Privacy Policy

TL;DR

• We store your account (email and name from Google), the links you save, the AI summaries we generate for them, and basic usage counts.
• We don’t sell your data, we don’t train AI on it, and we don’t read your links ourselves.
• To make summaries, we send the page content to Cloudflare’s Workers AI service (running Meta’s Llama 3.3 model). It runs on Cloudflare infrastructure — the content doesn’t leave Cloudflare for this step. The Pro chat feature is different: it goes through OpenRouter to Google Gemini.
• You can export everything and delete your account at any time. Delete means delete.
• If you live in the EU/UK or California, you have specific legal rights — see “Your rights” below.

Who we are

Cloudstash is operated by Phantom Edtech LLC, a Wyoming limited liability company:

We’re the data controller for the information described here.

What we collect

Account information. When you sign in with Google, we receive your email address, your name, and your Google account ID. We don’t get access to your Gmail, Drive, Calendar, or anything else in your Google account.

The links you save. The URL, the page title and metadata, any tags you add, the AI-generated summary, and timestamps. If you save through Telegram, Raycast, the iOS Shortcut, the Chrome extension, or X bookmarks, the link arrives the same way.

Content fetched from links. When you save a link, our server fetches the page so we can extract the title, a description, and the text we send to the AI for summarization. The summary itself is generated on Cloudflare Workers AI — content for summaries doesn’t leave Cloudflare infrastructure. We don’t store the full page — only what’s needed for the summary and a small metadata snapshot.

Usage information. Cloudflare Analytics Engine records counts of in-app events tied to your user ID (for example, how many links you’ve saved this month) so we can enforce plan limits and understand what’s used.

Technical information. Standard server logs (IP address, user agent, timestamps) generated by Cloudflare. These are short-lived and used for security, abuse prevention, and debugging.

Analytics scripts. Every page on cloudstash.dev currently loads two scripts in the browser: Meta Pixel (a Facebook tracking script used to measure ads) and OneDollarStats (a lightweight page-view counter we use to see traffic). Both run on the public pages and inside the signed-in app. They record that a browser visited a page; they don’t see the contents of your archive. We’re working to scope Meta Pixel to the marketing pages only — until then, treat the app as if a third-party page-view counter is watching, because one is.

What we don’t collect

• We don’t read your links manually.
• We don’t sell your data.
• We don’t use your links, summaries, or chats to train any AI model — ours or anyone else’s.
• We don’t take your payment card details ourselves — those go straight to Stripe (see “Who we share data with” below).
• We don’t share data with advertisers other than the Meta Pixel page-visit signal described above.

Why we collect it (legal bases under GDPR)

If you’re in the EU, UK, or Switzerland, we rely on these legal bases:

• Performance of a contract — we need your account and your saved links to actually run the service.
• Legitimate interests — protecting against abuse, improving the product in aggregate, measuring marketing.
• Consent — where we ask for it (for example, optional emails).
• Legal obligation — when the law requires us to keep or share information.

Who we share data with

We use a small number of vendors (“sub-processors”) to run the service. We share only what each one needs:

• Cloudflare, Inc. — hosting, database, storage, edge cache, and the Workers AI service that generates your link summaries. Everything you store with us is on Cloudflare infrastructure.
• Google LLC (Sign in with Google) — the OAuth handshake when you sign in. We receive your email, name, and Google user ID.
• OpenRouter, Inc. — used only for the Pro chat-with-your-archive feature. If you’re on Pro and you chat with your archive, your messages are routed through OpenRouter. Free and Plus users never hit OpenRouter.
• Google LLC (Gemini) — the AI model behind the Pro chat feature, reached through OpenRouter. Free and Plus summaries don’t go through Gemini.
• Stripe, Inc. — subscription billing. Your card details go directly to Stripe and are never seen or stored by Cloudstash. We share your email, name, and billing details when you subscribe.
• Telegram FZ-LLC — only if you connect the Cloudstash Telegram bot. It receives the messages you send to the bot.
• Meta Platforms, Inc. — Meta Pixel for ad measurement. It currently fires on every page on cloudstash.dev, including pages inside the signed-in app. It receives the fact that a browser visited a URL on our domain; it does not see your archive contents.
• OneDollarStats — a lightweight page-view counter that runs on every page. It records anonymous visit counts so we can see traffic without running a heavy analytics product.

Where required, we sign Data Processing Agreements with these vendors. We update this list when we change vendors — material changes are announced via email.

We don’t share your data with anyone else except (a) when you tell us to, (b) when required by law, or (c) if Cloudstash is acquired (we’ll tell you before this happens and you’ll be able to delete your account first).

Where your data lives

Cloudflare runs Cloudstash on its global network. Your data is stored primarily in the United States, with caches served from the Cloudflare edge location closest to you. When data leaves the EU/UK, we rely on Standard Contractual Clauses with our vendors.

How long we keep it

We keep your account and saved links for as long as your account is open.

When you delete your account (Settings → Account → Delete), we:

1. Wipe your archive — links, summaries, tags, chat history — promptly (typically within minutes; longer only if a step has to retry).
2. Remove your account record within 30 days, including any backups still in rotation.

Server logs from Cloudflare typically roll off within 30 days. Aggregated, anonymous usage counts may be kept for analytics.

Cookies and similar storage

We use the minimum cookies and local storage needed to keep you signed in, remember your preferences, and run features like offline sync. Meta Pixel and OneDollarStats set their own cookies in your browser when they run, on both marketing and in-app pages.

We don’t respond to the legacy “Do Not Track” browser signal — no major service does, and the spec was never finalized. Use the in-app controls and Settings → Account → Delete to control your data instead. If you’re a California resident, you can also use the Global Privacy Control browser signal — we treat it as a valid opt-out request under California law.

Your rights

If you live in the EU, UK, or Switzerland, you have the right to:

• Access the data we hold about you.
• Correct it if it’s wrong.
• Delete your account and the data tied to it.
• Receive a copy in a portable format (we have an Export button in-app).
• Restrict or object to how we process it.
• Withdraw consent at any time (for the parts where we relied on consent).
• Complain to your local Data Protection Authority.

If you live in California, you have the right to:

• Know what personal information we collect, why, and who we share it with.
• Request a copy of that information.
• Delete it.
• Not be discriminated against for exercising your rights.

We don’t sell personal information for money. Meta Pixel page-view data may be considered a “share” for cross-context behavioral advertising under California law — if you’re a California resident and you don’t want this, email support@cloudstash.dev or send a Global Privacy Control signal and we’ll treat that as your opt-out.

If you live in Virginia, Colorado, Connecticut, Utah, Texas, or another US state with a consumer privacy law, you have similar rights — typically access, correction, deletion, portability, and the right to opt out of targeted advertising or “sales.” Use the same support email to exercise them.

To exercise any of these rights, email support@cloudstash.dev. We’ll verify your identity and respond within 30 days (up to 45 days for California, extendable once if the law allows).

Children

Cloudstash is not for children under 13, and we don’t knowingly collect data from them. If you’re in the EU, you must be at least 16 to use Cloudstash unless your country has set a lower age (we follow your country’s age of consent for data processing).

Security

We host on Cloudflare, which encrypts data in transit and at rest. We use short-lived access tokens, scoped database queries, and follow standard security practices. No system is perfect — if we ever have a breach that affects you, we’ll notify you without unreasonable delay, and within 72 hours where the law requires it.

Changes

If we change this policy in a way that materially affects your rights, we’ll email you and post a notice in-app. Otherwise we’ll just update the date at the top.

Contact