Privacy Policy

1. Who we are

BookSlash operates the BookSlash service. For the purposes of GDPR and UK GDPR, BookSlash acts as a processor for customer-uploaded content (boards, slugs, bookmarks, comments) on behalf of the workspace owner, and as a controller for its own account, billing, and product-analytics data.

2. Data we collect

Account data

• Name, email address, and authentication identifier (OAuth subject ID).
• Workspace membership, role, and permission grants.
• Two-factor authentication secrets (stored encrypted) if enabled.

Customer content

• Slugs, target URLs, boards, bookmarks, and any text or files you submit.
• Comments, reactions, and collaboration metadata.
• Audit-log entries describing actions taken in the workspace.

Usage data

• IP address, user-agent string, request timestamps, and request IDs.
• Aggregated product-analytics events used to improve the service.

Billing data

• Payments are processed by Paddle, who acts as Merchant of Record and as an independent data controller for payment data. BookSlash never receives or stores card numbers, CVV codes, or full bank details. Paddle’s handling of your payment information is governed by Paddle’s Privacy Policy.
• We retain Paddle customer IDs, subscription status, and invoice history.

3. How we use it

• To provide, secure, and improve the service.
• To send transactional email (sign-in links, account changes, billing receipts). We do not add you to marketing lists without an explicit opt-in.
• To detect and respond to abuse, fraud, and security incidents.
• To meet legal, accounting, and regulatory obligations (e.g. tax, anti-money-laundering).

4. Legal bases (EEA / UK)

• Contract — we need this data to provide the service you signed up for.
• Legitimate interest — for security monitoring, fraud prevention, and aggregated product analytics.
• Legal obligation — for tax, accounting, and lawful requests from authorities.
• Consent — for non-essential cookies and any optional marketing email. You can withdraw consent at any time.

5. Who we share it with

We share personal data only with sub-processors that are necessary to operate the service, and only the minimum required. Our current sub-processor list is published at /legal/subprocessors.

We do not sell personal information. We do not share personal information with third parties for cross-context behavioral advertising. (CCPA/CPRA opt-out is therefore not applicable, but we honor Global Privacy Control signals.)

6. Retention

• Account data — kept for the life of the account and 30 days after deletion to allow recovery from accidental deletion.
• Customer content — kept for the life of the workspace; deleted within 30 days of workspace deletion.
• Audit logs — retention varies by plan; typical retention is 30 to 365 days. Plan-specific retention is described in your subscription.
• Billing records — retained for at least 7 years to meet US tax record retention requirements.

7. Your rights

Depending on where you live, you may have the right to access, correct, export, restrict, or delete your personal data, and to object to certain processing. To exercise any of these rights, email [email protected]. We respond within 30 days (45 days for CCPA requests).

We will not retaliate against you for exercising your privacy rights. If your request is denied, you may appeal by replying to our response email.

8. Security

We use TLS for data in transit and AES-256 encryption for data at rest. Two-factor authentication is available on every account. Our security program is described at /security.

9. Browser extension

The BookSlash browser extension stores a personal access token (PAT) in your browser’s local extension storage (chrome.storage.local). The token is used to authenticate API requests to app.bookslash.app and is never sent to any other party. It does not leave your browser except when making requests to the BookSlash API.

The extension sends the following data to the BookSlash API:

• Your shortcut slugs and target URLs, when you create or sync shortcuts.
• Your browser platform string (e.g. “MacIntel”), used to label the token during the initial sign-in flow.

The extension does not collect browsing history, page content, or any data from pages you visit. No third-party analytics or tracking scripts run in the extension. You can revoke the extension’s access token at any time from bookslash.app/account/extension.

10. International transfers

Personal data may be processed in the United States and other countries where our sub-processors operate. Where required, we rely on Standard Contractual Clauses and equivalent transfer mechanisms.

11. Children

The service is not intended for children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it.

12. Changes to this policy

We will post any material changes to this page and update the “Last updated” date. For significant changes, we will notify account owners by email at least 30 days before the change takes effect.

13. Contact

BookSlash
Privacy: [email protected]
Security: [email protected]
General: [email protected]