Privacy Policy

Last updated: March 2026

Stashmark ("we", "us", "our") is operated by a sole proprietor based in Amsterdam, the Netherlands. We are committed to protecting your privacy and handling your data transparently. This policy explains what data we collect, why, and how we protect it.

This policy applies to the cloud-hosted service at app.stashmark.app. If you self-host Stashmark, you are the data controller for your own instance and this policy does not apply.

1. Data We Collect

We collect only what is necessary to provide the service:

  • Account information - email address and display name. If you sign in with Google, we receive your name and email from Google; we do not access your Google data beyond authentication.
  • Bookmarks - URLs, titles, descriptions, and metadata you save.
  • Highlights - text selections you highlight on web pages.
  • Notes - any notes you attach to bookmarks or highlights.
  • Folders and tags - your organizational structure.
  • Preserved pages - article content and screenshots/PDFs if you use the preservation feature.
  • Technical data - IP address, browser type, and request timestamps in server logs. These are retained for up to 30 days for security and debugging.

We do not collect browsing history, track your activity across websites, build advertising profiles, or sell your data. Ever.

2. Legal Basis for Processing (GDPR)

Under the General Data Protection Regulation (GDPR), we process your data on the following legal bases:

  • Contract performance (Art. 6(1)(b)) - processing necessary to provide the Stashmark service you signed up for.
  • Legitimate interest (Art. 6(1)(f)) - server logs for security, fraud prevention, and service reliability.
  • Consent (Art. 6(1)(a)) - optional features like Google OAuth sign-in. You can withdraw consent at any time.

3. How We Use Your Data

Your data is used exclusively to:

  • Provide, maintain, and improve the Stashmark service
  • Sync your bookmarks, highlights, and notes across your devices
  • Send transactional emails (account verification, password resets, security alerts)
  • Diagnose technical issues and prevent abuse

We do not use your data for advertising, profiling, or automated decision-making.

4. Third-Party Services

We use a limited number of third-party services to operate Stashmark. Each is selected for privacy, reliability, and EU data residency where possible:

  • Polar.sh - payment processing. Polar acts as our merchant of record and handles all billing data. We do not store your credit card details.
  • Backblaze B2 (EU region) - file storage for screenshots and preserved page PDFs.
  • Resend - transactional email delivery (account verification, password resets).
  • Sentry - error tracking. Captures technical error data (stack traces, request metadata) to help us fix bugs. Does not capture your bookmark content.
  • Grafana Cloud - infrastructure metrics and logs for monitoring service health.
  • Netcup (Germany) - VPS hosting. All application data is stored on servers in Germany.
  • Google OAuth - only if you choose to sign in with Google. We receive your name and email; Google's own privacy policy applies to data Google collects.
  • PostHog - analytics on the marketing website (stashmark.app) only. PostHog is not used in the Stashmark application, browser extension, or mobile app. PostHog respects Do Not Track.

5. Data Storage and Retention

  • Location - all data is stored on servers in Germany (EU). We do not transfer your data outside the European Economic Area.
  • Active accounts - your data is retained as long as your account is active.
  • Account deletion - when you delete your account, all your data (bookmarks, highlights, notes, preserved pages, and account information) is permanently deleted within 30 days.
  • Server logs - retained for up to 30 days, then automatically purged.
  • Backups - encrypted backups may retain data for up to 30 additional days after deletion, after which it is permanently removed.

6. Your Rights

Under the GDPR, you have the following rights regarding your personal data:

  • Access - request a copy of all data we hold about you.
  • Rectification - correct inaccurate data.
  • Erasure - delete your account and all associated data.
  • Data portability - export your bookmarks, highlights, and notes in standard formats (JSON, HTML, CSV).
  • Restriction - request that we limit processing of your data.
  • Objection - object to processing based on legitimate interest.
  • Withdraw consent - for consent-based processing (e.g., Google OAuth), you can withdraw at any time.

To exercise any of these rights, email us at privacy@stashmark.app. We will respond within 30 days. You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) or your local supervisory authority.

7. Cookies

Stashmark uses only essential cookies required for the service to function:

  • Session token - a secure, HTTP-only cookie used to keep you signed in. This is strictly necessary for authentication and does not track you across websites.

We do not use advertising cookies, social media tracking pixels, or third-party analytics cookies in the application. Because we only use strictly necessary cookies, no cookie consent banner is required under the ePrivacy Directive.

The marketing website (stashmark.app) uses PostHog for anonymous, aggregated analytics. PostHog respects Do Not Track browser settings.

8. Security

We take the security of your data seriously:

  • All connections are encrypted with TLS (HTTPS).
  • Passwords are hashed with Argon2id, a memory-hard hashing algorithm.
  • Two-factor authentication (TOTP) is available for all accounts. 2FA secrets are encrypted with AES-256-GCM at rest.
  • Recovery codes are individually hashed with Argon2id.
  • Sessions are managed server-side with secure, HTTP-only tokens.
  • Database access is restricted and monitored.

If you discover a security vulnerability, please report it to security@stashmark.app.

9. Children

Stashmark is not intended for children under 16 years of age, in accordance with the Dutch Uitvoeringswet AVG (UAVG). We do not knowingly collect personal data from children under 16. If we become aware that a child under 16 has provided us with personal data, we will delete it promptly.

10. Changes to This Policy

We may update this privacy policy from time to time. If we make material changes, we will notify you by email or by displaying a prominent notice in the application. The "Last updated" date at the top reflects the most recent revision.

11. Contact Us

For privacy-related questions or to exercise your data rights: