Privacy Policy
Last updated: May 1, 2026
This Privacy Policy explains how Webmatter Solutions LLC ("we," "us") collects, uses, and shares personal information in connection with SmartHarness (the "Service"). It applies to visitors to our marketing pages and to registered users.
1. Information we collect
Account information. When you register, we collect your email address and a password. We never store your password — we store a salted Argon2id hash. We also record an emailVerifiedAt timestamp once you click the verification link.
Session data. When you log in, we generate a session token, store an SHA-256 hash of it on our servers, and record the IP address and User-Agent of the request. We use this to keep you logged in and to detect suspicious activity. The cookie holding the token is httpOnly and expires after 30 days.
Content you create. Projects, diagrams, custom components, and component groups that you create on the Service are stored in our database so you can return to them.
Public share links. If you generate a /s/... share link, the share token (hashed) and any expiration or revocation timestamps are stored. The contents of the shared diagram are visible to anyone with the link until you revoke it.
Billing information. All payment processing is handled by Stripe. We do not see, store, or have access to your full card number, CVV, or bank account number. We store the Stripe Customer ID associated with your account, your subscription status, plan, and renewal date so we can apply the correct entitlements.
Email correspondence. We send transactional emails for account verification and password reset. We do not currently send marketing email.
Analytics. On our public marketing pages we use Plausible Analytics, a privacy-friendly analytics product that does not set cookies and does not collect personal data. It records aggregated, anonymized page-view data.
Cookies. We use two first-party cookies:
- rh_session: required to keep you logged in.
- rh_csrf: protects against cross-site request forgery on form submissions.
We also store a small theme value in localStorage to remember light/dark mode. We do not use advertising cookies, social-media trackers, or session-replay tools.
2. How we use information
We use the information above to:
- create and secure your account;
- provide the Service (storing and rendering your diagrams, generating exports, providing share links);
- process subscription payments and apply plan entitlements;
- send transactional email (verification, password reset, billing notifications via Stripe);
- detect and respond to abuse, fraud, and security issues;
- understand aggregate, anonymous traffic patterns to improve the Service;
- comply with legal obligations.
We do not sell or rent your personal information to third parties, and we do not use Your Content to train machine-learning models.
3. Service providers we share data with
| Provider | Data shared | Purpose |
|---|---|---|
| Stripe (US) | Email, Stripe Customer ID, subscription events | Payment processing and subscription management |
| Email provider (SMTP host or Mailgun, depending on deployment) | Recipient email, transactional message contents | Delivery of verification and password-reset emails |
| Hosting / database provider | All Service data at rest and in transit | Operating the Service |
| Plausible Analytics (EU) | Anonymized, aggregated page views from public pages | Aggregate site analytics (no personal identifiers) |
Each provider is contractually required to handle data on our behalf and not for its own purposes, except where it acts as an independent controller (e.g., Stripe for fraud prevention).
4. International transfers
Your data may be processed in countries other than the one you live in, including the United States and the European Union, depending on which providers handle a given request. Where required, we rely on standard contractual mechanisms (such as Standard Contractual Clauses) to protect cross-border transfers.
5. Your rights
Depending on where you live, you may have the right to:
- access the personal information we hold about you;
- correct inaccurate information;
- delete your account and personal information;
- export a copy of Your Content;
- object to or restrict certain processing;
- lodge a complaint with your local data-protection authority.
To exercise any of these rights, email us at support@webmatter.io. We aim to respond within 30 days. We may need to verify your identity before acting on a request.
California residents (CCPA/CPRA): the rights above include the right to know, delete, correct, and opt out of "sale" or "sharing" of personal information. We do not sell personal information.
6. Account deletion and data retention
You can delete your account at any time from the Account page. Deletion is immediate: we cancel any active Stripe subscription, then permanently remove your account, sessions, projects, diagrams, custom components, component groups, and share tokens. Backups containing this data are overwritten within 30 days. We retain a minimal record of billing and tax events for as long as required by applicable tax law (typically up to 7 years), and we retain Stripe payment records under Stripe's own retention policies. If you'd prefer to make a deletion request by email, write to support@webmatter.io and we'll process it manually.
We retain other data only as long as necessary for the purpose it was collected:
- Sessions are deleted automatically once they expire (30 days) or when you log out.
- Email verification tokens are deleted as soon as they are used or expire (24 hours).
- Password reset tokens expire after 1 hour and are marked consumed after use.
- Billing records are retained as required by applicable tax law.
7. Security
We protect your data with: TLS in transit; password hashing with Argon2id; database session tokens stored only as hashes; HMAC-signed tokens for time-limited print/share access; CSRF protection on mutating endpoints; httpOnly cookies for session tokens. No system is perfectly secure, and we cannot guarantee absolute security; please use a unique, strong password and keep it confidential.
8. Children
The Service is not directed to children under 16, and we do not knowingly collect personal information from children under 16. If you believe a child has provided us with personal information, contact support@webmatter.io and we will delete it.
9. Changes to this policy
We may update this Privacy Policy. If we make material changes we will notify you by email or in-app notice before they take effect. The "Last updated" date at the top of this page reflects the most recent revision.
10. Contact
Questions, complaints, or requests about your personal information: support@webmatter.io.