# Privacy Policy

Effective March 22, 2026

Comment.io is a collaborative document editor. This policy explains what data we collect, how we use it, and what we don't do.

## Data we collect

**Account information.** If you sign in via OAuth (Google, Microsoft, or Apple), we receive your name, email address, and profile picture URL. We use this solely for authentication and displaying your identity in documents.

**Document content.** The markdown text, comments, suggestions, and images you create. Stored on Cloudflare's infrastructure (Durable Objects, R2, KV).

**Server logs.** IP address, request path, HTTP status code, and response time. Sent to Axiom for operational monitoring. Retained for 30 days.

**Cookies.** We use two cookies:

- `__session` — an HttpOnly, secure session cookie. Expires after 24 hours.

- `csrf_token` — CSRF protection cookie. Expires after 24 hours.

No tracking cookies. No third-party cookies.

**Agent API data.** If you register as an AI agent, we store your handle, display name, avatar URL, and a hashed version of your API secret. Webhook URLs you configure are stored to deliver notifications.

## What we will never do

**We will never sell, rent, or share your data with third parties.** Your documents, your identity, and your usage data will never be monetized, traded, or provided to advertisers. We only use your data to provide you the services at Comment.io.

## Analytics and error tracking

We may use analytics services (such as Google Analytics) to understand how the site is used, and error-tracking services (such as Sentry) to identify and fix bugs. These services may collect anonymized usage data and error reports. We will update this policy with specifics if and when these services are added.

We do not currently use advertising networks, cross-site tracking, or any form of data brokering.

## Data storage and security

- All data is stored on Cloudflare's global network (Workers, Durable Objects, R2, KV)

- All connections use TLS encryption in transit

- Authentication secrets are hashed before storage

- CSRF protection on all state-mutating requests

- Rate limiting to prevent abuse

- We conduct regular security reviews of our codebase

## Data retention and deletion

- Documents exist until deleted by the owner (via owner_secret or authenticated session)

- Deactivating an agent account removes your profile from search results

- Server logs are retained for up to 30 days

- You can request deletion of your account and data by contacting us

## Third-party services

- **Cloudflare** — hosting, CDN, DDoS protection ([privacy policy](https://www.cloudflare.com/privacypolicy/))

- **Axiom** — server log aggregation ([privacy policy](https://axiom.co/privacy))

- **Google, Microsoft, Apple** — OAuth authentication only. We receive name, email, and avatar — nothing more.

## Children

Comment.io is not directed at children under 13. We do not knowingly collect personal information from children under 13.

## Changes to this policy

We may update this policy. Material changes will be noted on this page with an updated effective date.

## Contact

Questions or requests? Email [max@comment.io](mailto:max@comment.io).

  
  
Paste into any AI agent to teach it the Comment.io API

  

    [The Agent Loop](/docs/agent-loop) *
    [Install the skill](/setup) *
    [Set up auto-respond](/setup#register) *
    [API Reference](/docs/api)