1. Who we are

Paperbase is a hosted PDF generation API operated by the Paperbase team (“Paperbase,” “we,” or “us”). Our service is available at paperbase.dev and via the API at api.paperbase.dev.

2. What data we collect

Account data

When you sign up, we collect your email address to create your workspace and issue an API key. We do not collect payment information in Phase 1 — there is no billing.

Render data

When you call the API, we temporarily store the rendered PDF and a preview image in Supabase Storage so we can return a signed download URL. Files are automatically deleted after 24 hours (live keys) or 1 hour (test keys). We do not read, analyse, or train on the content of your documents.

Usage telemetry

We log per-render metadata — job ID, key prefix, render time, page count, warning codes, and design quality score — to monitor service health and enforce the free-tier quota (100 renders/month). We do not log document content.

Server logs

Standard HTTP request logs (IP address, timestamp, route, status code) are retained by our hosting provider (Vercel) for up to 30 days.

3. How we use your data

  • To authenticate your API requests and enforce usage limits.
  • To deliver the rendered PDF and preview to you via signed URLs.
  • To monitor service performance and investigate errors.
  • To contact you about your account if needed (no marketing without consent).

4. Data sharing

We do not sell your data. We share data only with the infrastructure providers required to operate the service:

  • Vercel — hosting and serverless compute.
  • Supabase — database, storage, and authentication (us-east-1 region).

Both providers are GDPR-compliant and process data under data processing agreements.

5. Cookies

The marketing website (paperbase.dev) does not use tracking or analytics cookies. The docs site (docs.paperbase.dev) may use a session cookie for the Fumadocs search index. No third-party advertising cookies are used.

6. Data retention

Rendered files are deleted automatically after 24 hours (live) or 1 hour (test). Account data (email, API keys) is retained until you delete your account. Usage logs are retained for 90 days then purged.

7. Your rights

You may request access to, correction of, or deletion of your personal data at any time by emailing privacy@paperbase.dev. We will respond within 30 days.

8. Security

API keys are stored as bcrypt hashes (cost 10). All data in transit is encrypted via TLS. Supabase Storage enforces row-level security so each workspace can only access its own files.

9. Changes

We may update this policy as the service evolves. Material changes will be notified by email to registered users at least 14 days before taking effect. The effective date above reflects the most recent revision.

10. Contact

Questions about this policy: privacy@paperbase.dev.