Privacy by explicit boundary

Know where your work lives.

Fabric distinguishes device-local recovery state, synchronized workspace data, identity records, and AI-provider requests because privacy depends on explicit boundaries.

Follow the Data Flow

On this device

Cached board state and supported pending assets

Fabric storage

Identity, sessions, workspaces, boards, assets, comments, checkpoints, and AI run records

Realtime service

Authorized board updates while connected; ephemeral awareness is not written to board history

AI provider

The instruction and selected semantic objects for an explicit run, with provider storage requested off

Data flow

Local first does not mean local only.

A collaborative product must move data. The privacy job is to make each transition scoped, visible, authorized, and reversible where possible.

  1. Create locally

    An edit appears immediately and enters a device-local durable queue.

  2. Synchronize

    Authorized updates merge through the realtime service when a connection exists.

  3. Store privately

    Snapshots, update tails, assets, comments, and checkpoints remain access-controlled.

  4. Process deliberately

    Exports, share links, and explicit AI runs receive the resource data required for that action.

Current data handling

Implemented storage, without invented retention promises.

This table maps the data the application stores and the controls it currently exposes. It does not imply a deletion or retention service level.

Data ClassCurrent StorageCurrent Boundary
OAuth identity and sessionsName, email, avatar, provider account ID, database session, and hashed network metadataProvider access, refresh, and ID tokens are discarded before account persistence. Sessions expire or can be revoked.
Workspace and board contentWorkspaces, projects, roles, board snapshots, comments, share-link metadata, checkpoints, and media metadata in Neon; private upload bytes in Cloudflare R2Effective board access is checked for every read and mutation. Boards can be archived, links revoked, and replaced or abandoned media is removed through durable cleanup.
Realtime recovery statePrincipal-, board-, and generation-scoped IndexedDB state plus durable server updatesDevice state remains in that browser. Signing out ends the session but does not guarantee deletion of browser recovery data.
AI runsInstruction, bounded conversation and selected-canvas context, hashes, events, proposal, usage, and status in Fabric storageOnly an explicit AI run calls the configured OpenAI-compatible streaming endpoint.
Security and session eventsSession timestamps, user-agent family, IP hash, and account security eventsThese records support session visibility and revocation; the application does not publish a retention duration for them.

Your device is a real storage location.

Visited board state and pending work can remain in IndexedDB under the principal, board, and document generation. Signing out invalidates the Fabric session but does not currently guarantee that browser recovery data is erased.

An AI run crosses another boundary.

Fabric sends the instruction, bounded conversation, and selected-canvas context to the configured OpenAI-compatible model only after an editor starts a run. Requests are streamed and provider processing remains subject to the configured account, endpoint, and provider terms.

Scope of this notice

Product behavior, separated from contractual terms.

This page describes behavior visible in the application and its repository. It does not provide a contractual retention period, deletion SLA, backup guarantee, subprocessor schedule, or compliance certification.

Review the boundary, then use the product.

Fabric keeps device recovery, synchronized workspace data, identity records, and AI-provider requests distinct in both the interface and implementation.