Privacy Policy
Last updated 6 June 2026
This policy explains what Excaliwow collects when you use the hosted service at excaliwow.com, why, and the choices you have. We have tried to describe what the product actually does, in plain language, rather than list every theoretical practice.
Who we are
Excaliwow ("we", "us") is a personal, non-commercial learning and hobby project for creating and sharing diagrams, run by an individual based in Florida, United States. We are the controller of the personal data described below. If you have any question about this policy or your data, contact us at support at excaliwow dot com.
What we collect
Account information
When you sign up we collect your email address (required) and an optional display name. If you create a password, we store it only as a salted hash, never in plain text. If you sign in with Google or GitHub instead, we store the tokens those providers issue so we can keep you signed in.
Content you create
We store the diagrams you create, the images you upload into them, comments you write, and the folder structure you organize them in. This content is yours; we process it only to provide the service to you and the people you share it with.
Usage and technical data
We use Cloudflare Web Analytics, a privacy-preserving, cookieless analytics tool, to understand aggregate traffic (page views, referrers, broad device class). It does not use cookies, does not fingerprint you, and does not build a cross-site profile. Our servers also keep standard operational logs (such as IP address and request metadata) for a limited period, to run and secure the service.
To diagnose errors and monitor performance, we send application traces to Honeycomb, our monitoring provider. These traces can include limited account identifiers — such as your email address — so we can tie a problem to the affected account and fix it. They do not include your diagram content. Traces are retained for a limited period (currently up to 60 days) and then deleted automatically.
How we use your data
- To provide the service: store and render your diagrams, sync real-time collaboration, and serve the share links you publish.
- To authenticate you and keep your account secure.
- To send transactional email you need (verification, password resets, security notices, account changes).
- To send optional product and referral emails, which always include an unsubscribe link.
- To understand aggregate usage and improve the product.
We do not sell your personal data, and we do not use your diagrams to train machine learning models.
Cookies
We use only the cookies needed to run the service. We do not use advertising or cross-site tracking cookies, and our analytics are cookieless. For that reason we do not show a cookie consent banner.
- Session cookies keep you signed in after you log in.
- Theme cookies remember your light or dark preference.
- Referral and share cookies are set only if you follow a referral link or open a password-protected public diagram, to make those features work.
Email
We send email through Resend, our email provider. Transactional messages (such as email verification, password resets, and security notices) are part of the service and are sent to all users. Product and referral emails are optional and carry an unsubscribe link in every message; unsubscribing stops them without affecting transactional email.
Where your data lives and who processes it
Your account data and diagrams are stored in our database; uploaded images and generated thumbnails are stored in our object storage. We rely on a small set of service providers (subprocessors) to operate Excaliwow:
- Our hosting and object-storage provider, for running the service and storing files.
- Resend, for sending email.
- Cloudflare, for content delivery and cookieless analytics.
- Honeycomb, for performance monitoring and error diagnostics; our application traces may include your email address as an account identifier.
- Google and GitHub, only if you choose to sign in with them.
Some of these providers, and our own infrastructure, process and store data in the United States.
Security
We take reasonable technical and organizational measures to protect your data, including encryption in transit and access controls. No online service can be perfectly secure, but if a breach affects your personal data, we will notify you and any relevant authority as required by applicable law.
Sharing and public links
When you publish a public share link, the diagram becomes viewable by anyone who has the link (or the link plus a password, if you set one). Only publish content you are comfortable making public. You can disable a public link at any time. People you invite as collaborators can see and, depending on their role, edit the diagram you shared with them.
Retention
We keep your account data and content for as long as your account is active. When you delete your account, we delete your diagrams, uploaded images, and associated personal data. We may retain a limited amount of information where the law requires it (for example, suppression records that ensure we honor an unsubscribe request).
One technical exception: diagnostic traces held by our monitoring provider (described above), which may include your email address, expire on that provider's retention schedule — currently up to 60 days — so a small amount of this data can persist for a short time after you delete your account, and is then deleted automatically.
Your rights
Depending on where you live, you may have the right to access, correct, export, or delete your personal data, and to object to or restrict certain processing. To exercise any of these, contact us at support at excaliwow dot com. We may need to verify your identity before we act, and we may decline requests that are manifestly unfounded, excessive, or repetitive, or charge a reasonable fee, to the extent the law allows. We will respond within the time required by applicable law. You can also unsubscribe from optional email using the link in any such message.
Children
Excaliwow is not directed to children under 16, and we do not knowingly collect personal data from them. If you believe a child has provided us data, contact us and we will delete it.
Changes to this policy
We may update this policy as the product evolves. When we make a material change, we will update the date above and, where appropriate, notify you. Your continued use of Excaliwow after a change means you accept the updated policy.
Contact
Questions about this policy or your data? Email support at excaliwow dot com. See also our Terms of Service.