Privacy

numcal is built so there's very little to collect — and the little that exists is anonymized, encrypted, or deleted on a clock.

No accounts are required to use the calculator. There are no cookies, no third-party trackers, no advertising, and nothing about you is sold. This page explains exactly what happens to data, in plain English.

The calculator runs in your browser

When you type a question and it parses, the whole answer is computed on your own device. The query never reaches numcal's server. There is no chatbot, no language model, and no per-query round-trip for the math — so most of what you ask is never transmitted at all.

Analytics

Pageviews go to a self-hosted analytics instance (GoatCounter). It counts a visit without setting a cookie and without storing your IP address. That is the entire telemetry stack — no Google Analytics, no Facebook pixel, no session replay, no fingerprinting.

Queries that don't parse

One narrow exception. When a query fails to parse, it's sent to a log endpoint so the parser can be improved on real misses rather than imagined ones. Stored: the text you typed, a timestamp, and a truncated User-Agent string for bot filtering. Not stored: your IP, any identifier, or anything that ties one logged query to another. Each row is deleted automatically after 90 days. Queries that parse successfully are never logged.

If you sign in (optional)

Accounts are optional — the calculator needs none. Signing in exists only to save things across devices: pinned dates, notebooks, time stamps, capsules, and streaks. Sign-in is a magic link sent to your email; there is no password. What's stored, and how:

• Your email is encrypted at rest. It's stored as ciphertext for display, plus a separate keyed hash used only to look your account up. The plaintext email is never written to the database.
• Your saved data is encrypted per user. Every personal field — marker labels, notebook titles and contents, stamp and capsule text — is encrypted with a key unique to your account. An operator reading the raw database sees only ciphertext, not your labels or notes.
• Your session is a token, not a cookie. It lives in your browser's localStorage; the server keeps only a hash of it. Signing out clears the token.
• The sign-in email is sent via Resend, our email provider, which processes the delivery. Magic-link tokens are stored only as a hash and expire in 15 minutes.
• Rate-limiting uses a hash of your IP, never the IP itself, and only to stop sign-in abuse.

Sharing is opt-in

A notebook is private until you explicitly share it — by publishing a public link or enabling a calendar-subscription URL. Either can be revoked at any time, which invalidates the link.

Deleting your data

Signing out removes the token from your browser. To delete your account, open Settings → Delete account, type your email to confirm, and choose Delete forever. It's immediate and self-serve — no email, no waiting.

Deletion is a crypto-shred: your account's data key is destroyed, so the encrypted content — notebook titles and lines, marker and stamp labels, capsule text — can't be recovered afterward, not even from a backup that happens to survive. It also removes your notebooks, markers, time stamps, time capsules, streaks, and active sessions. There is no undo.

No advertising, no selling

There are no banner ads, tracking pixels, sponsored suggestions, or affiliate links, and there never will be. Your queries are not collected and not sold — for the ones that parse, there's nothing to collect in the first place. A future paid API will fund the operation; the web tool stays free.

Changes

If this policy changes in a way that matters, the change will be reflected here with a new date below. Questions are welcome — see the API page for how to reach a human.

Last reviewed May 22, 2026.