Privacy
This is a draft placeholder. These notes reflect the current architecture and will be refined into a full privacy policy over time.
Private by default
conceptspace is private by default. Access requires authentication. Your spaces, blocks, items, and uploaded files are not visible to the public unless you explicitly enable sharing on a specific block or item, or open a public Drop submission link.
Shared blocks and items
When you enable sharing on a block or item, a link is generated. Sharing can be public (anyone with the link can read) or password-protected (a one-time password unlock sets a signed cookie). You can disable sharing, switch access types, or rotate the password at any time from the relevant share controls.
Drop submissions
A block can also expose a public Drop link that lets anonymous visitors submit a single new item — without granting any read access to the block’s existing contents. Drop links can be public or password-protected.
File storage
Uploaded files are stored in private cloud object storage. The app authorizes every file request and then redirects to a short-lived signed URL; the underlying storage keys are not exposed in normal application surfaces.
Exports
Data exports include text content and metadata only. Uploaded file bundles are not included in exports.
Data storage
Account data is stored in a private Postgres database. Uploaded files are stored in private cloud object storage. Storage reconciliation runs on demand from the admin tools and tracks missing or orphaned records, correcting usage counters as it goes.
Security
Access requires authentication with a valid email and password. Account passwords and share/drop passwords are hashed with argon2. Share-unlock cookies are HMAC-signed and scoped to the individual share or drop token. File access is authorized through app-controlled routes before any signed storage URL is issued. Public unlock, submission, and file upload routes are rate-limited per IP+token to discourage brute-force attacks and storage abuse.