Privacy Policy

Last updated: 27 March 2026

1. Introduction

This Privacy Policy explains how Bookmarks Pal collects, uses, stores, and shares information about you when you use our Service. We are committed to handling your data with transparency and care.

Data controller: Flow Inc Studios Un Ltd, 128 City Road, London, United Kingdom, EC1V 2NX (Company No. 13612261).

If you are located in the European Economic Area (EEA) or the United Kingdom, this policy complies with the General Data Protection Regulation (GDPR) and the UK GDPR.

2. Minimum Age

The Service is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe a child under 16 has provided us personal data, please contact us and we will delete it promptly.

3. Data We Collect

3.1 Account data

When you register, we collect your email address and a securely hashed version of your password (we never store your password in plain text and cannot recover it).

3.2 Bookmark data

When you import bookmarks or sync your browser's bookmark tree, we store:

  • Your bookmark folder structure and bookmark URLs/titles
  • Your review session state (which bookmarks you have kept, deleted, or moved)
  • Pending changes awaiting commit to your browser

Guest-mode data is stored only in your browser (localStorage / sessionStorage) and is never sent to our servers.

3.3 Technical data

Our server infrastructure automatically logs:

  • IP address (used for rate limiting and security)
  • Browser type and version (from the User-Agent header)
  • Request timestamps and HTTP status codes

These logs are retained for 30 days and are not used for profiling.

3.4 Payment data

We do not store your payment card details. Payments are processed by Stripe. We receive from Stripe only a subscription status, plan identifier, and customer ID. Stripe's own privacy policy applies to the payment transaction.

3.5 Analytics data (with your consent)

If you consent via the cookie banner, we use PostHog to collect anonymised product analytics: which features you use, how often you complete sessions, and general usage patterns. This data does not include the content of your bookmarks.

4. Legal Basis for Processing (GDPR)

Data         | Legal basis
Account data | Contract — necessary to provide the Service
Bookmark data | Contract — core functionality of the Service
Payment data | Contract — processing your subscription
Server logs  | Legitimate interest — security, abuse prevention
Analytics    | Consent — only after you accept via the cookie banner

5. Cookies and Local Storage

Essential (always active)

  • Refresh token cookie — an HttpOnly, Secure cookie that keeps you signed in. Set by our server; cannot be read by JavaScript. Expires after 30 days of inactivity.
  • Appearance preferences — theme, font, and text size stored in localStorage. Contains no personal data.
  • Session state — guest-mode review progress stored in sessionStorage. Cleared when you close the tab.

Analytics (consent required)

  • PostHog — collects anonymised usage events when you accept analytics. You can withdraw consent at any time via the cookie settings link in the footer.

6. Data Sharing and Sub-processors

We do not sell your data. We share it only with the following sub-processors, each bound by data processing agreements:

Processor           | Purpose                           | Location
Amazon Web Services | Hosting, database, infrastructure | USA (SCCs apply)
Stripe              | Payment processing                | USA / EU
Sentry              | Error tracking                    | USA (SCCs apply)
PostHog             | Product analytics (consent only)  | EU or USA (your choice)

SCCs = Standard Contractual Clauses, the EU-approved mechanism for international data transfers.

7. Data Retention

  • Account and bookmark data is retained for as long as your account is active.
  • When you delete your account, all personal data is permanently deleted within 30 days.
  • Server access logs are retained for 30 days.
  • Stripe retains payment records as required by financial regulations (typically 7 years).
  • Analytics data is retained for 12 months, then aggregated or deleted.

8. Your Rights

Under GDPR and similar laws, you have the right to:

  • Access — request a copy of the personal data we hold about you
  • Rectification — correct inaccurate data
  • Erasure — request deletion of your data ("right to be forgotten")
  • Portability — receive your data in a machine-readable format (bookmark export is available from your account)
  • Restriction — ask us to limit how we process your data
  • Objection — object to processing based on legitimate interest
  • Withdraw consent — at any time, for analytics cookies, without affecting prior processing

To exercise any of these rights, email bookmarks.pal+legal@flowinc.studio. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.

9. Security

We implement appropriate technical and organisational measures to protect your data, including encryption at rest and in transit, access controls, and regular security reviews. However, no system is completely secure. If we become aware of a data breach that affects your rights, we will notify you and the relevant supervisory authority as required by law.

10. Changes to this Policy

We may update this Privacy Policy to reflect changes in our practices or applicable law. We will post the updated policy with a new "last updated" date. For material changes, we will notify registered users by email.

11. Contact

For any privacy-related questions or to exercise your rights, contact us at: bookmarks.pal+legal@flowinc.studio

Bookmarks Pal is a product of Flow Inc Studios Un Ltd, registered in England & Wales (No. 13612261). Registered office: 128 City Road, London, United Kingdom, EC1V 2NX.