Inkstract

Privacy

How we handle your data

Last updated March 2026

The short version

Your content is encrypted at rest with per-user keys. Source files are deleted after processing. We never train on your data. No human reviews your documents.

What happens when you email a document

  1. 1

    Postmark receives your email and forwards the parsed content to our server.

  2. 2

    The PDF is saved to Cloudflare R2 (EU region), which provides server-side encryption at rest.

  3. 3

    Each page image is sent to Anthropic's Claude API for processing — only the page image and your dictionary entries (abbreviations and expansions) are sent to help interpret your handwriting. We do not send your account email, name, or other account details. Note that if your dictionary entries contain personal information (such as people's names or initials), this will be included in API requests.

  4. 4

    The structured Markdown output is encrypted with your unique key and stored.

  5. 5

    The source PDF is deleted according to your retention setting (default: immediately after processing).

How encryption works

Your processed content (OCR text, Markdown output, dictionary entries) is encrypted at rest using per-user encryption keys derived from a master key. Source PDFs, while stored, are protected by Cloudflare's server-side encryption rather than per-user keys. Each user's key is unique — a breach of one user's data does not expose another's. Our automated processing pipeline decrypts content server-side to process and display it. No human reviews your documents — access is logged in a tamper-resistant audit trail.

What we store

  • Your account email, your processed Markdown (encrypted), your dictionary entries (encrypted), extracted diagram images, and audit logs of all system access to your data.

What we don't do

  • Train on your content. We never train on your content.
  • Sell or share your data.
  • Look at your documents. Anthropic's API does not train on inputs sent via their API.
  • We may disclose user data where required by law, court order, or regulatory requirement.

Third-party services

Anthropic (Claude API — document processing), Cloudflare R2 (encrypted file storage, EU), Postmark (inbound email parsing), Resend (transactional email), Railway (application hosting), Stripe (payment processing, when applicable), Sentry (error tracking — receives technical error data when something goes wrong, such as the type of error and where it occurred; no user content, email addresses, or personal information is included), Todoist (optional integration — if connected, extracted task text and the document filename are sent to Todoist's API to create tasks in your inbox; no other account information is sent), Plausible (privacy-focused analytics — page views only, no cookies, no personal data).

Your controls

  • Configure source file retention. Source files are deleted immediately after processing by default. You can change this in your account settings to keep source files for 24 hours, 3 days, 7 days, 30 days, or indefinitely. Regardless of your setting, all files are permanently deleted if you delete your account.
  • Export all your data anytime.
  • Delete your account and all associated data with one click.

What we're honest about

We process your content server-side — this is required for the service to work. We cannot offer end-to-end encryption where only you hold the key because we need to decrypt content to process it with Claude's API and display it in your browser. What we can guarantee is: encryption at rest, no human access, automated processing only, full audit logging, and your right to delete everything at any time.

The content of your handwritten pages — including any personal information you write — is sent to Anthropic's Claude API for processing. This is inherent to how the service works. Similarly, if you connect third-party integrations like Todoist, extracted data (such as task text and filenames) is shared with those services.