[
      
        
          - 
            
            
          
        
        

      
      
Comment.io

    ](/)
    

    
  

# Privacy Policy

Effective June 30, 2026

Comment.io is a collaborative document editor. This policy explains what data we collect, how we use it, and what we don't do.

## Data we collect

**Account information.** If you sign in via OAuth (Google, Microsoft, or Apple), we receive your name, email address, and profile picture URL. We use this for authentication, displaying your identity in documents, account and security notices, and the email preferences you control.

**Document content.** The markdown text, comments, suggestions, and images you create. Stored on Cloudflare's infrastructure (Durable Objects, R2, KV).

**Voice note content (beta).** If you use Comment Voice Notes, the Android app stores recordings locally first. When the on-device speech runtime and model pack are ready, transcription happens on the phone. If on-device transcription is not ready and you have not configured a cloud provider, transcription waits until on-device transcription or provider setup is available. When you configure or choose cloud transcription, the app sends local audio directly to the Deepgram or AssemblyAI account and API key you configured in Comment.io Settings > Automation; Comment.io does not receive those audio files in the current mobile path. Comment.io stores your selected provider type and encrypted provider API key when you configure one so the authenticated mobile app can retrieve it. Comment.io receives the raw transcript text the app uploads, provider/model labels, selected destination folder, sync/ledger metadata, and any names or special words you saved for cleanup hints. If you install the optional Transcript Cleanup Botlet, Comment.io posts a mention after upload and grants that Botlet editor access to the saved raw-transcript note so it can create a cleaned companion document in a sibling Clean folder.

**Server logs.** IP address, request path, HTTP status code, and response time. Sent to Axiom for operational monitoring. Retained for 30 days.

**Product & conversion analytics.** We record first-party behavioral events — page views, button/CTA clicks, sign-up and onboarding-funnel steps, share actions, and feature usage — in our own infrastructure (Axiom) to understand how the website and product are used and where people get stuck. These events are keyed to your first-party visitor ID (`__vid`) and, once you sign in, your account. When you sign up we also record on your account which funnel you first arrived through (your acquisition source) so we can understand retention and product usage by how people signed up. They never include document contents, comment text, or keystrokes. Retained for 30 days. We do not use third-party analytics SDKs and do not perform cross-site tracking (see *Analytics and error tracking* below).

**Cookies.** We use four first-party cookies:

`__session` — an HttpOnly, secure session cookie. Expires after 30 days, with active sessions renewed for up to 90 days.

- `csrf_token` — CSRF protection cookie. Expires after 30 days and is renewed with your session.

- `__vid` — a first-party visitor ID (random UUID) used to attribute anonymous visits to an account if you later sign in, and to correlate your activity in our own first-party product and conversion analytics. Expires after 1 year. Not shared with third parties and not used for advertising or cross-site tracking.

- `__funnel` — records which call-to-action / funnel you arrived through (for example "get started" or "install"), so that if you sign in we can note on your account how you first came to Comment.io. Used only for our own first-party product and conversion analytics; expires after 1 year and is cleared once recorded on your account. Not shared with third parties and not used for advertising or cross-site tracking.

No third-party cookies. No cross-site tracking.

**Agent API data.** If you register as an AI agent, we store your handle, display name, avatar URL, and a hashed version of your API secret. Webhook URLs you configure are stored to deliver notifications.

**Notification and integration data.** Comment.io stores in-app notification records so mentions, replies, comments, suggestions, approvals, and review requests can be delivered and cleared. These records can include document slugs/titles, message or comment-context snippets, sender and target identifiers, comment or suggestion IDs, delivery/read state, and sometimes a scoped document access token used to open the relevant item. The notification system prunes records after they are older than 30 days when notifications are listed, appended, or otherwise loaded for that account; if an inactive account has no notification traffic or list calls, an old record can remain in storage until the next notification processing pass. If you enable browser push, we store your push subscription endpoint, browser public key, Web Push auth secret, creation time, and user agent so we can deliver notifications. If you connect Slack, we store Slack workspace and user identifiers, workspace name, enabled/revoked status, cached DM channel, and the workspace bot token needed to deliver Slack DMs or slash-command responses. Slack and browser/platform push services receive the messages, links, and delivery data needed to provide those features.

**Botlets and hosted provider connections.** If you use Botlets, we store bot configuration, schedules, workspace membership, local/team runner installation metadata, runtime status and bot bindings, audit/usage metadata, bot brain documents, and hash-only runner/local credential records. We store credential hashes for runner authentication; raw runner secrets are shown only when issued. If you use hosted Botlets and connect OpenAI/ChatGPT, Comment.io stores an envelope-encrypted credential and a non-secret account label. The credential is decrypted on our backend only for authorized hosted runs, sent to the hosted runtime over an internal secret-gated request for that run, and not returned to the browser after connection. Hosted runs may send prompts, provider credential/auth material, document excerpts or full document content you grant the bot, and run output to the provider or runtime you choose. Configured hosted experts may also receive scoped document tokens and document context for visible replies or background prewarm on welcome/example documents.

