Privacy Policy

Streamize Inc. takes your personal information seriously and complies with the Korean Personal Information Protection Act (PIPA) and other applicable laws.

Effective 2026-06-18
Last updated 2026-06-18

Streamize Inc. (스트리마이즈 주식회사) (the “Company,” “we,” “us”) operates htmlbook (htmlbook.io, the “Service”) and processes your personal information as described below. This policy applies to the Service, and we comply with the Personal Information Protection Act (PIPA) and other applicable laws.

The Service is about storing, rendering, and sharing documents. Document bodies are stored in Cloudflare R2 (object storage); account and document metadata are stored in Google Firestore. The documents you publish may contain information you entered, and their sensitivity depends entirely on what you choose to publish.

1. Personal Information We Process

We process the following personal information for sign-up and authentication, document storage and sharing, and operating and improving the Service.

| Category | Items | How collected |
|---|---|---|
| Account & authentication | Email address, display name, profile photo (photoURL), sign-in provider identity, Firebase user ID (uid), public handle (@handle) | Collected automatically when you sign in with Google/GitHub or an email magic link (items a provider omits, such as a private GitHub email, may not be collected) |
| Service usage | Sign-up timestamp, usage counters (document count, total stored bytes) | Generated automatically as you use the Service |
| Credentials (API keys) | The hash of an API key (the raw key is never stored), key label/identifier, linked workspace, created/last-used timestamps | Generated server-side when you create a key (the raw key is shown only once) |
| Document content | Document bodies you or your connected agent publish/upload/edit (HTML, Markdown, bundles, images, annotations), document metadata (title, tags, summary, visibility), a search index of the body, version history and editor identifiers | Collected when you publish via MCP/REST API, upload in the web library, or edit inline in the reader |
| Collaboration | Workspace/project information, member identifiers and roles, invite tokens | When a workspace is created or an invite is sent |
| Connectors (OAuth) | OAuth client registration (name, redirect URIs), and hashes of authorization codes and refresh tokens | When you connect a connector such as claude.ai or Claude Desktop |
| Automatically collected / device | Cookie and local-storage identifiers, device/browser type, access and usage logs (page views, usage events, etc.), IP address and User-Agent | Collected automatically as you use the Service (IP and User-Agent are not stored by our own server code but may be collected/processed by our hosting platform logs and by analytics/ad tools) |

We do not maintain fields to collect sensitive information (such as beliefs, health, or political views). Because we cannot pre-screen what you type into a document body, please take care not to publish sensitive information.

2. Purposes of Processing

  • Confirming sign-up intent, identifying and authenticating you, and managing accounts and workspaces.
  • Providing the core features — storing, rendering, versioning, searching, and sharing documents.
  • Providing document sharing and collaboration among workspace members.
  • Operating and maintaining the Service, preventing abuse and ensuring security, analyzing usage, and improving quality.
  • Measuring advertising performance (conversions) and marketing (behavioral, see Section 12).
  • Responding to your inquiries and delivering notices.

3. Retention and Use Period

We process and retain personal information within the period required by law or consented to by you.

  • Account information (email, display name, handle, uid, etc.): until you withdraw your membership.
  • Document content, metadata, version history, and search index: until you permanently delete the document or your account is deleted. Each version body is retained in immutable form; a document moved to Trash (soft delete) retains its body until you restore or permanently delete it.
  • Service usage logs and access records: retained until the operational/statistical purpose is achieved, and in any case destroyed at the earlier of 1 year from collection or your withdrawal of membership.
  • Authentication/session: the login session cookie ~14 days; OAuth authorization codes 10 minutes (single-use); OAuth refresh tokens and workspace invite tokens until their respective expiry/revocation (invite tokens 7 days).
  • Where the law requires retention for a set period (e.g., the Protection of Communications Secrets Act), we retain it for that period.

4. Provision to Third Parties

We do not provide your personal information to third parties beyond the scope stated in Sections 1–2, except:

  1. where you have given prior consent;
  2. where required by law or lawfully requested through legal process such as an investigation or trial;
  3. where you yourself share a workspace or make a document public, thereby disclosing the content and your own handle/authoring information to members or the general public (disclosure by your choice);
  4. where behavioral information is sent from your device to advertising providers to measure ad performance (detailed in Section 12).

