Privacy at Endpaper

Last updated · 2026-05-14

The short version

First Light is end-to-end encrypted. We cannot read it. Stars you promote are Sealed by default; you can choose Open at the moment of promotion to enable AI features for that Star. Open Stars are plaintext on our servers; Anthropic and OpenAI see them when you use AI.

What we collect

  • Email address (for sign-in)
  • First Light pages (ciphertext only, we cannot decrypt)
  • Sealed Stars (ciphertext only)
  • Open Stars (plaintext)
  • AI usage metadata (action, tokens, cost — not content)
  • Standard server logs

What we can read

  • Open Stars (plaintext)
  • Email, sign-in records, tier
  • AI usage metadata

What we cannot read

  • First Light pages
  • Sealed Stars
  • Your passphrase or recovery key (we don't have them)

Where data lives

  • Postgres database on Neon (us-east-1)
  • Encrypted backups, on Neon's standard backup infrastructure
  • When you use AI on Open Stars, content transits Anthropic and OpenAI servers

Third-party data handling

  • Anthropic — doesn't train on commercial-API data, retains briefly for abuse monitoring, then deletes
  • OpenAI — same policy for commercial-API data
  • Resend — handles sign-in and notification emails
  • Fly.io — hosts the app; Neon — hosts the database

What we don't do

  • Analytics or behavioral tracking
  • Selling or sharing data with advertisers
  • Reading Open Star content (we could, but we promise not to)
  • Anything with Sealed content (we can't)
  • Training AI models on user data

Your controls

  • Choose Sealed or Open at every capture or promotion
  • Switch storage mode on any Star at any time
  • Turn off AI at the account level entirely
  • Rotate your recovery key from Settings
  • Change your passphrase from Settings
  • Enroll a passkey for biometric unlock on subsequent visits
  • Copy any Star or First Light page as plaintext Markdown
  • Bulk export and account deletion — coming

Subpoenas and legal orders

We will produce what we have. For Open Stars, that's plaintext. For Sealed content, that's ciphertext we cannot decrypt. The user's passphrase is the only key, and the user holds it. If legally permitted, we will notify you.

Changes to this policy

We'll email existing users before changes that affect them. We won't quietly walk back protections.

See also: the FAQ for the conversational version of all of this.