Privacy Policy

The Data Controller for the personal data collected through the Stash application is [NOME COGNOME] (hereinafter "the Controller").

For any questions regarding the processing of personal data, you may contact the Controller at [email protected].

In the course of providing the service, Stash collects and processes the following categories of personal data:

Account data: email address, display name, authentication tokens, and user preferences (theme, language, search settings).

Saved content: links, text notes, images, documents (PDFs), user-assigned tags, and collection organization.

Automatically extracted data: web page metadata (title, description, preview image), text extracted from pages and PDF documents, text recognized in images via OCR, audio content transcriptions, and content extracted from social media platforms (Instagram, TikTok, Twitter/X, LinkedIn).

Waitlist data: email address, preferred language, registration source, and country of origin (derived from IP address).

Subscription data: plan type, purchase receipts, and usage quotas.

Technical data: IP address, device information (source app, source device), and request logs.

The personal data collected is processed for the following purposes:

Service delivery: enabling the saving, searching, and organizing of your personal content, including text, semantic, and hybrid search.

AI/ML processing: generating vector representations (embeddings) of content, optical character recognition in images, and audio content transcription, solely for the purpose of making your content searchable.

Account management: creating and maintaining your user account, authentication, and preference management.

Waitlist management: collecting and managing waitlist sign-ups for the service launch.

Subscription management: processing subscription plans, verifying purchase receipts, and monitoring usage quotas.

Security and fraud prevention: protecting the service from unauthorized access, cyber attacks, and misuse.

We do not sell or share your personal data with third parties for marketing or advertising purposes. We do not display ads. Your data is used exclusively to provide you with the service.

The processing of personal data is based on the following legal grounds under Article 6 of the GDPR:

Contract performance (Art. 6(1)(b)): processing is necessary for the performance of the service agreement with the user. This includes account creation and management, content saving and search, AI/ML processing (embeddings, OCR, transcription), and subscription management.

Consent (Art. 6(1)(a)): the collection of email addresses for the waitlist is based on the user's explicit consent, which may be withdrawn at any time.

Legitimate interest (Art. 6(1)(f)): processing for security and fraud prevention purposes is based on the Controller's legitimate interest in protecting the service and user data.

Stash uses artificial intelligence models for semantic search (embedding generation), image text recognition (OCR), and audio transcription. All processing takes place on our servers in the European Union.

No user content is shared with external AI providers for model training. We do not perform automated decision-making with legal effects under GDPR Article 22.

To provide the Service, your data may be processed by the following main processors:

Microsoft Azure (Microsoft Corporation) — hosting, database, and cloud infrastructure, located in the European Union (West Europe).

Cloudflare (Cloudflare Inc.) — CDN, DDoS protection, and website hosting.

We also use providers in the following categories: authentication services, web and social media content extraction services, in-app subscription management services, audio transcription services. These providers process data solely on our behalf and in compliance with GDPR.

A complete and up-to-date list of data processors is available upon request by writing to [email protected].

Some of the providers we use are based in the United States of America. Transfers of personal data to such parties are carried out on the basis of Standard Contractual Clauses (SCCs) approved by the European Commission or other mechanisms provided for by GDPR.

The Controller is committed to ensuring that all international transfers of personal data comply with the safeguards set out in Chapter V of the GDPR.

Personal data is retained for the following periods:

Active account data: data is retained for the entire duration of the account's activity. Users may request account deletion at any time.

Deleted accounts: after account deletion, data is retained for a period of 30 days, after which it is permanently erased.

Waitlist sign-ups: waitlist data is retained for a maximum of 180 days (6 months) from the date of registration, after which it is automatically deleted.

System logs: technical logs are retained for 30 days through Azure Log Analytics.

Under the GDPR, you have the right to:

Access (Art. 15): obtain confirmation of the processing of your personal data and access related information.

Rectification (Art. 16): obtain the correction of inaccurate personal data or the completion of incomplete data.

Erasure (Art. 17): obtain the deletion of your personal data in the cases provided for by law.

Restriction (Art. 18): obtain the restriction of processing in the cases provided for by law.

Data portability (Art. 20): receive your personal data in a structured, commonly used, and machine-readable format. Stash provides a data export feature via the GET /api/users/me/export endpoint.

Objection (Art. 21): object to the processing of your personal data on grounds relating to your particular situation.

Withdrawal of consent (Art. 7(3)): withdraw at any time the consent given for waitlist registration, without affecting the lawfulness of processing based on consent given prior to its withdrawal.

Complaint (Art. 77): lodge a complaint with the competent supervisory authority (see the Contact & Complaints section).

To exercise your rights, you may send a request to [email protected] or use the export and deletion features available directly within the application.

The Controller implements appropriate technical and organizational measures to protect personal data from unauthorized access, loss, destruction, or damage. These include:

Encryption of data in transit via TLS protocol; encrypted database connections; JWT-based authentication; rate limiting on access attempts; parameterized queries for SQL injection prevention; role-based and permission-based access controls.

Stash does not use profiling cookies, tracking pixels, or cookie-based analytics tools. We do not monitor your browsing behavior.

Cloudflare, which hosts our website, may set strictly necessary technical cookies for security purposes (DDoS protection). These cookies do not track your activity and are not used for marketing purposes.

The iOS app does not use any cookies.

The Stash service is not directed at children under the age of 16. The Controller does not knowingly collect personal data from children under 16.

If the Controller becomes aware that personal data from a child under 16 has been collected without the consent of a parent or legal guardian, such data will be deleted as promptly as possible. In such cases, please contact the Controller at [email protected].

The Controller reserves the right to amend this privacy policy at any time. Significant changes will be communicated to users through appropriate channels.

Continued use of the service after changes have been published constitutes acceptance of the updated policy. The effective date is indicated at the top of this document.

For any questions, requests, or complaints regarding the processing of personal data, you may contact the Controller at [email protected].

You also have the right to lodge a complaint with the Garante per la Protezione dei Dati Personali, the Italian supervisory authority for data protection. For more information, visit garanteprivacy.it.