Privacy policy
Last updated: 2026-05-16
Bookmark Minder is a subscription product. You pay a flat fee; we store your bookmarks. We have no advertising business, no data-brokering side deals, and no interest in profiling you. This policy explains exactly what we collect, why, and what we do not do.
What we collect
Account data
Your email address and the display name you choose. We use your email address to send magic-link sign-in emails and, if you subscribe, receipts from Stripe. Nothing else.
Bookmark data
The URLs, titles, notes, and tags you save — the whole point of the service. For Standard collections this data is stored in readable form so the server can run search and AI features on your behalf. For Private (E2EE) collections it never leaves your device unencrypted; see the section below.
Operational logs
We log authentication events, quota checks, imports, exports, and errors. These logs exist so we can debug problems and detect abuse. IP addresses in these logs are never stored raw: before writing to the database, we truncate each address to its /24 subnet (e.g. 203.0.113.x) and then apply an HMAC-SHA-256 keyed with a secret that rotates. The result is a one-way fingerprint we can use to correlate events during an incident, not a number you can reverse back to a person: as long as the key stays secret, the fingerprint cannot be turned back into an address. User-agent strings are hashed the same way. Logs are retained for 90 days.
Session data
When you sign in, we create a 30-day session. The session token is stored as a SHA-256 hash — not the raw token — so a database compromise does not yield usable bearer tokens. Each session is bound to the IP /24 range and user-agent hash recorded at sign-in; a mismatch automatically revokes it. You can view and revoke all active sessions from Settings → Security.
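The two mechanisms described above (keyed IP and user-agent fingerprints in the operational logs, and sessions stored as a token hash bound to those fingerprints) fit in one small sketch. The Python below is an added example written for this page, not Bookmark Minder's own code. The key table, the in-memory stores standing in for D1, the `k<id>:` key-id prefix on fingerprints, and the /48 treatment of IPv6 addresses are all assumptions; the policy itself only specifies /24 truncation, HMAC-SHA-256 with a rotating key, SHA-256 token storage, and revocation on mismatch.

```python
import hashlib
import hmac
import ipaddress
import secrets

# Constructed rotating-key table (key id -> secret). In a real deployment the
# secrets would live in a secrets store, never in the database beside the logs.
FINGERPRINT_KEYS = {
    1: bytes.fromhex("a1" * 32),   # older key, about to be retired
    2: bytes.fromhex("b2" * 32),   # current key
}
CURRENT_KEY_ID = 2

SESSION_TTL = 30 * 24 * 3600      # 30-day sessions, as in the policy
LOG = []                          # stands in for the operational-log table
SESSIONS = {}                     # sha256(token) -> session record


def truncate_ip(addr: str) -> str:
    """Drop the host part: 203.0.113.77 -> 203.0.113.0/24. The policy only
    describes /24 for IPv4; using /48 for IPv6 is this example's assumption."""
    ip = ipaddress.ip_address(addr)
    prefix = 24 if ip.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def fingerprint(value: str, key_id: int = CURRENT_KEY_ID) -> str:
    """Keyed one-way fingerprint. The 'k<id>:' prefix (an assumption) records
    which key was used, so records written under an older key stay matchable
    until that key is retired. Without the key the /24 space cannot be
    recovered from the MAC; with the key it is small enough to enumerate,
    which is why the key must stay out of the log store and rotate."""
    mac = hmac.new(FINGERPRINT_KEYS[key_id], value.encode(), hashlib.sha256)
    return f"k{key_id}:{mac.hexdigest()}"


def fingerprint_matches(stored: str, value: str) -> bool:
    """Recompute under the key the stored fingerprint names. If that key has
    been retired the stored value can no longer be checked: treat as mismatch."""
    key_tag, _, _ = stored.partition(":")
    key_id = int(key_tag[1:])
    if key_id not in FINGERPRINT_KEYS:
        return False
    return hmac.compare_digest(stored, fingerprint(value, key_id))


def log_event(event: str, ip: str, user_agent: str, detail: str = "") -> dict:
    """Write a log record that never contains the raw address or UA string."""
    record = {
        "event": event,
        "ip_fp": fingerprint(truncate_ip(ip)),
        "ua_fp": fingerprint(user_agent),
        "detail": detail,
    }
    LOG.append(record)
    return record


def _token_hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def create_session(user_id: str, ip: str, user_agent: str, now: int) -> str:
    """Hand the bearer token to the client; store only its SHA-256 hash plus
    the fingerprints the session is bound to."""
    token = secrets.token_urlsafe(32)
    SESSIONS[_token_hash(token)] = {
        "user": user_id,
        "ip_fp": fingerprint(truncate_ip(ip)),
        "ua_fp": fingerprint(user_agent),
        "expires": now + SESSION_TTL,
    }
    log_event("sign_in", ip, user_agent)
    return token


def resolve_session(token: str, ip: str, user_agent: str, now: int):
    """Map a presented token to a user id, or None. A bound-context mismatch
    revokes the session outright rather than just rejecting the request."""
    h = _token_hash(token)
    rec = SESSIONS.get(h)
    if rec is None:
        return None
    if now >= rec["expires"]:
        del SESSIONS[h]
        return None
    if not (fingerprint_matches(rec["ip_fp"], truncate_ip(ip))
            and fingerprint_matches(rec["ua_fp"], user_agent)):
        del SESSIONS[h]
        log_event("session_revoked", ip, user_agent, detail="binding mismatch")
        return None
    return rec["user"]


if __name__ == "__main__":
    UA = "Mozilla/5.0 (constructed sample)"
    tok = create_session("user-42", "203.0.113.77", UA, now=1_000_000)
    print(resolve_session(tok, "203.0.113.9", UA, now=1_000_100))   # user-42 (same /24)
    print(resolve_session(tok, "198.51.100.5", UA, now=1_000_200))  # None (revoked)
    print(LOG[-1]["event"])                                          # session_revoked
```

Two details worth noticing: the session record stores the fingerprint, not the /24 itself, so a database dump gives neither usable tokens nor subnets; and because the fingerprint names its key, rotating the HMAC key does not sign everyone out, while retiring a key does revoke any session still bound under it on its next request.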
Operational metrics
We use Cloudflare Analytics Engine — Cloudflare's built-in, first-party metrics product — to record aggregate counters: sign-ins, bookmark creates, quota trips, import completions, and error rates. These are operational metrics used to monitor the service. They are not shared with any third party and are not used to build a profile of you.
Billing data
If you subscribe, payment is handled entirely by Stripe. We never receive or store card numbers, bank details, or billing addresses. Stripe is a data processor under this policy; see the subprocessors page for details.
Private collections — client-side E2EE
When you mark a collection as Private, your bookmark titles, URLs, notes, and tags are encrypted on your device before they leave it. The encryption key is derived from your master passphrase using a key-stretching function; the passphrase itself is never transmitted to our servers. We store only ciphertext. We cannot read your Private collections. We cannot hand their contents to a third party or government. If you lose your passphrase and your Recovery Kit, the data is gone — there is no server-side recovery path.
Shared Private items use a fragment-key scheme: the decryption key travels in the URL fragment, which is not sent to our server. The recipient's browser decrypts locally.
What we do not do
- We do not sell your data to anyone, for any purpose.
- We do not share your bookmarks with advertisers, data brokers, or analytics companies.
- We do not track your browsing outside of Bookmark Minder.
- We do not use third-party analytics scripts (no Google Analytics, Mixpanel, Segment, or equivalent).
- We do not use your bookmarks to train AI models without your explicit opt-in. AI features run on infrastructure we control; your data does not go to an external LLM provider unless you enable that option and are shown a clear disclosure before it happens.
- We do not show ads or sponsored results.
Cookies
We set one session cookie when you sign in. It holds a reference to your server-side session and is marked HttpOnly, Secure, and SameSite=Lax. We do not set tracking cookies, advertising cookies, or analytics cookies of any kind.
Data storage and subprocessors
Your data is stored on Cloudflare's infrastructure (D1 database, R2 object storage, Workers KV). Cloudflare operates globally distributed data centers; data may be replicated across regions for availability. Transactional email (magic-link sign-in, receipts) is sent via Brevo. See the subprocessors page for the complete list with links to each provider's data processing terms.
Data retention
We keep your data for as long as your account is active. When you delete your account:
- Standard deletion: data is purged within 90 days.
- Immediate deletion (available in account settings): data is purged within 24 hours.
Backup copies held in R2 are deleted within 30 days of the primary deletion. Audit log entries referencing your account are anonymized (the member ID is nulled) at purge time; the hashed operational records are retained for the remainder of their 90-day window.
Your rights
You can export all your data (bookmarks, collections, tags, settings) at any time from Settings → Export. The export is a standard JSON file. You can delete your account at any time from Settings → Account. Both actions are available without contacting us.
If you are in the EU or UK, you also have rights under GDPR/UK GDPR: access, rectification, erasure, restriction, portability, and objection. To exercise any of these, email [email protected]. We will respond within 30 days.
Security
All traffic is served over TLS. Session tokens are stored hashed. IP addresses are truncated to /24 and keyed-hashed before logging. Private collections are encrypted client-side. We run Cloudflare's WAF and Bot Fight Mode at the edge. Rate limiting on authentication endpoints is enforced both at the edge and in the application layer.
If you discover a security vulnerability, please email [email protected]. We do not have a formal bug bounty program but we take disclosures seriously.
Changes to this policy
If we make a material change — new data collected, new subprocessor, change in retention — we will email you at least 30 days before it takes effect. Minor clarifications (grammar, formatting, non-substantive rewording) may be made without notice; the "last updated" date above will reflect any change.
Contact
Privacy questions: [email protected]