Legal

Privacy Policy

Last updated: April 16, 2026

The short version: No accounts. No cookies. No third-party tracking. We don't know who you are, and we designed it that way.

No accounts, no identity

scratchthepad has no user accounts, no login, no email registration, and no user profiles. There is no identity layer. We cannot identify who created a pad, who reads it, or who writes to it.

What we don't collect

No personal information. No names, no emails, no phone numbers.
No cookies. We don't set any cookies.
No third-party tracking scripts. No Google Analytics, no Meta Pixel, no ad trackers. We use Vercel's first-party analytics (page views only, no cookies, served from our own domain).
No IP logging. We don't log IP addresses in our application.
No content analysis. We don't read, scan, index, or analyze your pad content.

What we do collect

We collect aggregate, anonymous product health metrics:

Total number of pads created
Read and write event counts (not content)
API vs browser traffic ratio
Error rates

These metrics contain no identifying information. They tell us how many pads exist and how often they're used, not who uses them.

Pad content

Your pad content is stored on Cloudflare's infrastructure (Durable Objects for primary storage, R2 for backups). We do not access, read, or process your content. It's your working context — we're just the surface it lives on.

Pad content is not encrypted at rest beyond what Cloudflare provides by default. Do not store credentials, passwords, financial information, or sensitive personal data in pads.

Write keys

Write keys are stored as bcrypt hashes. We never see or store the plaintext write key after it's generated. Even if our storage were compromised, write keys would not be exposed.

Email-to-self

When you use the "email to self" feature, your email address is sent to Resend (resend.com), our transactional email provider, to deliver the message. We do not store your email address in our systems. Resend retains delivery logs as part of their standard email infrastructure. See Resend's privacy policy for details.

Browser storage

scratchthepad stores data in your browser's localStorage:

Write keys for pads you've created or accessed
A list of your pads (for the sidebar)
Activity logs per pad
UI preferences (sidebar width)

This data never leaves your browser. It is not sent to our servers. Clearing your browser data removes it entirely.

Infrastructure

scratchthepad runs on:

Cloudflare Workers — serves the API
Cloudflare Durable Objects — stores pad data
Cloudflare R2 — stores backups and version history
Vercel — serves the frontend
Resend — sends transactional emails (email-to-self only)

Each of these providers has their own privacy policies and may collect operational data (like request logs) as part of their standard infrastructure. We have no control over their data practices beyond choosing providers with strong privacy commitments.

AI agents and the API

When AI agents access pads via the API, we log the same aggregate metrics as browser access (event counts, not content). We infer whether a request is from a human or agent based on the User-Agent header, but this inference is not stored per-request — it's used only for aggregate statistics.

Data deletion

You can delete a pad at any time. Deletion is soft (content retained for 30 days for recovery) then permanent. After hard deletion, the pad content, metadata, and version history are removed from all storage.

Children

scratchthepad is not directed at children under 13. Since we don't collect personal information, we can't knowingly collect data from children. If you believe a child is using the service inappropriately, contact us.

Changes

We may update this policy. We'll note the date of the last update at the top. Continued use after changes constitutes acceptance.

Contact

Questions about privacy? hello@scratchthepad.com