Last updated: April 23, 2026
DevStash ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our read-it-later application for developers. Our Terms of Use apply to your use of the Service and are incorporated by reference where relevant.
When you sign in with GitHub, we receive the following information from GitHub OAuth:
We use JSON Web Tokens (JWTs) for session management. Session tokens are stored in your browser and are used to authenticate your requests to the Service.
Your bookmarks (URLs, titles, descriptions, notes, tags, folders, and related metadata) are stored in Supabase, a cloud database platform. Access to your rows is enforced with Supabase Row Level Security (RLS) so that only you can access your own data.
When you add or refresh a bookmark, our servers may request the bookmarked URL (and in some cases related endpoints, such as oEmbed or structured JSON APIs) to retrieve titles, descriptions, thumbnails, or favicons. Those third-party sites may see requests from our infrastructure as part of providing previews. We do not control their privacy practices.
We use OpenReplay to record how the Service is used in the browser (for example interactions and technical context) to debug issues and improve the product. Recordings may be associated with your internal user identifier (Supabase user ID). OpenReplay processes this data on our behalf; see their documentation and privacy materials for details.
We use Google Analytics (Google LLC) on our marketing site and web application to understand how visitors and users interact with pages (for example page views, general traffic, and device or browser information). Google Analytics may set cookies or use similar technologies and may collect or process IP addresses and identifiers in accordance with Google's policies. You can learn more in Google's Privacy Policy and use Google's opt-out tools or your browser settings to limit analytics cookies where available.
Certain features send content to OpenAI (for example when generating or refining bookmark metadata, or when you use AI-assisted search or chat about your bookmarks). That may include bookmark titles, descriptions, URLs, tags, and messages you submit in those flows. OpenAI processes such content under its terms and policies as a subprocessor.
If you use the feedback form, we collect the name, email address, and message you provide so we can respond and improve the Service.
We use the information we collect to:
Your bookmark data is stored in Supabase. Row Level Security (RLS) restricts access so that, under normal operation, only you can read and modify your bookmarks. Supabase provides encryption in transit and at rest as described in their documentation; RLS itself is an access-control mechanism, not encryption.
Session data is stored as JSON Web Tokens (JWTs) in your browser. These tokens are used for authentication and session management.
We use browser storage and cookies (or similar mechanisms) required for authentication and sessions, including Supabase and JWT-related storage. OpenReplay may use its own cookies or local storage to associate recordings with sessions. Google Analytics may set first-party or related cookies to measure traffic and usage. You can control cookies through your browser settings; disabling some of them may limit sign-in or app functionality or affect analytics accuracy.
We use the following categories of third-party services:
We disclose information to these providers only as needed to operate the Service. Each has its own privacy policy governing how it handles data on our behalf. We do not sell your personal information.
Session tokens remain valid until you sign out or they expire. Your bookmark data remains in Supabase until you delete it or request deletion. OpenReplay retains replay data according to OpenReplay's settings and policies. Google Analytics data is retained according to our configuration and Google's data policies. Feedback email content is retained as needed for support and operations.
You may:
If you are in the European Economic Area, United Kingdom, or other regions with privacy laws, you may have additional rights (such as to object to or restrict certain processing, or to lodge a complaint with a supervisory authority). Contact us and we will respond in line with applicable law.
We implement appropriate technical and organizational measures to protect your information. However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your information, we cannot guarantee absolute security.
DevStash is not intended for children under the age of 13. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us.
We and our subprocessors may process and store information in the United States and other countries where we or they operate. Those countries may have different data protection rules than your country. Where required, we rely on appropriate safeguards (such as standard contractual clauses) or other lawful transfer mechanisms described by our vendors.
We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last updated" date. You are advised to review this Privacy Policy periodically for any changes.
If you have any questions about this Privacy Policy, please contact us at @_davidnemes on X (Twitter).