Privacy Policy

Last updated: April 27, 2026

Stash is a tool for capturing and recalling things you find on the web. We only collect what we need to make that work, we don't sell your data, and you can delete your account and stored captures at any time.

1. Who we are

"Stash" (we, us) refers to the operator of the Stash Chrome extension, the web application at app.stashcapture.com, and the marketing site at stashcapture.com.

Contact: stash.admin@gmail.com

2. What data we collect

Account information

• Email address, display name, and profile picture, supplied by your OAuth provider (currently Google) when you sign in.
• An internal user ID generated by our authentication provider.

Captures and content you save

When you use Stash to save something, we store the content you choose to capture. Depending on the capture type, this can include:

• The source URL and page title.
• Selected text, screenshots, or images you explicitly capture.
• AI-generated summaries, tags, and metadata derived from that content.
• Notes, tags, and edits you add yourself.

Stash does not passively read pages you visit. Captures are created only when you explicitly trigger them.

Usage and diagnostic data

• Basic event logs (e.g. capture saved, sign-in succeeded) used to operate the service and diagnose issues.
• Standard request metadata such as IP address, user agent, and timestamps, retained briefly for security and abuse prevention.

What we do not collect

• We do not sell personal data to third parties.
• We do not use third-party advertising trackers on stashcapture.com or app.stashcapture.com.
• We do not access your browsing history outside of explicit captures.

3. How we use your data

• Provide the service. Sign you in, store and serve your captures, and sync between the extension and the web app.
• AI processing. When you save a capture, we send the captured content to AI providers (see Section 4) to generate titles, summaries, tags, and other enrichments.
• Improve reliability. Diagnose bugs, prevent abuse, and monitor service health.
• Communicate with you. Send transactional messages tied to your account (e.g. account changes). We do not send marketing email unless you opt in.

4. Third-party services we use

To run Stash we rely on a small set of vendors:

• Google OAuth — for sign-in. Google receives a standard OAuth handshake. Stash never receives your Google password.
• Supabase (database, authentication, storage) — stores your account record, captures, and uploaded media.
• AI providers (currently Anthropic and OpenAI) — process the content of a capture at the moment you save it, in order to generate summaries, tags, and other metadata. Content sent to AI providers is not used to train their public models per their enterprise API terms.
• Cloudflare — DNS, CDN, and static site hosting for stashcapture.com and app.stashcapture.com.

Each vendor handles data under its own privacy policy. We share only the minimum required for the feature to work.

5. Data retention

• Captures and account data are retained until you delete them or delete your account.
• Diagnostic logs are retained for up to 90 days, then rotated.
• Backups may persist for up to 30 days after deletion before being fully purged.

6. Your rights

You can, at any time:

• Access and export your captures from the web app.
• Delete individual captures.
• Request full account deletion by emailing stash.admin@gmail.com. We will honor verified deletion requests within 30 days.

If you are in the EEA, UK, California, or another jurisdiction with similar laws, you have additional rights (access, correction, portability, objection, restriction). Reach out to the email above to exercise them.

7. Children

Stash is not directed to children under 13 (or under 16 in the EEA). We do not knowingly collect personal data from children. If you believe a child has created an account, contact us and we will delete it.

8. Security

We use industry-standard practices: TLS in transit, encryption at rest via our hosting providers, scoped database access, and least-privilege service credentials. No system is perfectly secure; please use a strong unique password on the OAuth account you use to sign in.

9. International transfers

Stash is operated globally. Your data may be processed in countries other than your country of residence, including the United States. By using Stash you consent to this transfer where local law permits.

10. Changes to this policy

We may update this Privacy Policy as the service evolves. Material changes will be announced in-app or via email, and the "Last updated" date above will be revised. Continued use of Stash after changes constitutes acceptance of the updated policy.

11. Contact

Questions, concerns, or data requests: stash.admin@gmail.com.