Privacy Policy
Last updated: March 7, 2026
TablaCognita is built on a zero-data hosting principle. We designed the product so that your documents never leave your browser. This policy explains what we do and do not collect.
1. What We Do NOT Collect
We never store, cache, log, or transmit your document content. Documents exist only in your browser's memory. The server acts as a relay — routing messages between your browser and your AI agent — without inspecting or retaining content.
- Document text, markdown, or any content you write
- Snapshots (stored in your browser's IndexedDB, never sent to our server)
- Cloud storage tokens or file contents (tokens are stored in your browser's localStorage; file content flows directly between your browser and the cloud provider)
2. What We Collect
We store the minimum information needed to operate user accounts:
- Email address — used for login and account identification
- Password hash — scrypt-hashed; we never store plaintext passwords
- Account tier — free or pro
- API key — a random token for MCP client authentication (starts with
tc_) - Google OAuth ID — if you sign in with Google, we store the Google account ID to link your account
- Stripe customer ID — if you subscribe to Pro, we store the Stripe customer ID for billing management
This data is stored in a SQLite database on our server infrastructure.
3. Server Logs
Our server logs contain operational information such as connection events, authentication outcomes (success/failure), and error diagnostics. Logs may include your email address and IP address. Logs do not contain document content. Logs are retained for operational purposes and are not shared with third parties.
4. Third-Party Services
TablaCognita integrates with the following services:
- Stripe — payment processing for Pro subscriptions. Stripe's privacy policy applies to payment data. We do not store your payment card details.
- Google OAuth — optional sign-in method. We receive your email and Google account ID. Google's privacy policy applies to the OAuth flow.
- Cloud storage providers (Google Drive, OneDrive, Dropbox, Box) — optional. OAuth tokens are stored in your browser only. Document content flows directly between your browser and the provider without passing through our server.
- Fly.io — our hosting provider. Their infrastructure privacy terms apply to server-side data.
- Google Analytics — we use Google Analytics (GA4) to understand how our site is used (page views, traffic sources). Google Analytics may set cookies. Google's privacy policy applies. No personal document content is sent to Google Analytics.
5. Cookies and Local Storage
Google Analytics may set cookies for analytics purposes. We also use browser localStorage to store:
- Your authentication token (30-day expiry)
- Your user profile (email, tier)
- Cloud storage provider tokens (if you connect a provider)
Snapshots are stored in IndexedDB in your browser.
6. Data Retention
Account data is retained as long as your account exists. You can delete your account at any time from the Account panel in the editor. This permanently removes your account and all associated data.
7. Data Security
All connections use HTTPS/WSS. Authentication uses OAuth (Google, Microsoft) — we do not store passwords. Authentication tokens are HMAC-signed. API keys are cryptographically random. Rate limiting is applied to authentication endpoints.
8. Children's Privacy
TablaCognita is not directed at children under 13. We do not knowingly collect personal information from children under 13.
9. Changes to This Policy
We may update this policy from time to time. Material changes will be noted on this page with an updated date.
10. Contact
For privacy questions or data deletion requests, contact us at support@tablacognita.com.