Privacy Policy
Effective: 1 July 2026
1. Who we are
Paperbase is a hosted PDF generation API operated by the Paperbase team (“Paperbase,” “we,” or “us”). Our service is available at paperbase.dev and via the API at api.paperbase.dev.
2. What data we collect
Account data
When you sign up, we collect your email address to create your workspace and issue an API key. We do not collect payment information in Phase 1 — there is no billing.
Render data
When you call the API, we temporarily store the rendered PDF and a preview image in Supabase Storage so we can return a signed download URL. Files are automatically deleted after 24 hours (live keys) or 1 hour (test keys). We do not read, analyse, or train on the content of your documents.
Usage telemetry
We log per-render metadata — job ID, key prefix, render time, page count, warning codes, and design quality score — to monitor service health and enforce the free-tier quota (100 renders/month). We do not log document content.
Server logs
Standard HTTP request logs (IP address, timestamp, route, status code) are retained by our hosting provider (Vercel) for up to 30 days.
3. How we use your data
- To authenticate your API requests and enforce usage limits.
- To deliver the rendered PDF and preview to you via signed URLs.
- To monitor service performance and investigate errors.
- To contact you about your account if needed (no marketing without consent).
4. Data sharing
We do not sell your data. We share data only with the infrastructure providers required to operate the service:
- Vercel — hosting and serverless compute.
- Supabase — database, storage, and authentication (us-east-1 region).
Both providers are GDPR-compliant and process data under data processing agreements.
5. Cookies
The marketing website (paperbase.dev) does not use tracking or analytics cookies. The docs site (docs.paperbase.dev) may use a session cookie for the Fumadocs search index. No third-party advertising cookies are used.
6. Data retention
Rendered files are deleted automatically after 24 hours (live) or 1 hour (test). Account data (email, API keys) is retained until you delete your account. Usage logs are retained for 90 days then purged.
7. Your rights
You may request access to, correction of, or deletion of your personal data at any time by emailing privacy@paperbase.dev. We will respond within 30 days.
8. Security
API keys are stored as bcrypt hashes (cost 10). All data in transit is encrypted via TLS. Supabase Storage enforces row-level security so each workspace can only access its own files.
9. Changes
We may update this policy as the service evolves. Material changes will be notified by email to registered users at least 14 days before taking effect. The effective date above reflects the most recent revision.
10. Contact
Questions about this policy: privacy@paperbase.dev.