Privacy Policy

1. Introduction

Readstash ("we," "our," or "us"), a product built by Seven Hills Software, is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our content saving and digest service, including our website and Chrome extension (collectively, the "Service").

By using Readstash, you consent to the data practices described in this policy.

2. Information We Collect

2.1 Account Information

Email addresses and profile information provided during account creation. If you sign up via Google OAuth, we receive your name and email from Google.

2.2 Content Data

Our Chrome extension and X (Twitter) integration collect:

• Tweets, threads, and bookmarks you save
• URLs and metadata of saved content
• AI-generated summaries of your saved content
• Categories, tags, and interests you assign to content

We do not access your direct messages, followers list, or any content you have not explicitly chosen to save.

2.3 Payment Information

Stripe processes all payments. We do not store your full credit card details. Stripe provides us with limited data such as the last four digits of your card and transaction status.

2.4 Usage Data

We automatically collect interaction data including pages visited, features used, browser type, IP address, and device information.

3. How We Use Your Information

• Provide and maintain the Service, including saving and organizing your content
• Generate AI-powered summaries of your saved content
• Send weekly email digests of your saved content
• Process payments and manage subscriptions
• Communicate with you about service updates and support
• Improve and optimize our Service and develop new features
• Detect and prevent fraud or abuse
• Comply with legal obligations

4. Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA), we process your data based on:

• Contract: Processing necessary to provide the Service
• Legitimate Interest: Service improvement, fraud prevention, security
• Consent: Optional marketing communications
• Legal Obligation: Compliance with applicable laws

5. Data Sharing and Third Parties

We share data with the following service providers:

• Supabase — Database and authentication (USA)
• OpenAI — AI summarization processing (USA)
• Stripe — Payment processing (USA)
• Vercel — Hosting and deployment (USA)
• Google — OAuth authentication (if selected)
• Resend — Email delivery for digests (USA)

We do not sell your personal information. We only disclose data when legally required or to protect our rights.

6. International Data Transfers

Your data may be transferred to the United States where our service providers operate. For EEA users, we ensure appropriate safeguards are in place, including Standard Contractual Clauses.

7. Data Retention

• Saved content: Retained until you delete it or close your account
• Account data: Retained until account deletion
• Payment records: 7 years for tax and legal compliance
• Usage logs: Up to 90 days
• Email digest history: 1 year

Anonymized or aggregated data may be retained after account deletion.

8. Data Security

We implement industry-standard security measures including:

• TLS 1.3 encryption for data in transit
• Encryption at rest for stored data
• Secure API key authentication
• Regular security audits
• Access controls and authentication requirements

No method of transmission over the Internet is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

9. Your Rights

9.1 All Users

• Access your personal data via your dashboard
• Correct inaccurate information
• Delete your account and associated data
• Export your saved content
• Opt-out of marketing communications

9.2 EEA Users (GDPR)

• Object to processing based on legitimate interest
• Restrict processing of your data
• Withdraw consent at any time
• Lodge a complaint with your local data protection authority

9.3 California Users (CCPA)

• Know what personal information is collected
• Know whether your data is sold or disclosed
• Opt-out of the sale of personal information (we do not sell your data)
• Non-discrimination for exercising your rights

9.4 Indian Users (DPDPA)

• Access your personal data
• Correct or erase your data
• Grievance redressal
• Nominate representatives

10. Data Breach Notification

In the event of a data breach, we will notify affected users via email within 72 hours of becoming aware of the breach, in accordance with GDPR and DPDPA requirements. We will also notify relevant regulatory authorities where required.

11. Children's Privacy

Readstash is not intended for users under 16 years of age. We do not knowingly collect personal information from children. If you believe we have collected data from a minor, please contact us immediately.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or a prominent notice on our Service. Continued use of the Service after changes constitutes acceptance of the updated policy.

13. Contact Us

If you have questions about this Privacy Policy or wish to exercise your rights, please contact us at:

Email: support@readstash.app
Company: Seven Hills Software

GDPR inquiries may also be directed to your local data protection authority.