5. Entrustment of Processing

To provide the Service reliably, we entrust personal-information processing as follows, and our contracts require the processors to handle personal information securely.

| Processor | Entrusted work | Retention/use period |
|---|---|---|
| Vercel Inc. | Web application hosting and serverless execution | Until the contract ends or you withdraw |
| Cloudflare, Inc. | Storage of document bodies, sources (.md/.html) and assets, and public content delivery (CDN) | Until the contract ends or you withdraw |
| Google LLC (Firebase) | User authentication and metadata database (Cloud Firestore) | Until the contract ends or you withdraw |
| PostHog Inc. | Product-usage analytics (improvement, statistics, activation funnel) | Until the contract ends or you withdraw |

If the entrusted work or processor changes, we will disclose it through this policy. As most processors are located outside Korea, the details of cross-border transfer are given separately in Section 6.

6. Cross-Border Transfer

Because we use global infrastructure and tools, personal information is transferred overseas. Under Article 28-8 of PIPA we disclose the transfers below (method: transmitted over the network as you use the Service or as events occur).

| Recipient | Country | Items transferred | Purpose |
|---|---|---|---|
| Vercel Inc. | United States | Request data, cookies, personal information processed server-side | Web hosting / serverless execution |
| Cloudflare, Inc. (R2) | United States and others (global edge, region: auto) | Document bodies, sources, assets (may contain personal information) | Body storage and public content delivery |
| Google LLC (Firebase) | United States | Email, handle, uid, document metadata, etc. | Authentication and metadata storage |
| PostHog Inc. | United States | Page views, usage events, device/browser info, uid, derived IP | Product-usage analytics |
| Reddit, Inc. / Meta Platforms, Inc. | United States | Behavioral data (visit/conversion events), cookie identifiers, derived IP/User-Agent | Ad performance measurement (Section 12) |
| Google LLC / GitHub, Inc. | United States | Email and profile identity at sign-in | OAuth sign-in |

You may refuse the cross-border transfer of your personal information. However, infrastructure entrustment (hosting, storage, authentication) is essential to providing the Service, so refusing it may limit your use of the Service; transfers to analytics/ad tools can be refused by the means in Sections 11–12 (browser cookie settings, blockers, etc.). For refusals or inquiries, contact the privacy officer in Section 13.

7. Children under 14

We provide the Service to users aged 14 or older and do not knowingly collect personal information from children under 14. Children under 14 may not register for or use the Service; if we learn that a user is under 14, that account and its personal information may be deleted without delay.

8. Your Rights and How to Exercise Them

  1. You may at any time request access to, correction of, deletion of, or suspension of processing of your personal information, or withdraw consent.
  2. Rights you can exercise directly in the Service: read and edit documents (inline editing), delete (move to Trash and permanently delete), switch visibility public/private, restore versions, change your handle (in Settings), and sign out / end your session.
  3. To delete your entire account (withdraw membership) and erase, stop processing of, or withdraw consent for the personal information linked to it, contact the privacy officer at admin@streamize.net; after verifying your identity we will act without delay in accordance with the law.
  4. We verify that the person exercising a right is the data subject or a legitimate representative; for a child under 14, a legal guardian may exercise these rights.
  5. You must not infringe others’ personal information or privacy; you are responsible for consequences of entering inaccurate information.

9. Destruction of Personal Information

  1. When personal information becomes unnecessary — because its retention period has elapsed or its processing purpose has been achieved — we destroy it without delay.
  2. Method: personal information in electronic files is permanently deleted by means that make recovery impossible. Permanently deleting a document removes its body, sources (.md/.html), public mirrors, version records, and short link; the related search index and usage records are also destroyed without delay after the retention period elapses or the purpose is achieved.
  3. Personal information that the law requires us to retain is stored separately and destroyed once the statutory period elapses.

10. Security Measures

We take the following technical and administrative measures to process personal information securely.

