|
| 1 | +# Privacy |
| 2 | + |
| 3 | +This document describes what Etherpad stores and logs about its users, so |
| 4 | +operators can publish an accurate data-processing statement. |
| 5 | + |
| 6 | +## Pad content and author identity |
| 7 | + |
| 8 | +- Pad text, revision history, and chat messages are written to the |
| 9 | + configured database (see `dbType` / `dbSettings`). |
| 10 | +- Authorship is tracked by an opaque `authorID` that is bound to a |
| 11 | + short-lived author-token cookie. There is no link between an authorID |
| 12 | + and a real-world identity unless a plugin or SSO layer adds one. |
| 13 | + |
| 14 | +## IP addresses |
| 15 | + |
| 16 | +Etherpad never writes a client IP to its database. IPs only appear in |
| 17 | +`log4js` output (the `access`, `http`, `message`, and console loggers). |
| 18 | +Whether those are persisted depends entirely on the log appender your |
| 19 | +deployment configures. |
| 20 | + |
| 21 | +The `ipLogging` setting (`settings.json`) controls what those log |
| 22 | +records contain. All five log sites respect it: |
| 23 | + |
| 24 | +| Setting value | Access / auth / rate-limit log contents | |
| 25 | +| --- | --- | |
| 26 | +| `"anonymous"` (default) | the literal string `ANONYMOUS` | |
| 27 | +| `"truncated"` | IPv4 with last octet zeroed (`1.2.3.0`); IPv6 truncated to the first /48 (`2001:db8:1::`); IPv4-mapped IPv6 truncates the embedded v4; unknowns fall back to `ANONYMOUS` | |
| 28 | +| `"full"` | the original IP address | |
| 29 | + |
| 30 | +The pre-2026 boolean `disableIPlogging` is still honoured for one |
| 31 | +release cycle: `true` maps to `"anonymous"`, `false` maps to `"full"`. |
| 32 | +A deprecation WARN is emitted when only the legacy setting is present. |
| 33 | + |
| 34 | +## Rate limiting |
| 35 | + |
| 36 | +The in-memory socket rate limiter keys on the raw client IP for the |
| 37 | +duration of the limiter window (see `commitRateLimiting` in |
| 38 | +`settings.json`). This state is never written to disk, never sent to a |
| 39 | +plugin, and is thrown away on server restart. |
| 40 | + |
| 41 | +## What Etherpad does not do |
| 42 | + |
| 43 | +- No IP addresses are written to the database. |
| 44 | +- No IP addresses are sent to `clientVars` (and therefore to the |
| 45 | + browser). The long-standing `clientIp: '127.0.0.1'` placeholder was |
| 46 | + removed in the same change that introduced `ipLogging`. |
| 47 | +- No IP addresses are passed to server-side plugin hooks by Etherpad |
| 48 | + itself. Plugins that receive a raw `req` can still read `req.ip` |
| 49 | + directly — audit your installed plugins if you need to rule that |
| 50 | + out. |
| 51 | + |
| 52 | +## Cookies |
| 53 | + |
| 54 | +See [`cookies.md`](cookies.md) for the full cookie list. |
| 55 | + |
| 56 | +## Right to erasure |
| 57 | + |
| 58 | +See |
| 59 | +[`../docs/superpowers/specs/2026-04-18-gdpr-pr1-deletion-controls-design.md`](../docs/superpowers/specs/2026-04-18-gdpr-pr1-deletion-controls-design.md) |
| 60 | +for the deletion-token mechanism. Full author erasure is tracked as a |
| 61 | +follow-up in [ether/etherpad#6701](https://github.com/ether/etherpad/issues/6701). |
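
Review bot: In the "IP addresses" section, "All five log sites respect it" does not match the rest of the text: the paragraph above names four loggers (`access`, `http`, `message`, and console) and the table header names three categories (access / auth / rate-limit), so a reader cannot tell which five call sites are covered. Please list the five sites explicitly so operators can check each one against their appender configuration. In the legacy-setting paragraph, "one release cycle" should name the release in which `disableIPlogging` stops being honoured, and the text should say which setting wins when both `ipLogging` and `disableIPlogging` are present, since the WARN is described only for the case where the legacy setting appears alone.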