Privacy Policy

Last updated: February 2026

The short version: Your content is encrypted in your browser before it ever reaches our server. We cannot read your documents. The encryption key lives only in the link you share — we never see it.

End-to-End Encryption

WhatPlan uses AES-256-GCM encryption, performed entirely in your browser using the Web Crypto API. When you create or edit a document:

A unique encryption key is generated on your device
Your content is encrypted before being sent to our server
The encryption key is stored in the URL fragment (the part after the #) which is never sent to the server
Only people who have the full link can decrypt and read the document

What We Store

Our server stores only:

Document ID — a short random identifier for each document
Encrypted content — an opaque blob we cannot read or decrypt
Timestamp — when the document was last updated

We do not store encryption keys, document titles, task names, photos in readable form, or any other plaintext content.

Local Storage

WhatPlan uses your browser's localStorage to:

Keep a backup of your most recent edits (so you don't lose work if your connection drops)
Remember your recently visited documents for quick access

This data stays on your device and is never sent to our server.

Privacy-First Analytics

To know whether basic flows like saving and sharing are working at all (and to spot regressions quickly), WhatPlan uses Plausible Analytics. Plausible is cookie-less, does not use cross-site identifiers, anonymises IP addresses on the fly, and is GDPR/PECR/CCPA compliant by design.

What we collect:

Anonymous page views (URL path, referrer, browser, device type, country)
A small set of named product events: document created, save success or failure (with a coarse size bucket and duration), share-link copied, sign-in code requested, first sign-in completed, plan saved to account, push notifications enabled, photo uploaded (with a coarse size bucket), edit-conflict detected, PWA installed, and offline page load

What we never send:

Document IDs, titles, task names, comments, photos, or any other plaintext content
Encryption keys (they live only in the URL fragment, which browsers do not transmit)
Email addresses, account IDs, or device identifiers
Cookies or any persistent tracking identifier

Opt out: WhatPlan honours the browser Do Not Track setting and suppresses every analytics event when it is on. You can also opt out persistently on this device by opening your browser's developer console and running:

localStorage.setItem('whatplan.analytics.optout', '1')

To opt back in, run localStorage.removeItem('whatplan.analytics.optout') and reload.

Photos

Photos added to tasks are resized on your device for efficiency, then encrypted alongside the rest of your document content before being stored. We cannot view or access your photos.

Data Retention

Documents remain stored on our server until they are naturally cleared. Since we cannot read document content, we cannot identify or target specific documents for removal. If you lose the link (and its encryption key), the document becomes permanently unreadable.

Contact

If you have questions about this privacy policy, you can reach us through the WhatPlan project page.