Privacy Policy

Last updated: April 16, 2026

This Privacy Policy describes how Perpetual Software LLC ("Perpetual", "we", "us"), a limited liability company registered in Massachusetts, United States, collects, uses, and protects information in connection with the Pad hosted service available at app.getpad.dev (the "Service"). It applies only to the hosted offering. If you self-host Pad on your own infrastructure, you are the data controller for your deployment and this policy does not apply.

For EU/UK users: Perpetual Software LLC is the controller of personal data processed for the purpose of providing the Service to individual users, and is a processor acting on behalf of workspace owners with respect to the content those owners store in Pad.

Summary

  • We collect only what is needed to run the Service. No advertising, no tracking, no behavioral profiling.
  • Your workspace content belongs to you. We never use it to train AI models.
  • We use strictly-necessary cookies only — no cookie banner is required because we use no non-essential cookies.
  • You can export or delete your data at any time from Account Settings.
  • Questions or requests: [email protected].

What we collect

Account information

  • Email address — used to identify your account and send transactional messages (password resets, workspace invitations, billing receipts).
  • Name and (optional) avatar URL — displayed to collaborators in shared workspaces.
  • Password hash — if you registered with a password, we store only a salted hash (never the plaintext password).
  • OAuth provider identifiers — if you sign in with GitHub or Google, we store the provider name and the verified email address returned by that provider.

Workspace content

Anything you create in Pad — workspaces, collections, items, comments, attachments, rich content — is stored so we can deliver it back to you and to people you explicitly share it with. You own this content. We do not sell, mine, or use it to train models.

Session and security data

  • Session cookies bound to your browser (via a hash of your User-Agent) so stolen session tokens can't trivially be replayed from another device.
  • IP address at session creation, for rate limiting and abuse detection.
  • Audit log recording security-relevant actions (logins, password changes, permission changes) so you and we can review account activity.

Billing data

Payments are processed by Stripe. We never see or store full payment card numbers. We store only your Stripe customer ID and the current subscription plan on your account. Stripe's privacy practices govern any data you provide on their checkout page.

Cookies

Pad uses only first-party, strictly-necessary cookies:

  • __Host-pad_session — authenticates your session.
  • __Host-pad_csrf — protects state-changing requests from cross-site forgery.
  • pad_oauth_state / pad_oauth_link — short-lived cookies used during OAuth redirects.

We do not use advertising, analytics, or tracking cookies. Because we use no non-essential cookies, consent under the EU ePrivacy Directive / UK PECR is not required for cookies on this Service.

How we use your data

  • To operate the Service — authenticate you, render your workspaces, sync changes in real time.
  • To communicate with you — workspace invitations, password resets, billing receipts, and (rarely) important service announcements.
  • To keep the Service secure — detect abuse, rate-limit requests, investigate incidents.
  • To comply with the law — respond to valid legal requests and enforce our Terms.

Legal bases for processing (GDPR / UK GDPR)

If you are in the European Economic Area, the United Kingdom, or Switzerland, we rely on the following legal bases under Article 6 of the GDPR / UK GDPR:

  • Performance of a contract (Art. 6(1)(b)): processing necessary to create and operate your account, deliver the features of the Service, take payment, and respond to your requests.
  • Legitimate interests (Art. 6(1)(f)): security logging, rate limiting, abuse detection, fraud prevention, product improvement based on aggregate usage patterns, and direct non-marketing communication with existing customers. You may object to processing based on legitimate interests at any time (see Your rights below).
  • Consent (Art. 6(1)(a)): only for optional communications that require it (we do not currently send marketing email). Where consent is the basis, you may withdraw it at any time without affecting the lawfulness of prior processing.
  • Legal obligation (Art. 6(1)(c)): retention of invoices, tax records, and other data we are required by law to keep.

We do not process special-category data (Art. 9 GDPR) and do not knowingly make decisions about you based solely on automated processing that produces legal or similarly significant effects (Art. 22).

Third-party services (sub-processors)

The hosted Service relies on the following sub-processors. A current, versioned list is maintained at getpad.dev/subprocessors.

  • Stripe — payment processing.
  • Maileroo — transactional email delivery.
  • GitHub, Google — optional OAuth sign-in providers.
  • Resend — marketing-site waitlist (only if you voluntarily submit the form on getpad.dev).
  • Hivelocity — VPS hosting that runs the servers and databases that store your data.

Each operates under its own privacy policy and a data processing agreement with us. We share only the minimum information required for each service to perform its function.

