Privacy Policy
What we collect, why, and how we keep it safe. Plain English, not legalese.
Last updated 2026-04-29
The short version
We collect the minimum we need to run your account: your email, your name, your bookmarks, and the auth token your devices use to talk to our servers. We don't sell your data, share it with partners, or use it to train AI models. You can delete your account anytime and we erase everything within 24 hours.
If that's all you wanted to know, great. The sections below get specific for the App Store reviewers, the lawyers, and anyone who likes details.
1. What we collect
Account information
- Email address — required for account creation and where we send your bookmarks.
- Name — your display name. You provide this on signup.
- Password — stored as a cryptographic hash. We can't read your password; if you forget it you have to reset it.
- OAuth identity — if you sign in with Apple, Google, or GitHub, we store the provider's user ID and (where available) the email they share with us.
Bookmarks (your content)
- URL, title, and optional note for every bookmark you save.
- The source (iOS Share Extension, Chrome extension, web) — so we can show you stats and improve the relevant client.
- Send status — whether the email leg succeeded, failed, or is pending.
Settings
- Destination email — if you want bookmarks sent to a different inbox than your account email.
- Subject preface / suffix — your customizations for the bookmark email subject line.
- Custom mail headers — optional; for power users routing bookmarks through filtering rules.
Authentication artifacts
- Personal access tokens — when you create one in Settings to authorize a device. Stored hashed; the plaintext is shown to you once at creation and never again.
- Web session cookie — when you log in via the browser. Standard server-side session.
- Login attempts — IP address, email, outcome (success or failure), and timestamp. Used for rate-limiting and audit. Pruned after 30 days.
Subscription
- Subscription status — active / cancelled / expired. We get this from Apple (or Google, when Android ships) via RevenueCat. We never see your credit card or Apple ID password.
Operational logs
- Server-side error logs may include IP addresses, user IDs, and request paths when something goes wrong. Used for debugging and ops; pruned after 7 days.
What we do NOT collect
- Your browsing history outside of bookmarks you explicitly save.
- Your contacts, photos, location, or microphone.
- Cross-site or cross-app tracking identifiers.
- Any third-party analytics, pixels, or fingerprinting scripts.
2. Why we collect it
Each piece of data above maps to a specific function:
- Email + name → so you have an account and so the email leg of bookmarks works.
- Bookmarks → so we can show you your library and email you the link.
- OAuth identity → so you can sign in without a password.
- Tokens + sessions → so we know it's actually you when you ingest a bookmark.
- Settings → because you set them; we honor them.
- Login attempts → so we can throttle brute-force attacks and show you (in admin) recent activity.
- Subscription status → so we know whether to gate paid features.
- Logs → so we can fix bugs that affect you.
3. Who we share it with
Nobody, in the marketing sense — we don't sell, rent, or barter your data. We do work with a small set of subprocessors that help us deliver the service:
- Resend (resend.com) — our email transport. They see the bookmark URL, the email subject we generate, and your destination email address each time we send an email on your behalf. Their privacy policy.
- Apple, Google, GitHub — only if you choose to sign in via OAuth, and only what their flow exposes (email, profile name, provider user ID). They never see your bookmarks.
- Apple App Store + RevenueCat (revenuecat.com) — Apple processes your subscription payment; RevenueCat validates the receipt and tells our server whether you're a paying user. Apple sees the purchase; RevenueCat sees the entitlement event.
- Our hosting provider — cPanel-based shared hosting in the United States. They have system-level access to the server but no application-level access to your data.
- Anthropic (anthropic.com) — when you use a Pro AI feature (auto-tag, summary, weekly digest, chat), we send the relevant bookmark text to Claude Haiku via Anthropic's API. They do not retain or train on it (per their commercial privacy terms). Free-tier users never trigger these calls.
That's the full list. We will update this section if it ever changes, and we'll notify active users by email if a new subprocessor handles substantive personal data.
4. How long we keep it
- Active accounts — as long as the account exists.
- Deleted accounts — gone within 24 hours of you clicking Delete Account in Settings. Cascades to bookmarks, settings, OAuth links, tokens, and sessions. Operational logs may persist for up to 7 more days, then are deleted by automated cleanup.
- Login attempts — 30 days, then automatically deleted.
- Audit / forensic logs — 7 days.
- Backups — daily backups retained 14 days, then overwritten. If you delete your account, your data may persist in a backup for up to 14 additional days before being aged out.
5. Your rights
Regardless of where you live, you can:
- Access your data — visit your bookmark library at app.stash2self.com.
- Export your data — email support@stash2self.com and we'll send you a JSON dump of everything we have on you, within 7 days.
- Correct your data — most fields you can edit yourself in Settings; for anything else, email us.
- Delete your data — Settings → Delete Account, in-app.
- Object to specific processing or opt out of marketing emails — we don't currently send marketing emails, so this is mostly hypothetical, but the right exists.
If you're in the EU, UK, or California, you have additional rights under GDPR / UK-GDPR / CCPA — including the right to lodge a complaint with your local data protection authority. We'll respond to any rights request within 30 days.
6. Children's privacy
Stash2Self is not directed at children under 13 (or 16, in the EU). We don't knowingly collect data from children. If you believe we have, email support@stash2self.com and we'll delete the account.
7. Cookies
We use a single first-party session cookie when you log into the web app. It is set with the HttpOnly, Secure, and SameSite=Strict attributes, expires after 12 hours of inactivity, and contains nothing more than a server-side session ID. We do not use third-party cookies, advertising cookies, or analytics cookies on either the marketing site (stash2self.com) or the app (app.stash2self.com).
8. Security
The technical safeguards in place:
- HTTPS everywhere; HTTP requests redirect to HTTPS.
- Passwords stored using bcrypt with a 12-round cost factor.
- Personal access tokens stored as SHA-256 hashes; the plaintext is shown once at creation.
- Rate limiting on login (5/min/IP+email), registration (10/min/IP), and password resets (5/min/IP).
- Per-user data isolation enforced at the application layer for every read and write.
- Daily backups, automated cleanup of stale audit data, regular dependency updates.
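The personal-access-token safeguard above (random token shown once, only its SHA-256 hash stored, tokens dropped when the account is deleted) as an added Python example. This is illustrative code written for this page, not Stash2Self's own; the class name, method names, and the "s2s_" prefix are assumptions.

```python
import hashlib
import secrets


def _digest(plaintext: str) -> str:
    # Only this SHA-256 hex digest is ever persisted; the token itself is not.
    return hashlib.sha256(plaintext.encode("utf-8")).hexdigest()


class TokenStore:
    """Personal-access-token store: plaintext shown once, hash kept, revocable."""

    def __init__(self) -> None:
        self._rows = {}  # sha256 hex -> owning user id (stand-in for a DB table)

    def create_token(self, user_id: int) -> str:
        # 32 random bytes (256 bits) from the OS CSPRNG. The prefix is an
        # assumption that only helps secret-scanning tools; it has no security
        # role. The return value is the single copy of the plaintext: it is
        # neither logged nor stored, so the server cannot show it again.
        plaintext = "s2s_" + secrets.token_urlsafe(32)
        self._rows[_digest(plaintext)] = user_id
        return plaintext

    def verify_token(self, presented: str):
        # Hash what the client presented and look the digest up. With 256 bits
        # of entropy a leaked table of hashes cannot be reversed or guessed,
        # which is why storing the hash rather than the token is enough.
        return self._rows.get(_digest(presented))

    def revoke_token(self, presented: str) -> bool:
        # Revocation also works from the plaintext: hash it and delete the row.
        return self._rows.pop(_digest(presented), None) is not None

    def revoke_user(self, user_id: int) -> int:
        # Account deletion cascades to tokens (section 4): drop every row the
        # user owns and report how many were removed.
        doomed = [h for h, uid in self._rows.items() if uid == user_id]
        for h in doomed:
            del self._rows[h]
        return len(doomed)

    def stored_rows(self) -> dict:
        # What someone with read access to the table would actually see.
        return dict(self._rows)
```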
9. Where your data lives
Stash2Self runs on shared hosting located in the United States. Subprocessors (Resend, RevenueCat, Anthropic, OAuth providers) operate from data centers around the world; consult their privacy pages for specifics. By using Stash2Self, you consent to your data being processed in the United States and wherever our subprocessors operate.
10. Changes to this policy
If we make material changes, we'll update the "Last updated" date at the top of this page and email active users. Non-material changes (typo fixes, clarifications) are made silently.
11. Contact
Privacy questions, data requests, complaints — email support@stash2self.com. We're a small team and we read every message.