f8xt Privacy Policy

Last updated: April 29, 2026

f8xt does not store notes, accounts, or app data on its own servers. When the site loads, Vercel processes requests and may automatically handle limited request logs and related metadata.

Note

f8xt is a website with no backend server, database, or user account system. The official domains are https://f8xt.app/ and https://f8ful.org/

2. What f8xt Does Not Collect

f8xt never receives, stores, or processes:

  • Your notes or any content you create
  • Your name, email address, or any personal identifier
  • OAuth tokens from Google, Microsoft, or Dropbox
  • Your cloud file names, folder structure, or metadata
  • Analytics or behavioural tracking data

Why not:OAuth authentication uses the PKCE flow entirely in your browser. Tokens remain in browser memory on your device only. All file reads and writes occur directly between your browser and your cloud provider's API. No f8xt server is involved.

3. What Vercel Logs

f8xt is hosted on Vercel, which processes requests necessary to deliver the application to your browser.

f8xt does not receive or access these logs. Vercel may automatically process limited request data and related metadata (such as IP address, request path, user agent, and timestamps) in accordance with its own policies:

Vercel operates global edge infrastructure, so your request may be served and processed outside your country of residence.

4. Your Cloud Storage Provider

When you connect Google Drive, OneDrive, or Dropbox, your notes are stored as files in your account under that provider's terms. f8xt never receives a copy.

Note on “zero-knowledge”: f8xt cannot read your notes, but your cloud provider can, since files are not encrypted before being written to your drive. If you require encryption at rest, you should apply independent encryption.

5. Plugins

f8xt supports optional plugins: small programs you choose to install to extend the app. Plugins are third-party code, not written or reviewed by f8xt unless stated otherwise. They run sandboxed and can only do what you explicitly approve through a permission prompt at install time.

A plugin can only access your notes if you grant it the notes permission, and can only send data over the network if you grant it the network permission (these are always separate). If you grant both to a plugin, that plugin is capable of transmitting your notes to a destination it chooses. f8xt itself still never receives your notes; but a plugin you install and authorize is outside f8xt's control. Only install plugins you trust, review the permissions shown before granting them, and disable or uninstall a plugin at any time from settings.

Browsing the built-in plugin registry, or checking installed plugins for updates, fetches public files from GitHub (the F8ful-org/f8xt-plugins repository, served by raw.githubusercontent.com). Like any web request to GitHub, this sends your IP address and request metadata to GitHub; it transmits none of your notes or personal data. If you never open the registry, no such request is made beyond the periodic update check for plugins you installed from it.

A plugin may also add its own cloud storage provider. In that case the plugin manages its own credentials in isolation: it cannot read the OAuth tokens for your main cloud provider, and your main provider's connection cannot read the plugin's. Data you store through a plugin provider goes wherever that plugin sends it, under that service's terms.

6. Cookies and Local Storage

f8xt uses minimal browser storage solely for core functionality.

Cookies may be used in a limited capacity to maintain your authenticated session (for example, keeping you signed in after a page reload). Because f8xt does not store user data on its own servers, this functionality is handled entirely within your browser context.

Your browser's local storage may also be used to store application preferences (such as theme or interface settings) to ensure a consistent experience and to prevent visual resets when the application loads.

This data remains on your device and is not transmitted to f8xt servers.

7. Legal Bases and Your Rights

The only personal data processing associated with f8xt is limited request handling and logging performed by Vercel. The legal basis for this is legitimate interest: operating the infrastructure securely and diagnosing failures.

EU / EEA (GDPR)

Legal basis: Article 6(1)(f). You have rights of access, rectification, erasure, restriction, portability, and objection under Articles 15-21. You may lodge a complaint with your national supervisory authority (Article 77).

Because relevant log data is processed and controlled by Vercel, requests relating to such data should be directed to Vercel. f8xt will make reasonable efforts to assist where possible.

UK (UK GDPR)

Same rights as above. Supervisory authority: Information Commissioner's Office at https://ico.org.uk.

California (CCPA / CPRA)

f8xt does not sell personal information and does not share it for cross-context behavioural advertising. Requests or questions can be directed to the contact below.

Brazil (LGPD)

Legal basis: legitimate interest. You may exercise your rights under Article 18 of Law 13,709/2018 by contacting us using the details below. f8xt will make reasonable efforts to respond and assist where applicable.

Canada (PIPEDA / Quebec Law 25)

We collect only what is necessary for identified purposes with appropriate safeguards.

Australia (Privacy Act 1988)

We comply with the Australian Privacy Principles.

India (DPDP Act 2023)

We process personal data only to the limited extent required to deliver the service, such as the handling of basic request data by our hosting provider (Vercel).

Under the Digital Personal Data Protection Act, 2023, processing is carried out for a lawful purpose. Where applicable, this may rely on your consent or on certain legitimate uses as defined under the Act.

You have the right to access information about your personal data, request correction or erasure, and seek grievance redressal by contacting us at the email below. Requests related to server log data may need to be directed to Vercel, as they control that data.

8. Children

f8xt is not directed at children under 13 (or 16 in the EU/EEA). We do not knowingly collect data from children.

9. International Transfers

Vercel may transfer log data to the United States or other countries. For EU/EEA users, Vercel relies on Standard Contractual Clauses. See Vercel's DPA for details. We have no control over this.

10. Changes

Material changes will be reflected in an updated date at the top of this document.

11. Contact

Email: hi@f8xt.app

We aim to respond within 30 days, but do not guarantee it.

This policy reflects the actual architecture of f8xt. It is not legal advice.