Annot.work

Privacy policy

Last updated: 2026-05-19

Draft pending lawyer review. This policy is a good-faith first pass written by the product team. It will be reviewed by Japanese SaaS counsel before public launch. The Cloudflare Workers + R2 + D1 architecture caps liability per their AUP; treat that as the immediate backstop until this document is countersigned.

1. Who we are

Annot is operated by ingcreators (a sole proprietorship, with incorporation in Japan planned for Q4 2026). Contact: hello@annot.work. Source code: github.com/ingcreators/annot.

2. What you can do without signing in

The PWA at annot.work/app is local-first. With the default Browser storage backend, your annotations live in your browser's IndexedDB and we never see them.

The Chrome extension stores its captures in extension-local IndexedDB and transfers them to the PWA over a same-origin message channel.

The headless annotator (@ingcreators/annot-annotator) and the Playwright fixture (@ingcreators/annot-playwright) run entirely on your machine; they don't phone home.

3. What we store when you sign in

You sign in only when you choose to. We then store:

  • Account identifier — your GitHub numeric id, or your Google subject (sub) claim. We do not store your password.
  • Display name + email — used to show your account chip in the PWA and to reach you about security advisories.
  • Session cookie — an HTTP-only, SameSite=Lax, Secure cookie scoped to annot.work. Holds a random session id, not your account data.
  • OAuth refresh token — encrypted at rest in our database, used only to refresh access to the storage backend you opted into (GitHub repo, Google Drive folder). Revocable from your account settings.

4. What we store when you use Annot Cloud

Switching to the Annot Cloud storage backend uploads:

  • Your annotated screenshots (PNG + SVG)
  • Your folder structure (paths, titles, ordering)
  • Any tags you apply
  • Page metadata captured by the Chrome extension (visible-element bboxes + text content from the source page, if you chose to keep the metadata when transferring the capture)

Storage is on Cloudflare R2 (object storage) and Cloudflare D1 (SQLite metadata). Both reside in EU / US regions per Cloudflare's deployment policy.

5. What we don't store

  • Telemetry. The PWA, extension, headless annotator, and Playwright fixture do not send usage analytics to us by default. (A planned external error tracker — Sentry — will be opt-in only and is not currently wired.)
  • Marketing pixels. The landing page at annot.work does not embed Google Analytics, Meta Pixel, Hotjar, or any similar tracker.
  • Your stored OAuth scopes beyond what you grant. The GitHub backend requests repo only on the repositories you select. The Google Drive backend uses drive.file only.

6. Sharing your data

We share data in only two cases:

  1. Sub-processors: Cloudflare (R2 + D1 + KV + Workers), GitHub (OAuth + the storage backend if you chose it), Google (OAuth + Drive if you chose that backend). Their terms cover the data they handle on our behalf.
  2. Legal compulsion: a court order against us would be honoured to the extent legally required, with advance notice to you where the order allows.

We do not sell your data, your screenshots, your metadata, or your usage patterns to anyone. We do not train AI models on your stored annotations.

7. Retention

  • Local data (Browser / Device / Extension) — until you delete it from your browser / disk. We can't see it.
  • Annot Cloud data — until you delete the file, or until you delete your account (account deletion removes all your stored content within 30 days).
  • Share links — by default no expiry; you can revoke individual links or set an expiry when generating them.
  • Logs — Cloudflare retains request logs per their own retention policy (typically 7 days). We don't forward request logs to long-term storage.

8. Your rights (GDPR / APPI)

  • Access: export your stored content at any time via the PWA's Settings → Export all action.
  • Delete: Settings → Delete account removes all your stored content within 30 days.
  • Correct: edit your display name + email via the PWA's settings; the underlying OAuth identity is corrected at the provider (GitHub / Google).
  • Object / port: contact hello@annot.work and we'll respond within 30 days.

9. Cookies

We set one cookie: annot_session, after you sign in. It is HTTP-only, SameSite=Lax, Secure, and scoped to annot.work. It holds an opaque session id only.

We do not use third-party tracking cookies. The marketing site at the root of annot.work sets no cookies at all.

10. Security

  • Transport: HTTPS, HSTS-preloaded, TLS 1.3.
  • OAuth secrets are stored as Cloudflare Workers Secrets; never logged.
  • Refresh tokens are encrypted at rest with a per-row key-wrapping scheme.
  • Source code is open; security researchers are encouraged to disclose responsibly via security@annot.work.

11. Changes to this policy

We'll update the Last updated date at the top when the policy changes. Material changes (new sub-processor, new data category collected, change in retention) trigger an email to active accounts at least 30 days before the change takes effect.

12. Contact

Questions, deletion requests, or GDPR-related access requests: hello@annot.work. For security disclosures: security@annot.work.