# Private workspaces, encryption and access

Canonical HTML: [https://collty.com/help/security/private-workspaces-and-access](https://collty.com/help/security/private-workspaces-and-access)
Audience: Everyone
Reading time: 7 min
Updated: 2026-07-15T00:00:00.000Z

Understand what is public, what stays private and how Collty separates the two.

## Public discovery and private work are separate

Public pages, published Insights, public team pages and approved public profile information can be discoverable. Private workspaces, tasks, files, billing records, non-public profiles and all chats remain outside public indexing and AI discovery resources.

## How private data is protected

### Inside Collty: Layered workspace and field protection

Private records are scoped by workspace, project and participant permissions. Sensitive fields use application-level AES-256-GCM encryption, while HMAC-SHA256 lookups allow exact matching without turning encrypted content into public search data.

- Authenticated server checks enforce project and participant boundaries.
- Encrypted fields and lookup hashes serve different purposes and are stored separately.
- Private routes are excluded from sitemaps, feeds, llms resources and indexing directives.
- Chats are never part of public discovery, even when a Signal or profile is public.

## Share deliberately

1. **Check the object:** Confirm whether you are sharing a public profile, a team preview or a private project object.
2. **Check access:** Add only the people who need the workspace or project.
3. **Use project communication:** Keep confidential decisions inside authorized project tools rather than public Signals.

## Related guides

- [Choose Your Workspace](https://collty.com/help/getting-started/choose-your-workspace)
- [Map Work In Creative Canvas](https://collty.com/help/projects/map-work-in-creative-canvas)
- [Browser Mobile And Sync](https://collty.com/help/troubleshooting/browser-mobile-and-sync)