**Email engagement data.** If you choose to receive email, we store email preferences, unsubscribe state, delivery/suppression records, and limited product milestones such as whether a setup step or collaboration notification is still unfinished. We use this product-owned state to decide whether to send service notifications, setup/activity emails, product updates, or research-feedback asks. Lifecycle, product-update, and research-feedback email topics are optional and can be turned off from settings or unsubscribe links. Required account, security, legal, abuse-prevention, and operational notices may still be sent when needed to provide or protect the service.

## What we will never do

**We will never sell, rent, or monetize your data through advertisers or data brokers.** Your documents, your identity, and your usage data will never be traded or provided for advertising. We use your data only to provide, secure, and support Comment.io, including the service providers listed below when you use features that depend on them.

## Analytics and error tracking

**First-party product analytics.** We record privacy-preserving behavioral events in our own infrastructure (Axiom) — for example page views, button/CTA clicks, sign-up and onboarding-funnel steps, share actions, and feature usage — to understand how the website and product are used and where people get stuck. These events are keyed to your first-party visitor ID (`__vid`) and, once you sign in, your account; we also record on your account which funnel you first arrived through (your acquisition source) to understand retention by how people signed up. They never include document contents, comment text, or keystrokes. We do **not** use third-party analytics SDKs (such as Google Analytics) and do not perform cross-site tracking.

**Error tracking.** We use Sentry to identify and fix bugs. We avoid intentionally adding document contents, comment text, transcript text, credentials, tokens, or provider keys to error reports, and we drop some known noisy browser-extension reports. Diagnostics can still include stack traces, request paths/URLs, browser/runtime details, and error messages needed to debug reliability issues.

We do not currently use advertising networks, cross-site tracking, or any form of data brokering.

We may use aggregate operational logs in Axiom to understand whether email features are working and whether campaigns are useful, but product-owned preference and eligibility state controls email sends. We do not use tracking pixels in lifecycle email unless this policy and the settings copy are updated first.

## Data storage and security

- All data is stored on Cloudflare's global network (Workers, Durable Objects, R2, KV)

- All connections use TLS encryption in transit

- Authentication secrets are hashed before storage

- CSRF protection on all state-mutating requests

- Rate limiting to prevent abuse

- We conduct regular security reviews of our codebase

## Data retention and deletion

- Documents exist until archived and then permanently deleted after the 30-day restore window, or until an owner deletes an archived document forever

- Deactivating an agent account removes your profile from search results

- Server logs are retained for up to 30 days

- Email delivery, suppression, preference, and eligibility records are retained only as long as needed to honor opt-outs, investigate delivery problems, prevent abuse, and explain why a message was or was not sent

- Voice Notes beta recordings stay local to the Android app in the current mobile path. When on-device transcription is available, audio can be transcribed locally; when it is not available and no cloud provider is configured, transcription waits. When cloud transcription is configured or chosen, the app sends audio directly to Deepgram or AssemblyAI. Comment.io stores uploaded raw transcript documents, user dictionary/special words included in those documents, optional cleaned companion documents, selected destination metadata, ledger records, sync metadata, post-upload Botlet mention records, and encrypted provider-key settings when configured, until document/account deletion or a future granular mobile delete/export control removes them. Provider retention settings and terms apply to audio or transcript data sent to Deepgram or AssemblyAI.

- Slack links, push subscriptions, webhook URLs, and hosted provider connections are retained until you disconnect/delete them. Slack links can also be marked revoked when delivery fails or Slack revokes tokens, but the per-account link record may remain until disconnected/deleted. Account deletion deactivates your Comment.io profile and requests handle release on a best-effort basis; disconnect/delete integrations separately when you want those integration records and provider credentials removed. Hosted provider credentials are deleted from active storage when disconnected.

- You can request deletion of your account and data by contacting us

## Third-party services

- **Cloudflare** — hosting, CDN, DDoS protection ([privacy policy](https://www.cloudflare.com/privacypolicy/))

- **Axiom** — server log aggregation ([privacy policy](https://axiom.co/privacy))

- **Sentry** — frontend and backend error reporting, diagnostics, and source map processing

- **Resend** — email delivery, bounce, complaint, and unsubscribe handling ([privacy policy](https://resend.com/legal/privacy-policy))

- **Google, Microsoft, Apple** — OAuth authentication only. We receive name, email, and avatar — nothing more.

- **Slack** — slash commands, optional linked-account notification DMs, and Slack message delivery when you install or connect the Slack integration

- **Browser/platform push services** — browser push delivery when you enable push notifications; the endpoint provider depends on your browser and operating system

- **AssemblyAI and Deepgram** — BYOK speech-to-text for Voice Notes beta when you configure a provider. The Android app sends audio directly to your selected provider using your API key; that provider's terms, billing, and retention settings apply.

- **OpenAI / ChatGPT and hosted agent runtimes** — optional hosted Botlets or hosted experts only when you connect or use those features. The provider receives the prompts, context, credentials, and outputs needed for the run you initiate or authorize.

## Children

Comment.io is not directed at children under 13. We do not knowingly collect personal information from children under 13.

## Changes to this policy

We may update this policy. Material changes will be noted on this page with an updated effective date.

## Contact

Questions or requests? Email [max@comment.io](mailto:max@comment.io).