1. Scope
This policy applies to the Obsidian Collaborative Folders website and hosted service operated by Experimental LLC in the United States. If you self-host the server, you are responsible for your own privacy practices, notices, and legal compliance for that deployment.
2. Contact and Controller
Experimental LLC is the data controller for the hosted service described in this policy. For privacy requests, email a@experimental.energy or open an issue on GitHub.
3. Information We Process
Depending on how you use the product, we may process:
- Identifiers and account data, such as email address, display name, account ID, and client ID.
- Collaboration metadata, such as folder IDs, shared folder display names, membership state, invite tokens, and synchronization state metadata.
- Document routing metadata, including room identifiers that may contain relative file paths within a shared folder.
- Billing and subscription records, such as Stripe customer/subscription IDs, plan, status, and billing period dates.
- Operational and security logs, such as IP address, request timing, user agent, and error events.
- Support and communications content you send to us.
4. Encrypted Content
The collaboration system is designed for end-to-end encrypted note content. Note bodies and attachment payloads are encrypted client-side before relay or storage by the hosted service. We still process limited non-content metadata required for routing, authorization, abuse prevention, and service reliability.
End-to-end encryption does not hide all metadata from the server. For example, the hosted service can see folder IDs, shared folder display names used in invite flows, and document room identifiers that can include relative file paths (for example, notes/meeting.md). The hosted service does not require or receive your full local vault filesystem path.
5. How We Use Information
We use information to provide and secure the service, authenticate users, manage subscriptions, enforce hosted account and storage entitlements, prevent fraud and abuse, troubleshoot incidents, meet legal obligations, and improve product reliability.
6. Sharing of Information
We do not sell personal information. We may disclose information to service providers that process data on our behalf (for example hosting, storage, logging, and billing processors such as Stripe), when required by law, or in connection with a merger, financing, acquisition, dissolution, or sale of assets.
7. Data Retention
We retain data only as long as needed for service operation, subscription management, security, dispute handling, and legal obligations. Retention periods vary by data type. Security logs may be retained for a limited period for abuse prevention. Self-hosted operators control retention for their own deployments.
8. Your Choices
You may request access, correction, deletion, or export of account-level hosted data by contacting us at the link above. We may need to verify your identity before completing a request. For self-hosted deployments, data access and deletion are controlled by the deployment owner.
9. California Privacy Disclosures
California residents may have rights under applicable California privacy laws, including rights to know, delete, and correct certain personal information, and to limit certain uses of sensitive personal information where required by law. We do not sell personal information and do not share personal information for cross-context behavioral advertising as those terms are defined under California law.
To submit a California privacy request, email a@experimental.energy or use the issue link above. We will confirm receipt and respond within timeframes required by law.
10. Cookies and Do Not Track
We may use cookies or similar technologies that are necessary for authentication, security, fraud prevention, load balancing, or basic service operation. We do not permit third-party behavioral advertising on the service. The service is not currently designed to respond to browser "Do Not Track" signals because no common industry standard is fully implemented.
11. Children's Privacy
The hosted service is not directed to children under 13, and we do not knowingly collect personal information from children under 13. If you believe a child under 13 provided personal information, contact us so we can investigate and delete it as appropriate.
12. Data Security
We use administrative, technical, and organizational safeguards designed to protect data, including access controls, logging, encryption in transit, and end-to-end encrypted note content. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.
13. U.S.-Only Service
The hosted service is intended for users in the United States. We do not market the hosted service to EU or UK users and do not offer region-specific terms for non-U.S. jurisdictions at this time.
14. Policy Changes
We may update this policy over time. Material changes will be reflected by updating the date at the top of this page.