Privacy Policy

Last updated: June 6, 2026

1. Information We Collect

When you use Postclyp (the "Service"), we collect the following categories of information:

  • Account information — your email address and Google account identifier when you sign in with Google OAuth.
  • Authentication data — Supabase session tokens and authentication cookies required to keep you signed in.
  • Saved content — the page text, image URLs, hyperlinks, titles, source URL, and platform metadata of any web page you save through the Postclyp Chrome extension or web app.
  • Usage and organization data — timestamps, AI-generated tags, clusters, save counts, and other metadata derived from your saved content.
  • Product analytics — behavioral events from the web app and the Chrome extension (page views, feature usage, save-and-extract funnel, content-script lifecycle, auth-bridge outcomes, error reports, and autocaptured interaction events such as clicks and form submissions — input field values are never captured). We also use PostHog's session replay to record a sample of your sessions (see §10). Events use an anonymous device-scoped distinct ID before sign-in. After sign-in, your account is identified to our analytics processor (PostHog) using your Supabase user ID (an opaque UUID), your email address, and the name on your Google account as person properties so we can triage per-user reports. Your password, saved content, and authentication tokens are never sent to PostHog. See §4 for processor scope and §7 for retention.

We do not collect health, financial, payment, location, browsing history outside of saves you initiate, or personal communications.

Providing your account information (email and Google account identifier) is necessary to use Postclyp — without it we cannot create or maintain your account. Saving content is entirely at your initiative; you choose what, if anything, to save.

2. How We Use Your Information

We use the information we collect to (a) provide and maintain Postclyp, (b) authenticate you and secure your account, (c) generate AI-powered tags and clusters from your saved content, (d) communicate service-related updates, and (e) measure and improve product quality. We do not sell or share your personal data, and we do not use it to train third-party AI models.

3. Legal Basis for Processing

If you are in the EEA or UK, we process your personal data only where we have a lawful basis under Article 6 of the GDPR. The basis depends on what we are doing:

  • Account and authentication data — to create your account, keep you signed in, and secure access. Lawful basis: performance of a contract (Art. 6(1)(b)).
  • Saved content, tags, clusters, and embeddings — to provide the save-and-organize feature you asked for. Lawful basis: performance of a contract (Art. 6(1)(b)).
  • Product analytics (PostHog events, autocapture, and session replay) — to understand how Postclyp is used so we can improve it. Lawful basis: legitimate interests (Art. 6(1)(f)). You can object to this processing at any time (see §8).
  • Service communications — to tell you about important changes to the Service. Lawful basis: performance of a contract or legitimate interests (Art. 6(1)(b)/(f)).
  • In-product feedback — to receive, triage, and respond to feedback you send. Lawful basis: legitimate interests (Art. 6(1)(f)); you initiate the submission.
  • Export to Google Docs — to create the document you explicitly asked us to create. Lawful basis: consent (Art. 6(1)(a)), given through Google's OAuth screen.
  • Security, abuse prevention, and legal compliance — to protect the Service and meet our legal obligations. Lawful basis: legitimate interests or a legal obligation (Art. 6(1)(f)/(c)).

Where we rely on legitimate interests, you have the right to object (see §8). Where we rely on consent, you can withdraw it at any time without affecting processing that already took place.

4. Data Storage and Security

Your data is stored using industry-standard encryption (TLS in transit, AES-256 at rest) and access controls. Specifically:

  • Supabase — hosts your account, sessions, saved content, tags, and clusters. Row-level security (RLS) policies ensure only you can access your data.
  • OpenAI — receives only the text portion of a save (no email, no account identifier) to generate tags, clusters, and semantic-search embeddings. OpenAI is contractually bound not to use the content to train its models.
  • PostHog (US region, us.i.posthog.com) — receives product analytics events. Pre-sign-in events use an anonymous device-scoped distinct ID. Post-sign-in events carry your Supabase user ID (UUID), your email address, and the name on your Google account as person properties so engineering can triage per-user reports. PostHog also records a sample of user sessions as session replays (see §10). Your password, saved content, and authentication tokens are never sent to PostHog.
  • Vercel Speed Insights (Core Web Vitals collected via Vercel's edge proxy on the same origin as the site) — receives anonymous Core Web Vitals measurements (page load timing, layout shift, interaction latency). No cookies or persistent user identifiers are stored; transient request metadata (IP, User-Agent) is used only to compute aggregate Core Web Vitals for this site and is not used to build persistent user profiles. Vercel's handling of this data is governed by the Vercel Privacy Policy.

