Privacy Policy

Last updated: April 24, 2026

This Privacy Policy explains what we collect, why we collect it, and who we share it with. Two audiences matter here: account holders (people who sign up to host docs) and docs visitors (people reading a hosted docs site). We handle data differently for each.

01. Data we collect from account holders

When you create an Outworx Docs account we collect:

  • Email address (required for sign-in via magic link)
  • Name and avatar if you sign in with GitHub or Google
  • Stripe customer ID if you subscribe to a paid plan (Stripe handles all card details; we never see them)
  • Your projects: names, slugs, descriptions, API specifications you upload, and any custom branding

We use this to provide the service, bill you on paid plans, send transactional emails (magic links, billing confirmations), and provide support when you ask for it.

02. Data we collect from docs visitors

When a visitor browses a public docs site hosted on Outworx, we collect minimal analytics:

  • Page views (path, referrer, country, browser family, OS, device type)
  • Visitor hash — a one-way hash of IP + user agent, used to approximate “unique visitors.” We do not store raw IP addresses in analytics.

If a visitor uses the AI chat drawer on a paid docs site, we also store:

  • Chat messages (both the visitor's questions and our AI's responses)
  • A random session token stored in the visitor's browser so they can resume their chat
  • Token usage per session for billing and rate-limit enforcement

Only the project owner can view these chat sessions, in their dashboard. Chat sessions are automatically archived after the plan's retention window (7 / 30 / 360 days for Free / Pro / Business) and can be cleared at any time by the visitor via the “Clear chat” button.

03. How we use your data

We use the data above strictly to operate the service:

  • Provide the features you signed up for
  • Bill you and process payments (via Stripe)
  • Send transactional emails (magic link, billing, quota warnings, account alerts)
  • Generate aggregate analytics for project owners (chat stats, page-view summaries)
  • Detect and prevent abuse
  • Debug issues when you report them

We don't sell your data. We don't rent it. We don't use account holder or visitor data to train any AI model.

04. Service providers we share data with

To run the service we rely on a small set of trusted third parties:

  • Supabase — database hosting, authentication, file storage, scheduled jobs. Our primary data store.
  • Stripe — payment processing. Card details never touch our servers.
  • OpenAI — powers AI chat, search, description generation, and code examples. When AI features are used, the relevant content (the question, retrieved spec chunks, and recent conversation history) is sent to OpenAI to generate a response.
  • Upstash Redis — rate limiting.
  • Resend — transactional email delivery.
  • Vercel — application hosting.

These providers process data only on our instruction. We don't share your data with anyone for marketing or advertising purposes.

05. Cookies and local storage

We use a minimal set of browser storage items:

  • Authentication cookies (for logged-in users) set by Supabase
  • Password-access cookies (for password-protected docs sites)
  • Chat session token in localStorage (so visitors can resume their chat after refresh)
  • Shared header values in localStorage (so visitors don't re-type their API key in the Try It playground)

We don't set marketing, advertising, or cross-site tracking cookies.

06. How long we keep data

Account data: while your account is active, plus up to 30 days after deletion.

Projects, specs, versions: until you delete them or your account.

Chat sessions and messages: retained per the project owner's plan — 7 days on Free, 30 days on Pro, 360 days on Business — then auto-archived daily by a scheduled job.

Page view analytics: retained for up to 12 months.

Billing records: retained as required by law and tax regulations (typically 7 years).

07. Your rights

Depending on where you live (EU, UK, California, etc.), you may have rights to:

  • Access the data we hold about you
  • Correct inaccurate data
  • Delete your data (right to be forgotten)
  • Export your data in a portable format
  • Object to certain processing

To exercise any of these, email info@outworx.io. We'll respond within 30 days. Account holders can delete their account directly from the Settings page.

Docs visitors who want a specific chat transcript deleted can ask the project owner, or use the “Clear chat” button in the drawer, which archives their session.

08. International data transfers

Our infrastructure runs in US data centers. If you're outside the US, your data may be transferred to, stored in, and processed in the US or other countries where our service providers operate. We use standard contractual clauses and provider-specific safeguards where required by law.

09. Security

We use encryption in transit (HTTPS everywhere, including custom domains) and at rest (Supabase-managed), Row-Level Security policies on every table so customers can only see their own data, and industry-standard practices for credential management.

No system is perfectly secure. If you discover a vulnerability, please email info@outworx.io with details and we'll investigate.

10. Children

The service is not directed at children under 13 (or 16 in the EU) and we don't knowingly collect their data. If you believe a child has provided us with information, email us and we'll delete it.

11. Changes to this policy

We may update this policy as the service evolves. Material changes will be announced by email to account holders and via a dashboard notice at least 14 days before taking effect. Continuing to use the service after that date constitutes acceptance.

12. Contact

Privacy questions, data-access requests, or deletion requests — email info@outworx.io.

Related: see our Terms of Service.

This policy is a good-faith starting point and will be refined with legal review. If you're representing a company with strict compliance needs, email us — we'll share our most current version plus a Data Processing Agreement where appropriate.