Legal
Privacy Policy
Last updated: June 21, 2026
1. Overview and Data Controller
This Privacy Policy describes how commentable <html> (“commentable”, “we”, “us”, “our”), the operator of html.commentable.link, collects, uses, stores, and shares your personal data, and explains the rights you have over it.
Data Controller: The data controller for personal data processed through this Service is the individual operator of commentable, located in Israel. Israel has been recognised by the European Commission as providing an adequate level of data protection for the purposes of GDPR (adequacy decision). For all data-related enquiries, use our contact form. A Data Protection Officer has not been appointed as the operator does not meet the thresholds requiring mandatory DPO designation under GDPR Article 37.
We have designed this Service with privacy as a core architectural constraint. The most sensitive data you provide — your HTML content — is encrypted in your browser before it leaves your device. We are technically incapable of reading it under normal operation (see Section 3 for scope and limitations).
TL;DR
- ✓ Your HTML content is encrypted client-side. We cannot read it under normal operation.
- ✓ We store your email address only for passwordless authentication.
- ✓ Comments are stored unencrypted — do not include sensitive data in comments.
- ✓ IP addresses are captured in server logs by our hosting providers. We do not operate third-party analytics.
- ✓ We do not sell, share for advertising, or trade your personal data.
- ✓ Sub-processors: Supabase (database/auth) and Vercel (hosting), both US-based.
2. Personal Data We Collect
2.1 Account Information
To publish pages you must create an account. We collect your email address, used solely to send passwordless sign-in links. We do not collect your name, phone number, or payment information (the Service is currently free).
2.2 Artifact Metadata
When you publish an HTML page, we store in our database:
- A randomly generated URL slug (e.g. k3mX9pQr)
- The optional title you provide
- Your encrypted HTML content — an opaque AES-256-GCM ciphertext (see Section 3)
- Visibility setting (unlisted or public)
- Optional expiration timestamp
- A PBKDF2-SHA256 hash of any page password you set — never the password in plaintext
- Your user ID (linked to your email)
- Creation timestamp
2.3 Comment Data
Anyone with a page link may leave comments without creating an account. When a comment is submitted, we store the commenter's chosen display name, comment text, pin coordinates, timestamp, and the associated artifact ID.
Comments are not encrypted and are readable by us. Do not include sensitive personal data in comments.
2.4 IP Addresses and Server Logs
Every HTTP request — including page views, comment submissions, and contact form submissions — is processed by our hosting provider (Vercel) and database provider (Supabase), both of which capture standard server logs containing IP addresses, browser user-agent strings, referring URLs, and request timestamps. This applies to registered users, anonymous visitors, and commenters alike.
We do not routinely access these logs; they are retained and used only for debugging, fraud prevention, and service security. We do not operate third-party analytics, tracking pixels, or behavioural advertising SDKs.
2.5 Cookies and Browser Storage
We use one authentication cookie set by Supabase (sb-<project-ref>-auth-token), which is a strictly necessary, first-party, HttpOnly session cookie. No consent is required for strictly necessary cookies under the EU ePrivacy Directive; you can delete it at any time through your browser settings, which will sign you out.
We store one item in your browser's localStorage per page you publish: the full share URL including the decryption key fragment. This data never leaves your device. It is not a cookie and is not subject to cookie consent rules.
Do Not Track / Global Privacy Control: We do not engage in cross-site tracking or behavioural advertising. Our existing practice already satisfies DNT and GPC signals: no tracking occurs regardless of signal.
3. End-to-End Encryption — Scope and Limitations
When you publish an HTML page, your browser generates a random AES-256-GCM key, encrypts your HTML content locally, and transmits only the resulting ciphertext to our servers. The decryption key is appended to the share URL as a #fragment.
URL fragments are not transmitted to HTTP servers — they remain in the browser. Under normal operation:
- We cannot read, search, or share the contents of your HTML pages.
- A breach of our database would expose only meaningless ciphertext.
- We cannot produce your HTML content in response to legal requests because we do not hold the decryption key.
- If you lose the full URL (including the #key=… fragment), the content is cryptographically unrecoverable.
Limitations: This guarantee would not apply if: (a) a court required us to modify client-side code to intercept keys; (b) a browser extension or network attacker intercepted the key before encryption; or (c) your device was already compromised. If you require absolute confidentiality against legal compulsion, consider self-hosting.
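The flow described in this section, as an added illustration that is not the Service's own code. It uses the WebCrypto API; the host, path layout, base64url key encoding and IV-prefixed upload format are assumptions, and only the #key= fragment name comes from this policy.

```javascript
// Added example (not the Service's code). The "#key=" fragment name is from
// the policy; host, path layout and IV-prefix upload format are assumptions.
const b64u = {
  enc: (b) => btoa(String.fromCharCode(...b)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, ''),
  dec: (s) => Uint8Array.from(atob(s.replace(/-/g, '+').replace(/_/g, '/')), (ch) => ch.charCodeAt(0)),
};
// Browser: globalThis.crypto. Older Node: fall back to node:crypto's webcrypto.
const getCrypto = async () => globalThis.crypto ?? (await import('node:crypto')).webcrypto;

// Publisher side: returns what is uploaded and what stays in the share URL.
async function publish(html, pageUrl) {
  const c = await getCrypto();
  const key = await c.subtle.generateKey({ name: 'AES-GCM', length: 256 }, true, ['encrypt']);
  const iv = c.getRandomValues(new Uint8Array(12)); // fresh 96-bit nonce per page
  const ct = new Uint8Array(await c.subtle.encrypt({ name: 'AES-GCM', iv }, key, new TextEncoder().encode(html)));
  const raw = new Uint8Array(await c.subtle.exportKey('raw', key));
  const upload = new Uint8Array(iv.length + ct.length);
  upload.set(iv);
  upload.set(ct, iv.length);
  return { upload, shareUrl: `${pageUrl}#key=${b64u.enc(raw)}` };
}

// What reaches the HTTP server: the URL with the fragment stripped.
function serverSees(shareUrl) {
  const u = new URL(shareUrl);
  return u.origin + u.pathname + u.search;
}

// Viewer side: key comes from the URL fragment, ciphertext from the server.
async function view(upload, shareUrl) {
  const c = await getCrypto();
  const rawKey = b64u.dec(new URLSearchParams(new URL(shareUrl).hash.slice(1)).get('key') ?? '');
  const key = await c.subtle.importKey('raw', rawKey, { name: 'AES-GCM' }, false, ['decrypt']);
  const pt = await c.subtle.decrypt({ name: 'AES-GCM', iv: upload.slice(0, 12) }, key, upload.slice(12));
  return new TextDecoder().decode(pt);
}

// Round trip on a constructed page, plus the two failure modes the section names.
async function roundTrip(html) {
  const { upload, shareUrl } = await publish(html, 'https://example.test/p/k3mX9pQr');
  const recovered = await view(upload, shareUrl);
  const tampered = upload.slice();
  tampered[tampered.length - 1] ^= 1; // flip one bit of the GCM tag
  const tamperRejected = await view(tampered, shareUrl).then(() => false, () => true);
  const noKeyRejected = await view(upload, serverSees(shareUrl)).then(() => false, () => true);
  return { recovered, tamperRejected, noKeyRejected, serverUrl: serverSees(shareUrl) };
}
```

The last two checks in roundTrip show that a modified ciphertext fails GCM authentication and that the server-visible URL alone cannot decrypt the stored blob.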
4. How We Use Your Personal Data
- Email address — Sending passwordless sign-in links (contractual necessity).
- Artifact metadata — Storing, retrieving, and displaying your published pages (contractual necessity).
- Comment data — Displaying feedback threads (contractual necessity).
- IP addresses / server logs — Service reliability, debugging, and abuse prevention (legitimate interest). We access these logs only reactively and do not build profiles from them.
We do not use your data to train machine-learning models, serve advertisements, build behavioural profiles, or for any purpose incompatible with those listed above.
6. Retention Periods
- Artifacts: Retained until deleted by you, or until the expiration date you set.
- Comments: Retained for as long as the associated artifact exists; deleted when the artifact is deleted.
- Email address / account: Retained until you request account deletion via our contact form.
- IP addresses / server logs: Retained by Vercel and Supabase per their own policies (typically 30–90 days). We do not maintain a separate copy.
7. Your Rights
All users
You may request access to, correction of, or deletion of personal data we hold about you via our contact form. We will respond in accordance with applicable law.
EU / EEA / UK residents (GDPR / UK GDPR)
You have the following rights:
- Access (Art. 15) — obtain a copy of the personal data we hold about you.
- Rectification (Art. 16) — correct inaccurate or incomplete data.
- Erasure (Art. 17) — request deletion of your data, subject to legal retention obligations.
- Restriction (Art. 18) — restrict our processing while a dispute is resolved.
- Portability (Art. 20) — receive your personal data in a structured, machine-readable format (JSON).
- Object (Art. 21) — object to processing based on legitimate interest. We will cease processing unless we can demonstrate compelling legitimate grounds.
- Withdraw consent — where we rely on consent, withdraw it at any time without affecting prior lawful processing.
You may also lodge a complaint with your local supervisory authority. In the EU, find your authority at edpb.europa.eu. In the UK, contact the ICO. In Israel, contact the Privacy Protection Authority.
California residents (CCPA / CPRA)
We do not sell or share personal information for cross-context behavioural advertising. You have the right to know, delete, correct, and opt out of sale (not applicable). We do not discriminate against users who exercise these rights. Submit requests via our contact form.
Israeli residents (Privacy Protection Law 5741-1981)
You have the right to access personal information we hold about you and to request its correction. Requests may be submitted via our contact form.
8. Security Measures
We apply the following technical safeguards:
- AES-256-GCM client-side encryption for all HTML content
- HTTPS (TLS 1.2 minimum) for all connections
- PBKDF2-SHA256 (100,000 iterations) for page password hashing
- Row-level security (RLS) policies at the database layer
- No third-party scripts loaded on artifact view pages
- Sandboxed iframe rendering (null-origin) for all published HTML
No system is perfectly secure. In the event of a personal data breach likely to result in risk to your rights and freedoms, we will notify the relevant supervisory authority as required by applicable law, and will notify affected individuals where required.
9. Children's Privacy
The Service is not directed to children under the age of 13 (or 16 in the EU/EEA). We do not knowingly collect personal data from children below these ages. If you believe a child has provided us with personal data without appropriate consent, contact us via our contact form and we will delete the data promptly.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will update the “Last updated” date above. Your continued use of the Service after any changes constitutes acceptance. If you do not accept the changes, you may request account deletion via our contact form.
11. Contact and Complaints
For all privacy-related questions, data subject requests, or to exercise any right listed in Section 7, use our contact form.
If you are unsatisfied with our response, you have the right to lodge a complaint with your national supervisory authority (see Section 7 for authority links).