Beyond the encryption above, we isolate accounts with Row-Level Security, apply least-privilege access controls, and authenticate through Google OAuth — we never store a Postclyp password. No system is perfectly secure, but we use industry-standard safeguards to protect your data.

If we become aware of a personal-data breach that affects you, we will act promptly. Where the law requires it, we will notify the relevant supervisory authority without undue delay — under the GDPR, within 72 hours of becoming aware — and, if the breach is likely to result in a high risk to your rights, we will notify you directly without undue delay. We will also meet the breach-notification requirements of any other applicable law, including United States state laws.

5. Third-Party Services

Postclyp relies on the following sub-processors. Each is bound by a data processing agreement and has its own privacy policy:

6. International Data Transfers

Postclyp is operated from India, and your data is processed in more than one country. Your account and saved content are stored in India (Supabase, Mumbai region), and some sub-processors process data in the United States — PostHog (analytics), our AI providers, Google (sign-in and Drive export), and Vercel (hosting).

If you are in the EEA or UK, this means your personal data is transferred outside your home region to countries that may not provide an equivalent level of data protection. Where we make such a transfer, we rely on appropriate safeguards — principally the European Commission's Standard Contractual Clauses (and, for UK users, the UK International Data Transfer Addendum), incorporated into the data processing agreements we hold with each sub-processor listed in §5. You can request a copy of the relevant safeguards by emailing legal@postclyp.com.

7. Data Retention

  • Account data and saved content are retained for as long as your account is active.
  • Saved items are deleted from our primary database immediately when you delete them, and purged from encrypted backups within 30 days.
  • Product analytics events are retained for up to 90 days. Pre-sign-in events stay pseudonymized; post-sign-in events stay associated with your Supabase user ID and identifying person properties (email, name) for the same 90-day window, then drop to aggregate-only reporting.
  • In-product feedback submissions — when you send feedback through the in-app composer, your message and any screenshot attachments are mirrored to a private Slack channel (90-day retention on the Slack side under our current plan) and to a private GitHub repository for triage. The durable archive in our database, including the original screenshot files, remains until you request deletion. To request deletion of feedback you submitted, email feedback@postclyp.com from the address associated with your account.
  • If you delete your account, all personal data is removed within 7 days from primary storage and within 30 days from backups.

8. Your Rights

Depending on where you live, you have the following rights with respect to your personal data:

  • GDPR (EU/UK/EEA) — access, rectification, erasure, portability, restriction of processing, and objection to processing. You also have the right to lodge a complaint with your local supervisory authority.
  • CCPA / CPRA (California) — the right to know what personal information we collect, the right to delete it, the right to correct it, the right to opt out of any sale or sharing of personal information, and the right not to be discriminated against for exercising any of these rights. We do not sell or share personal information.

To exercise GDPR or CCPA rights, email legal@postclyp.com. For any other privacy questions, email hello@postclyp.com. We will respond within 30 days.

9. Account Deletion

You can delete your Postclyp account at any time from Settings → Delete Account in the app, or by emailing hello@postclyp.com from the address associated with your account. Deletion removes your profile, saved content, tags, clusters, and authentication tokens. The action is irreversible and takes effect within 7 days, with encrypted backups purged within 30 days.

10. Cookies and Tracking

We use essential cookies for authentication and session management. We use product analytics (PostHog, listed as a sub-processor in §5) to understand how Postclyp is used so we can improve it. This includes autocapture, which records interaction events (clicks and form submissions) and the metadata of the elements you interact with; input field values are not captured. See §1 and §4 for the data scope and identifier handling. We do not use third-party advertising cookies or cross-site tracking.

Session replay. To diagnose bugs and improve usability, we use PostHog's session replay to record a sample of user sessions — a reconstruction of how you interact with a page. Values you type into input fields are masked, and we exclude internal and admin accounts; we never use replay for advertising. Lawful basis: legitimate interest (see §3); you can object at any time (see §8).

11. Changes to This Policy

We may update this privacy policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the "Last updated" date. Continued use of Postclyp after the effective date constitutes acceptance of the revised policy.

12. Google API Services Limited Use Disclosure

Postclyp's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

  • We use Google user data only to provide the user-facing "Export to Google Docs" feature inside Postclyp.
  • We do not transfer the data to third parties except as necessary to provide the feature, comply with applicable law, or as part of a merger or acquisition with the same protections in place.
  • We do not use the data for serving advertisements.
  • We do not allow humans to read the data unless we have the user's explicit consent for specific messages, doing so is necessary for security purposes, or doing so is necessary to comply with applicable law.

13. Contact Us

If you have questions about this privacy policy or our data practices, contact us at hello@postclyp.com.