International transfers

Perpetual Software LLC is located in Massachusetts, United States, and our production servers are located in the United States. If you access the Service from the EEA, the UK, or Switzerland, your personal data will be transferred to and processed in the United States.

Where such transfers occur, they are made under one or more of the following lawful mechanisms:

  • The EU-US Data Privacy Framework and its UK Extension / Swiss-US Data Privacy Framework, where our sub-processors (including Stripe and Google) are certified participants; and/or
  • The European Commission's Standard Contractual Clauses (SCCs) (EU 2021/914) and the UK International Data Transfer Addendum, together with supplementary technical and organisational measures (encryption in transit and at rest, access controls, and audit logging).

A copy of the transfer mechanism used for a specific processing activity is available on request from [email protected].

Data retention and deletion

You can delete your account at any time from Account Settings → Danger Zone → Delete account, or by POSTing to /api/v1/auth/delete-account. When you do, your personal account data and workspaces you solely own are removed from our live systems within 30 days. Encrypted database backups are retained for up to 90 days before rotation; any data in those backups is deleted on the normal backup rotation schedule and is never restored except to recover from disaster.

Workspaces shared with other members may be transferred to a remaining owner rather than deleted, at your request or per workspace settings. Invoices and billing records are retained for the period required by applicable tax and accounting law (typically 7 years in the US). Security audit logs are retained for 1 year.

Security

Data in transit is encrypted with TLS 1.2+. Sensitive fields (such as API tokens) are encrypted at rest using AES-256. Passwords are hashed with a modern, salted algorithm. Access to production systems is limited to authorized personnel and logged. We commit to disclosing material security incidents promptly to affected users and — where required by GDPR Art. 33/34 or applicable US state law — to the relevant supervisory authorities.

Your rights

If you are in the EEA, UK, or Switzerland (GDPR / UK GDPR)

You have the right to:

  • Access the personal data we hold about you (Art. 15).
  • Rectify inaccurate or incomplete personal data (Art. 16).
  • Erasure of your personal data (Art. 17; "right to be forgotten").
  • Restrict processing in certain circumstances (Art. 18).
  • Data portability — receive your data in a structured, machine-readable format (Art. 20). You can export your data as JSON via Account Settings → Export data or at /api/v1/auth/export.
  • Object to processing based on legitimate interests (Art. 21).
  • Withdraw consent at any time where processing is based on consent (Art. 7(3)).
  • Lodge a complaint with your local data protection supervisory authority. A directory is available at edpb.europa.eu. UK residents may complain to the Information Commissioner's Office at ico.org.uk.

You can exercise most of these rights directly from Account Settings. For any request we cannot fulfil via self-service, email [email protected] and we will respond within 30 days.

If you are a resident of California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, or a similar US state

You have comparable rights under your state's consumer privacy law, including:

  • The right to know what personal information we collect and how we use it.
  • The right to access or delete your personal information.
  • The right to correct inaccurate personal information.
  • The right to opt out of the "sale" or "sharing" of personal information for cross-context behavioral advertising. We do not sell or share personal information for advertising purposes, so there is nothing to opt out of.
  • The right to non-discrimination for exercising your rights.

To exercise these rights, email [email protected]. You may designate an authorized agent to make a request on your behalf; we may require written authorization and proof of identity.

"Do Not Track" and Global Privacy Control

We do not track users across sites and do not respond differently to DNT or GPC signals because there is no cross-site tracking to disable.

Data Processing Agreements

Business customers who require a Data Processing Agreement (DPA) for GDPR Art. 28 compliance may request our standard DPA (which incorporates the EU Standard Contractual Clauses, Module 2, and the UK International Data Transfer Addendum) by emailing [email protected]. Entering into the DPA is free.

Children

The Service is not intended for use by children under 13 (or 16 in the EU, or the age required by your local law to consent to the processing of personal data). We do not knowingly collect data from children. If you believe we have collected data from a child, contact [email protected] and we will delete it.

Automated decision-making

We do not use automated decision-making, including profiling, that produces legal or similarly significant effects concerning you (GDPR Art. 22).

Changes to this policy

If we make material changes, we will update the date above and notify account holders by email at least 14 days before the changes take effect. Continued use of the Service after the effective date constitutes acceptance of the updated policy.

Contact

Privacy questions and data-subject requests:

Perpetual Software LLC
Attn: Privacy
Massachusetts, United States
[email protected]