Security
How documents and accounts are protected
This page states the controls the service currently enforces and the security properties it does not claim.
Transport and upload handling
- Public application traffic uses HTTPS.
- Uploaded source files are written to a request-scoped temporary directory and removed when that conversion request ends.
- File extensions and upload sizes are validated before conversion.
Accounts and result delivery
- Email ownership is verified with a short-lived code.
- Sessions are server-side, expire, and use secure HTTP-only cookies in production.
- Generated Markdown is delivered only after the account and plan checks succeed.
- Authentication and analytics endpoints have bounded request and rate controls.
Persistent data
Generated Markdown, account records, download records, and billing entitlement records are stored in the application database. Access is restricted at the infrastructure level. The application does not currently apply per-document field encryption to stored Markdown and does not claim an automatic deletion window.
External processing
Scanned pages and images may be sent to a specialized OCR processor. Checkout is handled by Gumroad. Cloudflare provides network and delivery services, and the application is hosted on Contabo infrastructure. See the privacy notice for the data categories involved.
Report a security issue
Send a reproducible report to th3nolo@th3nolo.com. Do not include customer documents, credentials, or secrets in the first message.