Privacy
Privacy Policy
Last updated: 2026-06-21
The short version
Typelets is a collaborative coding workspace. We collect the data we need to run the product (your account, your workspaces, your edits) and nothing else. We do not sell your data. We do not run third-party ad trackers. Your workspace content is private to you and the people you invite.
Who we are
Typelets is the collaborative coding workspace operated by the team behind typelets.com, and is the controller of the personal data described here.
For any privacy question, data request, or complaint, email [email protected]. If we appoint a formal data-controller entity or an EU/UK representative, we will name them here.
What we collect
Account data:
- Email address and display name you sign up with.
- Argon2id hash of your password (we never see or store the password itself).
- The Organizations you belong to and your role in each.
Workspace data:
- Files, folders, and whiteboards you create.
- Yjs document snapshots that let collaboration converge and survive reloads.
- Cursor position and presence (broadcast to other people viewing the same file in real time; not persisted long-term).
- Run output and terminal history while a workspace container is alive.
- Optional session recordings if an interviewer explicitly starts one.
Operational data:
- Session cookies (httpOnly, signed) that keep you signed in.
- A CSRF cookie used to protect form submissions.
- Server-side request logs (IP, path, status code, timestamp) retained for up to 30 days for abuse investigation and uptime monitoring.
How we use it
We use the data above to run the product: serve your workspaces, sync your edits between collaborators, execute the code you ask us to run in sandboxed containers, and authenticate your sessions. We use aggregate request logs to keep the service running (capacity planning, incident response).
We do not use your workspace content to train models, share it with third parties, or feed it to advertising networks.
Legal bases for processing
If you are in the EU, EEA, or UK, we rely on the following legal bases to process your personal data:
- Performance of a contract - to provide the workspaces, collaboration, and code execution you sign up for.
- Legitimate interests - to keep the service secure and reliable, investigate abuse, and operate it (for example request logs and rate limiting), balanced against your rights and freedoms.
- Legal obligation - to comply with valid legal process.
- Consent - for anything optional you opt into, such as starting a session recording. You can withdraw consent at any time without affecting processing already carried out.
Who we share it with
We use a small number of infrastructure providers that process data on our behalf:
- Fly.io - app hosting, container execution sandboxes.
- Cloudflare - edge CDN and TLS termination.
- PostgreSQL (managed) - relational data (accounts, workspaces, snapshots up to 256 KB).
- MinIO / S3-compatible object storage - larger snapshots and uploaded Org icons.
We do not share your data with anyone else, with the standard exception of legal compulsion: if we receive a valid subpoena or court order, we will comply, and we will notify you unless legally prohibited.
International data transfers
Our infrastructure providers operate data centers in multiple countries, so your data may be processed outside the country where you live, including in the United States. Where the law requires it for transfers out of the EU, EEA, or UK, we rely on Standard Contractual Clauses or an equivalent safeguard offered by those providers.
Retention and deletion
Account data is kept while your account is active. When you delete your account, we delete your workspaces, snapshots, and Org memberships within 30 days. Backups roll off within 60 days of deletion.
Session recordings, if you create them, persist until you or an Organization admin deletes them.
Request logs are kept for up to 30 days, then dropped.
Security
We protect your data with sandboxed code execution, argon2id password hashing, encryption at rest for sensitive fields such as two-factor secrets, TLS in transit, and a per-request authorization check on every workspace and Org operation. Your workspace content is private by default. Our Security page has the details.
No system is perfectly secure, but we treat your code and your account as private and design for that.
Your rights
You can update your profile, change your password, leave or transfer Orgs, and delete your account from the in-app settings.
Depending on where you live, you also have the right to:
- Access the personal data we hold about you, and receive a portable copy.
- Correct data that is inaccurate or incomplete.
- Delete your data, or ask us to restrict or stop processing it.
- Object to processing we carry out on the basis of legitimate interests.
- Withdraw consent you previously gave, without affecting processing already done.
To exercise any of these, email [email protected]; we aim to respond within 30 days. We will not discriminate against you for exercising your rights.
We do not sell your personal data and never have, so under the CCPA/CPRA there is no sale to opt out of.
If you are in the EU, EEA, or UK and believe we have mishandled your data, you have the right to lodge a complaint with your local data protection authority. We would appreciate the chance to put it right first.
Children
Typelets is not directed at children. You must be old enough to form a binding contract where you live (at least 13, and often 16 or 18) to create an account. We do not knowingly collect personal data from children under 13. If you believe a child has given us personal data, email [email protected] and we will delete it.
Communications
We send transactional and product email: account verification, security notices, assessment invitations, and material changes to these policies. We do not send marketing email without your consent, and any non-essential email includes a way to unsubscribe.
Cookies
We use two first-party cookies, both essential to the product:
- A signed session cookie (httpOnly, Secure, SameSite=Lax) that keeps you signed in.
- A CSRF cookie that pairs with a header on form submissions to prevent cross-site request forgery.
We do not use analytics cookies, marketing cookies, or third-party tracking pixels.
Changes
If we change this policy in a way that affects you materially, we will email registered users and update the "Last updated" date at the top of this page before the change takes effect.