Privacy Policy

Stash · effective 2026-05-19 · last updated 2026-05-19

Stash is a single-owner cloud note-vault. This page describes what data Stash collects, how it's used, and the choices you have. It applies to both the web PWA at stashvault.cc and any future native iOS app submitted to the App Store.

What we collect

• Account info — email address (for sign-in only).
• Vault content — every note, link, file, image, and voice memo you save, plus folders, tags, favorites, sub-accounts you create. Stored in your private Supabase project with row-level security so only you (and any sub-accounts you grant access to) can read it.
• Usage metadata — timestamps, last-viewed-at, view counts on shared links. Used to power "Recents" and link-expiry logic.
• Diagnostics — anonymized crash reports and performance traces via Sentry. We never include vault content in error reports.

What we don't collect

• No analytics scripts, no third-party trackers, no ads.
• No location data, no contacts, no device identifiers beyond what's strictly required for session auth.
• No use of your vault content to train AI models — period.

AI features

When you opt-in to AI operations (summarize, rewrite, ask-my-notes), the relevant note text is sent to Anthropic's Claude API over an authenticated request from Stash's server. Anthropic's terms apply to that request. We don't store any AI response server-side beyond per-month usage counters for cost caps. You can disable AI per-feature in settings.

Public sharing

Items you explicitly share via "Share" become readable by anyone with the link until you delete the link or its expiry date passes. The link's view-count is visible to you. Anonymous viewers see only the single item — never your other notes, your email, or your account.

Data location

All data is stored in Supabase's us-west-1 region. The PWA's static assets are served by Vercel's global edge. No third-party processors beyond Anthropic (for AI calls you initiate) and Sentry (for crash diagnostics).

Your rights

• Export your vault — Settings → Export downloads a full JSON archive of everything you've saved.
• Delete your account — Settings → Account → Delete account. All your data is irreversibly removed within 24 hours.
• Lock individual notes — sensitive items can be password-locked; the password hash is stored alongside the item but the plaintext password never leaves your device.

Children's privacy

Stash is rated 4+ but is not directed at children under 13. We don't knowingly collect personal information from children under 13.

Changes to this policy

If we materially change how Stash handles your data, the new policy will be posted at this URL with a new "last updated" date. Substantive changes will be surfaced in-app.

Contact

Stash is operated as a personal project by Kevin Leakes. Reach out at kleakes3@gmail.com for any privacy question or data-deletion request.