Privacy Policy

Last updated: May 2026 · Applies to: web app, Chrome extension · Operated by: HuCo, ON, Canada

Contents

Who we are
What we collect and why
How we process your data — step by step
Third-party services
What we retain and what we discard
How your data is protected
Your rights
Children
Changes to this policy
How to contact us

1. Who we are

UseSaved is a personal link library that lets you save, organise, and rediscover web content using plain natural language. It is operated by HuCo, registered at ON, Canada

Privacy queries: privacy@usesaved.com

2. What we collect and why

2a. Account information

We collect your email address and a bcrypt hash of your password.

Basis: Contractual necessity. We never store your password in plaintext.

2b. URLs you save

We store the URLs you choose to save.

Basis: Contractual necessity. URLs are stored unencrypted. Page content is not.

2c. Page content snapshots

We temporarily handle the text content of the web page at the time of saving in order to generate AI tags and a search embedding.

Basis: Legitimate interest.

Raw page text is held in server memory temporarily during AI processing, then permanently discarded. It is NEVER written to our database. What is stored: URL, AI-generated tags, and a numerical embedding vector.

2d. Notes you add to saves

Any text you attach to a saved link is optional and collected on the basis of your consent.

Notes are encrypted using AES-256-GCM before storage. We cannot read them. Note content is never sent to any third-party API.

2e. Search queries

We log the text of your search queries and which results you clicked.

Basis: Legitimate interest. You can opt out at any time in Settings.

Search logs are pseudonymised and auto-deleted after 30 days. They are never shared with third parties.

2f. Beta enrollment consent

We record whether you opted in for beta access and product updates.

Basis: Consent. You can withdraw consent at any time.

We record your consent state, the date and time of consent, and the policy version you accepted.

2g. Waitlist signals

When you join the waitlist we invisibly collect: country, city, timezone, device type, referrer URL, and UTM parameters (source, medium, campaign).

Basis: Legitimate interest. This data is used solely to understand demand geography and product-market fit. It is never used for advertising and never sold.

3. How we process your data — step by step

The save pipeline

Our backend fetches the public web page at the URL you saved.
The page text is sent to the Anthropic Claude API, which returns tags and a summary. The text is held in server memory only during this API call.
The page text is sent to the OpenAI embeddings API, which returns a numerical vector. The text is held in server memory only during this API call.
Raw page text is permanently discarded from server memory once both API calls complete. It is never written to the database.
What is stored: your URL (plaintext), AI-generated tags (plaintext), the embedding vector (numbers only), and your encrypted note (if you added one).

Our database contains your URL, tags, a numerical vector, and optionally an encrypted note. The page content is never in our database.

The search pipeline

Your search query is sent to OpenAI to generate a numerical vector.
We compare that vector against the embedding vectors of your saved links.
The most semantically relevant results are returned to you.
If search logging is enabled, your query is stored pseudonymously and deleted automatically after 30 days.

Pseudonymous identifiers in AI calls

Every API call to Anthropic and OpenAI includes your internal user UUID — not your email address. This allows providers to detect abuse patterns without being able to identify you by name.

4. Third-party services

Anthropic Claude — generates tags and summaries from page content. Under Anthropic's paid API, inputs are not used to train models and are not retained beyond the response. Privacy policy

OpenAI — generates embedding vectors for saves and search queries. Under OpenAI's paid API, inputs are not used to train models. Privacy policy

Supabase — database and authentication infrastructure. Privacy policy

Vercel — frontend hosting. Privacy policy

Render — backend hosting. Privacy policy

5. What we retain and what we discard

Data	Retained	Discarded
Email address	Until account deletion	On deletion
Password hash (bcrypt)	Until account deletion	On deletion
URLs you saved	Until save or account deletion	On deletion
AI-generated tags	Until save or account deletion	On deletion
Embedding vectors	Until save or account deletion	On deletion
Encrypted notes	Until note or account deletion	On deletion
Raw page content	Never stored in database	After AI processing in server memory
Search logs	30 days pseudonymised (or never if opted out)	Auto after 30 days
Usage and technical logs	90 days	Auto after 90 days
Beta consent record	Until account deletion	On deletion
Waitlist GTM signals	Until deletion request	On request to privacy@usesaved.com

6. How your data is protected

Encryption at rest

Notes are encrypted with AES-256-GCM before being written to the database. Raw page content is never stored.

Encryption in transit

All data in transit between your device, our servers, and third-party APIs is protected by TLS.

Password storage

Passwords are hashed with bcrypt — an irreversible, salted algorithm. We cannot recover your password from what we store.

Access controls

Database access is restricted to authorised engineers. No member of staff can read your encrypted notes; the encryption key is derived from your credentials.

Breach notification

In the event of a data breach, we will notify affected users and the relevant authorities within 72 hours, in accordance with GDPR and the India Digital Personal Data Protection Act 2023.

7. Your rights

All users have the right to:

Access — request an export of all data we hold about you.
Deletion — delete your account and all associated saves.
Opt-out — disable search logging and unsubscribe from beta emails at any time in Settings.
Correction — edit or retag any saved link at any time.

GDPR users (EEA and UK) additionally have the right to object to processing, restrict processing, and lodge a complaint with your local data protection authority.

India DPDP Act 2023 users have the right to access, correct, and erase personal data, the right to nominate a representative, and the right to lodge a grievance with the Data Protection Board of India.

To exercise any right, contact privacy@usesaved.com. We will respond within 30 days.

8. Children

UseSaved is not intended for children under the age of 13. We do not knowingly collect personal data from children. If you believe a child has registered, please contact privacy@usesaved.com with a valid proof, and we will delete the account promptly.

9. Changes to this policy

We will give you at least 14 days' notice by email before any material changes take effect. Where required by law, we will ask for your re-consent before changes apply to your existing data.

10. How to contact us

privacy@usesaved.com — privacy queries

security@usesaved.com — security concerns

HuCo, ON, Canada