WriteFlow is built with a local-first philosophy. This means your writing is private by default and stays under your control.
1. Local Storage by Default
When you write, everything is saved to your browser’s IndexedDB storage (on your device). Nothing is sent to any server unless you explicitly sign in and choose to enable sync.
Even if you never create an account, your notes, drafts, font preferences, and background choices remain only on your device.
2. Optional Sync (When Signed In)
If you sign in, you can optionally sync your notes and preferences across devices. This data is stored in a PostgreSQL database (hosted on Neon).
- Every sync request is authenticated using secure httpOnly cookies via Better Auth.
- All database queries are strictly scoped to your user ID:
WHERE user_id = your_id. - There is no administrative query or backdoor that can read another user’s notes.
3. What the Developer Can (and Cannot) See
As the person who built and runs WriteFlow:
- I can technically connect to the database.
- However, because of the strict user ID scoping above, I have no practical way to read your private writing.
- I do not log the content of your notes anywhere.
- I only see error logs (e.g. “sync failed”) — never the actual text you wrote.
4. Encryption & Infrastructure
- All traffic between your browser and the servers is encrypted over HTTPS.
- Data at rest in the database is encrypted with AES-256 (standard for Neon Postgres).
- Authentication secrets and the Grok API key are stored only in Vercel’s environment variables (never in client-side code).
5. Your Rights
You can export all your data at any time from Settings → Export.
You can delete everything locally or from the cloud at any time.
If you have any questions about privacy or data handling, feel free to reach out at z@zlatkobijelic.com.