Privacy Policy

We collect only what we need to run the Service:

• Account data — your email address and a securely hashed password, or, if you choose “Continue with Google”, the name, email, and avatar your Google profile returns. We never receive your Google password.
• Content you save — the URLs you save, the article text and metadata we fetch from them, your highlights, notes, AI summaries, and the vector embeddings used to resurface them. This is content you choose to add; we do not scan your browsing.
• Usage data — save and surfacing counts (to enforce free-tier limits), your subscription tier, and feature interactions.
• Technical data — IP address, user-agent, request paths and timestamps in server logs, and error diagnostics, used for security, rate-limiting, and debugging.
• Payment data — if you subscribe, Stripe processes your card. We store only your Stripe customer/subscription identifiers and tier — never full card numbers.

We do not intentionally collect special-category data (health, religion, etc.). Please don’t save such content unless you’re comfortable storing it.

• Provide the Service — saving, parsing, summarising, searching, and resurfacing your content. Basis: performance of our contract with you.
• AI processing — saved article text is sent to our AI sub-processors to generate summaries and embeddings (see §4). Basis: contract / legitimate interests.
• Security & abuse prevention — rate-limiting, fraud and SSRF protection, and logging. Basis: legitimate interests / legal obligation.
• Billing — processing subscriptions. Basis: contract / legal obligation.
• Communications — transactional email (sign-in, receipts) on the basis of contract; any product or marketing email only with your consent, which you can withdraw at any time.

We do not use your data for automated decision-making that produces legal or similarly significant effects, and we do not use it to train our own foundation models.

To make saved content useful, the article text is sent to Groq to produce a short summary, and to a Supabase Edge Function to produce a numeric embedding for semantic search. These providers process the content to return a result to us and do not use your content to train their models for that API tier. If AI processing is unavailable, RECALL falls back to a local, non-AI placeholder so your save never fails.

We share data only with vendors that process it on our behalf to run the Service:

• Supabase — database, authentication, storage, and embedding edge function.
• Vercel — application hosting and content delivery.
• Groq — AI summarisation of saved article text.
• Stripe — payment processing (only if you subscribe).
• Resend — transactional email delivery.
• Sentry — error monitoring (when enabled).
• Google — identity (only if you choose Google sign-in) and, with your consent, Google Analytics 4 usage analytics.

We do not sell your personal data and do not “share” it for cross-context behavioural advertising as those terms are defined under CCPA/CPRA. We may disclose data if required by law or to protect our rights, users, or the public.

Our sub-processors may process data in the United States and other countries. Where data leaves the EEA, UK, or India, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses and equivalent measures, and only use providers that commit to adequate protection.

We keep your account and saved content for as long as your account is active. When you delete content, or your account, it is removed from our live systems promptly and from routine backups within 30 days. Security and transaction logs are kept for a limited period as needed for security and legal compliance, then deleted or anonymised.

Data is encrypted in transit (HTTPS/TLS). Access is restricted by row-level security so each account can only reach its own rows, and server credentials are scoped and secret. No system is perfectly secure, but we work to protect your data and will notify you and the relevant authority of a qualifying breach as required by law.

Depending on where you live, you have some or all of these rights:

• Access a copy of your data and information about how we use it.
• Correct inaccurate data and delete your data (“right to be forgotten”).
• Port your data to another service in a machine-readable format.
• Restrict or object to certain processing, and withdraw consent at any time.
• Opt out of any sale/share of personal data (we do neither) and not be discriminated against for exercising your rights (CCPA/CPRA).
• Nominate another person to exercise your rights, and seek grievance redressal (DPDP).

To exercise any right, email privacy@recall.everture.ai. We’ll respond within the timeframe your law requires (generally 30 days). You can also access and delete most data yourself from your account settings. EU/UK users may complain to their data protection authority; Indian users may escalate to the Data Protection Board of India.

RECALL is not directed to children. You must be at least 18 years old (or the age of majority where you live) to use the Service. We do not knowingly collect data from children; if you believe a child has provided us data, contact privacy@recall.everture.ai and we will delete it.

We use essential cookies needed to keep you signed in and secure the Service. We do not use advertising or cross-context behavioural-advertising cookies.

To understand which pages and flows work (and where people get stuck), we use Google Analytics 4. It sets analytics cookies and records page views plus a few product events (for example, a save or an upgrade click), and may associate them with a pseudonymous identifier so we can measure a journey across sessions. Because these analytics cookies are not strictly necessary, we ask for your consent before they run — Google Consent Mode starts denied until you accept, and you can decline or change your mind at any time. We enable IP anonymisation; Google acts as our processor and may transfer data to the United States under its EU–US Data Privacy Framework certification. You can opt out via the consent prompt, a browser/Google Analytics opt-out, or by emailing privacy@recall.everture.ai.

We may update this policy as the Service evolves. We’ll change the “Effective” date above and, for material changes, notify you by email or in-app before they take effect.

Questions, requests, or complaints: privacy@recall.everture.ai. Everture is finalising its corporate registration; this policy will be updated with our registered legal entity and, where required, our EU/UK representative and India grievance officer details. Until then, the contact above is our designated point for all privacy and grievance matters.