Privacy & security

How we store, encrypt, and let you delete your data.

  • OAuth and integration tokens are encrypted at rest with AES-256-GCM.
  • Passwords are bcrypt-hashed (cost 12).
  • Sessions are signed JWTs tracked in a server-side `sessions` collection — revoke any device from Settings → Account.
  • Login is rate-limited (5 attempts / 5 min / IP) plus per-account lockout (10 failures / hour / email).
  • OAuth flows use CSRF state parameters.
  • Server logs auto-purge after 30 days via TTL index.
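The session design in the list above, a signed JWT that is also looked up in a server-side `sessions` collection so that revoking a device really invalidates its token, as an added illustration. This is example code written for this page, not the service's own implementation; the in-memory `sessions` dict, `issue_session`, `verify_session` and `revoke_device` are assumed names, and the HS256 signing is done with the Python standard library.

```python
import base64, hashlib, hmac, json, secrets, time
from typing import Dict, Optional

# Constructed signing key for this example; a real service loads it from a secret store.
SECRET = secrets.token_bytes(32)
# In-memory stand-in for the server-side `sessions` collection (hypothetical schema).
sessions: Dict[str, dict] = {}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

# Create a session record, then mint an HS256 JWT that references it by `sid`.
def issue_session(user_id: str, device: str, ttl: int = 3600, now: Optional[int] = None) -> str:
    now = int(time.time()) if now is None else now
    sid = secrets.token_urlsafe(16)
    sessions[sid] = {"user": user_id, "device": device, "revoked": False}
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps({"sub": user_id, "sid": sid, "iat": now, "exp": now + ttl}).encode())
    sig = _b64(hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest())
    return f"{header}.{payload}.{sig}"

# Return the claims only if signature, expiry AND the server-side record all check out.
def verify_session(token: str, now: Optional[int] = None) -> Optional[dict]:
    now = int(time.time()) if now is None else now
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(sig), expected):
            return None  # tampered or foreign signature
        if json.loads(_unb64(header)).get("alg") != "HS256":
            return None  # never trust the token's own alg claim
        claims = json.loads(_unb64(payload))
    except ValueError:
        return None  # malformed structure, base64 or JSON
    if claims.get("exp", 0) <= now:
        return None  # expired
    record = sessions.get(claims.get("sid"))
    if record is None or record["revoked"] or record["user"] != claims.get("sub"):
        return None  # revoked from Settings -> Account, or unknown session
    return claims

# Mark every live session for one device as revoked; returns how many were revoked.
def revoke_device(user_id: str, device: str) -> int:
    hits = [r for r in sessions.values() if r["user"] == user_id and r["device"] == device and not r["revoked"]]
    for r in hits:
        r["revoked"] = True
    return len(hits)
```

A purely stateless JWT would still verify after the user clicks "revoke", which is why the server-side lookup is the step that makes device revocation effective.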

You can export every mindmap, note, and quiz as JSON and delete your account at any time from Settings → Danger. Read the full Privacy Policy and Cookie Policy for details.