Last updated: June 2026
The short version: Your plan contents are encrypted in your browser before they ever reach our server. We cannot read your plans. The encryption key lives only in the link you share — we never see it. If you create an optional account, we store your email address so you can sign in.
WhatPlan uses AES-256-GCM encryption, performed entirely in your browser using the Web Crypto API. When you create or edit a document:
Our server stores only:
We do not store encryption keys, document titles, task names, photos in readable form, or any other plaintext plan content. Anonymous plans are created and shared purely by link — no account is required to create, edit, or share a plan.
WhatPlan works fully without an account. If you choose to create one — to save your plans and access them across devices — our server additionally stores:
To sign in, you enter your email and we send a six-digit code; there is no password. Sign-in codes and update emails are delivered through our email provider, Resend. You can permanently delete your account and everything tied to it at any time from More → Security → Delete my account.
If you opt in, WhatPlan can let you know when a shared plan changes, by web push and/or email. To do this we store your notification preferences and, for push, an anonymous device endpoint provided by your browser. Notifications never contain your plaintext plan content, and you can turn them off at any time. (Web push is a browser / installed-web-app feature and is not available inside the WhatPlan iOS app.)
WhatPlan uses your browser's localStorage and on-device database to:
This data stays on your device and is never sent to our server. Decryption keys are never written to this on-device storage.
To know whether basic flows like saving and sharing are working at all (and to spot regressions quickly), WhatPlan uses Plausible Analytics. Plausible is cookie-less, does not use cross-site identifiers, anonymises IP addresses on the fly, and is GDPR/PECR/CCPA compliant by design.
What we collect:
What we never send:
Opt out: WhatPlan honours the browser Do Not Track setting and suppresses every analytics event when it is on. You can also opt out persistently on this device by opening your browser's developer console and running:
localStorage.setItem('whatplan.analytics.optout', '1')
To opt back in, run localStorage.removeItem('whatplan.analytics.optout') and reload.
Photos added to tasks are resized on your device for efficiency, then encrypted alongside the rest of your document content before being stored. We cannot view or access your photos.
Documents remain stored on our server until they are naturally cleared. Since we cannot read document content, we cannot identify or target specific documents for removal. If you lose the link (and its encryption key), the document becomes permanently unreadable.
If you have questions about this privacy policy, you can reach us through the WhatPlan project page.