSP, X-Frame-Options) are enforced
Repositories are private by default

6. Your Rights

Access — you can view all your data through the application
Export — you can export your repositories as ZIP files, or download a complete copy of all your data (profile, repos, files, commits) as JSON from your account settings
Deletion — you can delete your account and all associated data from your account settings. This is immediate and irreversible.
Correction — you can update your profile information at any time

7. Data Retention

We retain your data for as long as your account is active. When you delete your account, all data (profile, repositories, files, commits, collaborator records) is permanently and immediately deleted. We do not maintain backups of deleted accounts.

8. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the CCPA:

Right to Know — you may request what personal information we collect, use, and disclose
Right to Delete — you may request deletion of your personal information (available via account deletion)
Right to Opt-Out of Sale — we do not sell personal information
Non-Discrimination — we will not discriminate against you for exercising your CCPA rights

To exercise these rights, use the account settings or email us at the address below.

9. Children

Workshelf is not directed at children under 13. We do not knowingly collect data from children. If you believe a child has created an account, please contact us.

10. Changes

We may update this policy. Significant changes will be communicated via email or in-app notification. Continued use after changes constitutes acceptance.

11. Contact

For privacy questions or data requests, email us at privacy@workshelf.dev.

← Back to Workshelf