Browser Extension · Legal

Privacy Policy

Last updated: May 14, 2026

StashSync ("we", "the extension") is a personal knowledge tool that lets you save, organize, and sync notes, bookmarks, and file attachments from a Chrome side panel. This policy explains what data we collect, how we store it, and the choices you have.

Data we collect

  • Account information — your name and email address, collected by our authentication provider (Clerk) when you sign in.
  • Content you create — notes, bookmarks, tags, stashes, and file attachments that you explicitly save in the extension.
  • Page metadata — when you choose to bookmark a page, we read its URL, title, and Open Graph tags (description, image, site name) so the saved bookmark has a useful preview.
  • Authentication tokens — a short-lived JWT issued by Clerk, cached locally and refreshed automatically so you stay signed in.

We do not collect browsing history, analytics, telemetry, keystrokes, form data, or the contents of pages you do not explicitly bookmark.

How we store data

  • Locally, in the browser's IndexedDB, via the y-indexeddb library. This is what makes the extension work offline.
  • Remotely, on a Cloudflare Worker running y-partyserver, which synchronizes your encrypted Yjs document across your signed-in devices.
  • File attachments are stored in Cloudflare R2 and served back to you over authenticated HTTPS requests.
  • Authentication is handled by Clerk; we never see or store your password.

Sharing

We do not sell, rent, or share your data with third parties. Data is transmitted only between (a) your browser, (b) our sync server, and (c) our authentication provider (Clerk). We do not use your data for advertising, profiling, or training machine-learning models.

Data deletion

  • You can delete individual notes, bookmarks, tags, or files from within the extension.
  • To delete your account and all associated data, contact us at the email address below; we will remove your records from the sync server and storage within 30 days.
  • Uninstalling the extension removes the local IndexedDB copy but does not delete remote data.

Security

All network traffic uses TLS. Authentication tokens are short-lived (≈60 seconds) and refreshed automatically. Access to your synced data requires a valid signed token tied to your account.

Children

StashSync is not directed to children under 13 and we do not knowingly collect data from them.

Changes

We may update this policy from time to time. Material changes will be reflected by the "Last updated" date above.

Contact

Questions or deletion requests:

StashSync

Email: jaironlanda@gmail.com

Website: stashsync.app