Privacy Policy

Stashcord (“Stashcord”, “we”, “us”) is a link- and note-archiving service operated by {LEGAL ENTITY NAME}, with a registered address at {REGISTERED ADDRESS}. You can reach us about this policy at {CONTACT EMAIL}.

This Privacy Policy explains what personal data we collect when you use Stashcord, why we collect it, how we share it, and the rights you have over it. It applies to the Stashcord web app, mobile apps, browser extension, Discord bot, and any related services we operate (the “Service”).

We collect three broad categories of data: account data you give us when you sign up, content data you create or upload while using the Service, and technical data generated automatically when you interact with the Service.

Specifically:

• Account & identity. When you sign up, our authentication provider Clerk processes your name, email address, profile image, and any third-party identity you use to sign in (e.g. Google, GitHub, Discord). We store an internal account identifier and the basic profile fields above.
• User content. Anything you stash — links, notes, attachments, tags, and snapshots of pages you archive. This also includes content captured through our browser extension (e.g. pages or tweets you choose to save) and the Discord bot (e.g. saves you trigger from a Discord channel).
• Archived third-party content. When you save a link, we fetch the page and store a snapshot of it on our infrastructure so it stays available if the original disappears. That snapshot may include the page’s text, images, and metadata.
• Billing data. If you subscribe to a paid plan, our payments provider Polar collects and stores your billing details (name, billing address, payment method). We do not store card numbers or full payment instruments. We do store a Polar customer ID, subscription status, plan, and add-on details so we can grant entitlements.
• Usage & product analytics. We use PostHog to record events about how the Service is used (page views, feature interactions, error reports). These events are linked to your internal account identifier once you sign in.
• Operational logs. Our servers record technical metadata such as request timestamps, IP address, user-agent string, and the path/operation requested, so we can debug, prevent abuse, and operate the Service reliably. Some infrastructure traces and metrics are forwarded to Honeycomb (an observability provider) for the same purposes.
• Communications. Email or messages you send us for support, plus any responses we send back.

We use the data above to:

• Provide, maintain, and improve the Service — including archiving content you save, syncing it across devices, and serving it back to you.
• Authenticate you, secure your account, and detect and prevent fraud, abuse, or violations of our Acceptable Use Policy.
• Bill you for paid plans and manage your subscription via Polar.
• Communicate with you about the Service — service announcements, security alerts, and replies to your support requests. We do not send marketing email without an opt-in.
• Understand how features are used (via PostHog) so we can prioritize improvements.
• Comply with legal obligations and enforce our agreements.

If the GDPR or UK GDPR applies to you, our legal bases for processing your personal data are:

• Contract. Processing necessary to deliver the Service you signed up for (Art. 6(1)(b)).
• Legitimate interests. Operating, securing, and improving the Service; preventing abuse; product analytics (Art. 6(1)(f)). You can object to processing based on legitimate interests — see “Your rights” below.
• Consent. Where required, e.g. for non-essential cookies or analytics in jurisdictions that require opt-in (Art. 6(1)(a)). You can withdraw consent at any time.
• Legal obligation. Where we must process data to comply with applicable law (Art. 6(1)(c)).

We use the following service providers to operate Stashcord. Each acts as a processor on our behalf and is bound by appropriate data protection terms.

• Clerk — authentication and identity (US).
• Convex — primary application database and backend functions (US).
• Cloudflare — R2 object storage for archived content and attachments; CDN; Cloudflare Tunnel for our archive worker (global).
• Vercel — hosting for the web app (US).
• Hetzner — hosting for our archive worker (Germany).
• Polar — payments and subscription management (US).
• PostHog — product analytics and error tracking (US / EU, depending on instance).
• Honeycomb — infrastructure traces and host metrics for our archive worker (US).
• Discord — only if you choose to link your Discord account or use the Stashcord Discord bot. We exchange a minimal set of identifiers (e.g. Discord user ID) with Discord.
• Anthropic — only if you opt to use the Stashcord MCP integration with Claude. Content you choose to expose through the integration is processed by Anthropic to answer your requests.

We do not sell your personal data, and we do not share it with advertising networks.

Most of our processors are based in the United States. If you access the Service from the EEA, UK, or Switzerland, your personal data is transferred to the US or other jurisdictions outside your home country. We rely on Standard Contractual Clauses (and equivalent UK and Swiss safeguards) for these transfers where required, and we select processors that maintain appropriate technical and organizational safeguards.

We keep your account data and content for as long as your account is active. If you delete your account, we delete or anonymize your account data, user content, and archived snapshots within 30 days, except for data we must retain to meet legal obligations (e.g. tax records for billing) or to resolve disputes and enforce our agreements.

Operational logs are typically retained for 30–90 days. Backup copies may persist for a short window after deletion before they age out.

Depending on where you live, you may have the following rights over your personal data:

• Access — ask for a copy of the personal data we hold about you.
• Rectification — ask us to correct inaccurate or incomplete data.
• Deletion / erasure — ask us to delete your account and personal data.
• Portability — ask for an export of your content in a machine-readable format.
• Restriction or objection — ask us to limit how we process your data, or object to processing based on our legitimate interests.
• Withdraw consent — where we relied on consent, you can withdraw it at any time.
• Lodge a complaint — with your local data protection authority. We’d ask you to contact us first so we can try to resolve your concern.

To exercise any of these rights, email {CONTACT EMAIL}. We will respond within the timeframe required by applicable law (typically 30 days under the GDPR).

California residents have similar rights under the CCPA/CPRA, including the right to know, delete, correct, and limit use of sensitive personal information. We do not sell personal information and we do not share it for cross-context behavioral advertising.

We use a small number of strictly necessary cookies to keep you signed in and to remember UI preferences. PostHog may set additional cookies or use local storage to record product analytics events; you can opt out of analytics tracking from within the Service settings where required by your jurisdiction.

The Service is not directed to children under 13 (or under 16 in jurisdictions where that is the applicable threshold), and we do not knowingly collect personal data from them. If you believe a child has provided us with personal data, please contact us so we can delete it.

We use industry-standard safeguards to protect your data — encryption in transit (TLS), encryption at rest for stored content, access controls, rate limiting, and regular monitoring. No service is perfectly secure, however; please use a strong, unique password and let us know promptly if you suspect a breach of your account.

We may update this Privacy Policy from time to time. If we make material changes, we will notify you (for example, by email or an in-app notice) before they take effect. The “Last updated” date at the top of this page reflects when this policy was last revised.

Questions about this policy or how we handle your data? Email {CONTACT EMAIL}, or write to us at {REGISTERED ADDRESS}.