  • Database access control: clients are entirely barred from accessing the database directly (deny-all rules); all data access goes through the server with owner-based authorization.
  • Encryption in transit and at rest: all communication is encrypted over HTTPS, and stored data is protected by the storage providers’ encryption.
  • Authentication/session protection: the login session cookie is httpOnly, Secure (in production), and SameSite, is verified for revocation on every request, and is invalidated on sign-out to prevent reuse.
  • Credential protection: API keys are stored only as a one-way hash (SHA-256), never in plaintext; OAuth uses PKCE (S256), single-use authorization codes, and rotating refresh tokens with reuse detection.
  • Content security: hb-doc documents are sanitized against an allowlist at ingest; bundles that contain arbitrary code are isolated and rendered cross-origin from a separate sandbox domain; and a strict, nonce-based Content-Security-Policy is applied.
  • Least-privilege access and administrator access control (admin allowlist).

11. Cookies and Similar Technologies

We use cookies and similar technologies (such as local storage) for convenience and analytics.

| Name | Type | Purpose | Lifespan |
|---|---|---|---|
| hb_session | Essential | Login session authentication (the server identifies you) | ~14 days |
| hb_lang | Functional | Remembers your language (/ko) preference | 1 year |
| ph_* (PostHog) | Analytics | Product-usage analytics; user/session identification | Per vendor policy |
| _rdt (Reddit) | Advertising | Ad-conversion tracking | Per vendor policy |
| _fbp (Meta) | Advertising | Ad-conversion tracking | Per vendor policy |

  • Essential/functional cookies are needed to keep you signed in and remember settings; refusing them may limit some features.
  • Analytics/ad cookies (PostHog, Reddit, Meta) operate only when we have configured those tools, and are not loaded on preview deployments or in local environments.
  • You can refuse or delete cookies through your browser settings and use ad/tracker blockers (in which case the analytics/ad tools do not operate).

12. Behavioral Information

  • Collectors: Reddit, Inc. (Reddit Ads pixel), Meta Platforms, Inc. (Meta/Facebook pixel), PostHog Inc. (product analytics).
  • Items: visit/conversion events (page views, sign-up, key generation, first document published, etc.), cookie/device/browser identifiers, and IP/User-Agent derived by the providers.
  • Method: collected and transmitted automatically by pixels/scripts embedded in the web page on your device (PostHog ingests via a same-origin /ingest path, but the ultimate recipient is the PostHog cloud).
  • Purpose: measuring advertising performance (conversions) and analyzing usage.
  • How to refuse: block cookies in your browser, use an ad/tracker blocker, or opt out of personalized ads on each provider’s (Reddit/Meta) ad settings page.
We do not currently operate a server-side Conversions API; the behavioral collection above occurs entirely on your device’s client, so it can be blocked by the means above.

13. Privacy Officer

We have designated a privacy officer to take overall responsibility for personal-information processing and to handle data subjects’ inquiries, complaints, and remedies.

  • Privacy officer: Park Ju-chan (박주찬), Representative
  • Organization: Streamize Inc. (스트리마이즈 주식회사)
  • Phone: +82-10-2128-9446
  • Email: admin@streamize.net

You may direct privacy-related inquiries, complaints, and remedy requests arising from your use of the Service to the contact above, and we will respond and act without delay.

14. Remedies for Rights Violations

To obtain relief for a personal-information violation, you may apply for dispute resolution or counseling with the following bodies (Republic of Korea):

  • Personal Information Dispute Mediation Committee: 1833-6972 / www.kopico.go.kr
  • Privacy Infringement Report Center (KISA): 118 / privacy.kisa.or.kr
  • Supreme Prosecutors’ Office, Cyber Investigation: 1301 / www.spo.go.kr
  • National Police Agency, Cyber Bureau: 182 / ecrm.police.go.kr

15. Changes to This Policy

This Privacy Policy applies from its effective date. If its content is added to, removed, or amended due to changes in law, policy, or the Service, we will announce the reason and the effective date through the Service before the amended policy takes effect.

This Privacy Policy is effective as of June 18, 2026. (Posted: June 18, 2026 / Effective: June 18, 2026)