Legal
Privacy policy
Last updated: 10 June 2026
Who we are
CurioStack is a personal reading and knowledge tool operated as a sole-proprietor product. We are the data controller for everything described below. You can reach us at privacy@curiostack.io.
What we collect
- Account information. When you sign in with Google, LinkedIn, or email/password, we receive your name, email address, and (where the identity provider supplies it) profile picture URL. We never receive your password from the identity provider, only an opaque identifier and the basic profile claims.
- Content you create or save. Saved articles, podcasts, highlights, notes, tags, and follows. This is the data that makes CurioStack useful to you.
- Usage signals. Basic activity such as which items you opened, scroll progress, and dismissals. We use this only to power features like the inbox, weekly digest, and reading history.
- Technical data. Server logs (IP address, user agent, request paths) kept for up to 30 days for debugging and abuse prevention.
How we use it
We use your data solely to operate CurioStack — to authenticate you, render your saves and reading activity, send the digest email if you have it enabled, and improve reliability. We do not sell your data and we do not use it for advertising profiling.
Data received from Google or LinkedIn sign-in (name, email, profile photo URL) is used only to create and identify your CurioStack account. It is not shared with third parties, used to train AI models, or transferred outside the processors listed below.
Who we share it with
We share data only with a small set of infrastructure providers who process it on our behalf:
- Hetzner — server hosting (EU).
- Keycloak (self-hosted on Hetzner) — authentication. Google and LinkedIn receive standard OAuth requests when you sign in with them; no other data flows back to them.
- Resend — transactional email delivery.
- Cloudflare — CDN, DNS, and bot protection (Turnstile).
- Dash0 — application observability (server-side telemetry, no personal browsing data).
- Stripe — payment processing, if you subscribe. We never see or store your card details.
We do not share or sell your data to anyone else.
Cookies
We use a session cookie set by Keycloak to keep you signed in, and a Cloudflare Turnstile token cookie during sign-in / sign-up to block bots. We do not use third-party analytics or advertising cookies.
Your rights
You can access, export, or delete your account and associated data at any time from Settings, or by emailing privacy@curiostack.io. Under GDPR you also have the right to lodge a complaint with your local data protection authority.
Retention
Account data is retained for as long as your account is active. If you delete your account, your saves, reading history, and profile are removed within 30 days. Server access logs are retained for up to 30 days. Backups are pruned within 90 days.
Children
CurioStack is not directed to children under 16. We do not knowingly collect data from anyone under 16. If you believe a child has provided us data, email privacy@curiostack.io and we will delete it.
Changes
We may update this policy as the product evolves. Material changes will be announced in-app or via the digest email. The "Last updated" date at the top of this page always reflects the current version.