The Tome's Promise to You
Privacy Policy
Effective date: May 18, 2026
The Tome holds your stories. It does not read them, share them, or profit from them. What you write here is yours — completely, permanently, without reservation.
Overview
This policy describes what information the Tome collects when you use it, why that information is needed, and how it is stored. Nothing here is buried in fine print. If something is collected, it is named below.
Information We Collect
When you sign in through Google or GitHub OAuth, we receive and store the following profile fields provided by your chosen OAuth provider:
- Display name
- Email address
- Profile avatar URL
- A provider-specific user ID, used to recognize your account across sessions
We do not receive, store, or ever handle your OAuth provider password, nor any access or refresh tokens issued by Google or GitHub. The handshake happens; the keys stay with them.
Your Content
Every project, document, note, and fragment you write inside the Tome is stored in the database on the server hosting this application.
The Tome is a place to write — not a platform harvesting the words you trust it with.
Cookies & Sessions
When you sign in, the application sets a single cookie containing a signed JWT. This cookie is:
- HttpOnly — inaccessible to JavaScript running in the page
- Secure — transmitted only over encrypted connections
- SameSite=Strict — not shared with any third-party domain
A companion refresh token cookie — carrying the same security attributes — silently renews your session when the primary token expires. You will not be interrupted mid-sentence.
We use no advertising cookies, no analytics cookies, and no third-party tracking scripts of any kind. The Tome does not watch you write.
Data Sharing
Your data is held entirely within Insanitomeium's infrastructure. We do not sell it, trade it, or share it with third parties.
No data is transmitted to external services — with one narrow exception: the OAuth handshake with Google or GitHub that occurs at sign-in. That exchange is limited, necessary, and does not include your content.
Data Retention & Deletion
Your account and all content associated with it remain in the Tome until you choose to remove it. To delete your account and everything written under it, contact us directly and we will take care of it.
The Tome does not hold onto what you ask it to release.
Security
The Tome is built with security as a foundational concern, not an afterthought:
- JWT tokens are signed with RS256 asymmetric keys
- CSRF protection is applied to all state-mutating endpoints
- All database queries use parameterized statements
We are responsible for keeping the infrastructure, TLS certificates, and environment secrets current and secure. That obligation belongs to us, not to you.
Changes to This Policy
If this policy is updated, the effective date at the top of this page will reflect the revision. Continued use of the application after an update constitutes acceptance of the revised terms.
We will not obscure meaningful changes. If something important shifts, it will be plain to see.