Privacy Policy

When you use HumanWroteThis, we may collect:

• Email address — if you create an account, used only for authentication and account-related communication.
• Display name and username — shown publicly on certificates you create.
• Content you type — stored as part of your certificate. Certificates are public by default and accessible to anyone with the code; signed-in writers can instead mark a certificate private (see "Who can see your content" below).
• How you typed it — the timing and order of your edits as you write, so the certificate can be replayed and watched being written. This recording is part of the certificate. See "How your writing is recorded" below.
• Certificate metadata — character count, word count, and date.
• Drafts (in-progress writing) — if you're signed in on the web, we save your unfinished writing — including the text so far and its keystroke recording — to our servers so you can stop and resume later, or pick up on another device. Drafts are private to your account, never public, and are deleted when you turn them into a certificate, reset the editor, or delete your account.
• Input pattern signals — as part of our anti-fraud system, we look at the cadence and shape of your typing (e.g., how many characters arrive at once, how fast they arrive) and may flag a certificate internally if it doesn't look like genuine human typing. This is used solely to maintain trust in certificates and is not shared.
• Authentication session data — stored locally in your browser (or, in the desktop app, locally on your device).
• Network address (IP) — briefly recorded when a certificate is created, solely to rate-limit abuse and prevent automated flooding. It's deleted automatically within about an hour and is never used to profile or identify you.

We do not collect payment information, precise location, or any data beyond what's listed above.

We use your data to operate the service — to store certificates, authenticate your account, and display your name on certificates you've authored. We use anonymized analytics data to understand how the product is used and improve it. We do not use your content to train AI models, sell it to third parties, or use it for advertising.

Public certificates (the default) are accessible to anyone who has the certificate code — the content, keystroke replay, metadata, and author name (if you're logged in).

Private certificates (signed-in writers only) are visible only to you. The code returns nothing for anyone else, and the certificate doesn't appear in link previews or search engines. To show a private certificate to someone, you create a share link — a unique, unguessable URL. Anyone who has a share link can view the certificate (including anyone it gets forwarded to), and you can revoke any share link at any time, which cuts off access through it immediately. You can also switch a certificate between public and private at any time from its page.

Anonymous certificates (created without an account) are always public and have no author attached.

When you write on HumanWroteThis, we record the timing and sequence of your edits — when each change happened and in what order — as you type. We do this so the certificate can be replayed: anyone viewing it can watch the writing happen, which is what makes it credible as human work.

This recording is stored as part of the certificate and shares the certificate's visibility — public alongside a public certificate, restricted alongside a private one. It is deleted automatically whenever the certificate is deleted.

This records how a specific document was written — it is evidence of process for that piece of writing. It is not a biometric profile of you, and we do not use it to identify or authenticate you or to analyze your typing style across documents.

Your data is stored using Supabase, a hosted database service. Data is stored on servers in the United States. Supabase's own privacy policy governs their handling of infrastructure-level data. Certificates and (for signed-in web users) drafts are stored here.

HumanWroteThis offers a macOS desktop app. Drafts you write in the desktop app are stored locally on your device, in a local database, and aren't uploaded to our servers unless you turn them into a certificate. Your login session is stored locally on your device. Certificates you create in the desktop app sync to the same servers as the web app; the desktop app currently creates public certificates only.

We use browser local storage to maintain your login session. We do not use advertising cookies or third-party tracking. Google Sign-In may set cookies from Google's domains if you use it to log in.

We use Vercel Web Analytics to understand aggregate usage of the site — which pages are visited, how visitors arrive, and basic device and country information. Vercel Web Analytics does not set cookies and does not store identifiers on your device. Unique visitors are estimated using a privacy-preserving hash that rotates daily and is not retained beyond that. No personal data about individual visitors is collected or stored by us or Vercel — only aggregate counts. We also record anonymous, aggregate product events — for example that a certificate was generated, a write session started, or a sign-up was submitted — to measure whether core features work. These events aren't tied to your identity and set no cookies.

You can delete your account and all associated data — including your certificates, drafts, and their keystroke recordings — at any time from your account settings. You can delete any individual certificate you own from the certificate page. Deleting a certificate also deletes its keystroke recording.

If you created an anonymous certificate (without an account) and want it removed, email us at support@humanwrotethis.com with the certificate code.

Questions, requests, or concerns about how we handle your data — including any of the rights described above — can be sent to support@humanwrotethis.com.

HumanWroteThis is not directed at children under 13. We do not knowingly collect data from anyone under 13.

If we materially change how we handle your data, we'll update the date at the top of this page. Continued use of the service constitutes acceptance.