Privacy Policy

Purly Inc. ("we," "us," or "our") operates Purly, a content curation and sharing platform. This Privacy Policy explains what data we collect, how we use it, and your rights regarding that data.

By using Purly, you agree to the collection and use of information as described here. If you do not agree, please do not use the Service.

1. Data We Collect

Information you provide

• Account information: Email address (from your auth provider), user handle, and optional display name
• Content you create: Purls (saved links), feed names and descriptions, labels and label groups, queue items, and chat messages (each message includes a URL and an optional caption up to 280 characters)
• Feedback responses: Answers to in-app feedback surveys about content you've consumed (e.g., whether it was worth your time)
• Settings and preferences: Theme choice, sidebar state, profile visibility (public or friends-only), and other preferences

Information collected automatically

• Activity data: We maintain an activity log of your actions within the Service (creating purls, publishing to feeds, managing labels, etc.). This log is visible only to you and is used to provide your activity timeline
• Usage metrics: Last active timestamp and active-day count, used to monitor Service health
• Metadata: When you save a URL, we fetch publicly available Open Graph metadata (title, description, image URL, content type) from the linked page to display previews

Information from third parties

• Authentication providers: When you sign in with Google or Apple, we receive your email address and basic profile information from those providers
• YouTube integration: If you connect your YouTube account to sync a playlist, we receive OAuth access and refresh tokens (encrypted at rest) and the playlist data you select for syncing

2. How We Use Your Data

We use the data we collect to:

• Provide, maintain, and improve the Service
• Authenticate your identity and secure your account
• Display content previews by fetching URL metadata
• Process subscriptions and billing
• Generate your activity log and personal usage statistics
• Use aggregated feedback survey responses to improve content recommendations (your individual responses are never shared with other users)
• Send you essential Service communications (security alerts, billing notices, Terms updates)
• Enforce our Terms of Service and respond to reports
• Comply with legal obligations

We do not use your data for advertising. We do not sell your personal information.

3. How We Share Your Data

We share your data only in the following circumstances:

• With other users: Content you publish in public feeds and your public profile information (handle, display name, avatar) are visible to other users. Chat messages are visible to chat participants. Friends-only content is visible only to your friends
• Service providers: We use third-party services to operate the platform, including hosting (Vercel), database (Supabase), and payment processing. These providers access your data only as needed to perform their services and are bound by their own privacy obligations
• Legal requirements: We may disclose your data if required by law, subpoena, court order, or government request
• Business transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred as part of that transaction. We will notify you before your data becomes subject to a different privacy policy

We do not share your data with advertisers or data brokers.

4. Data Security

We protect your data with the following measures:

• Authentication is managed by Supabase Auth with magic links and OAuth — we never store passwords
• API tokens are stored as SHA-256 hashes; the plaintext token is shown only once at creation
• YouTube OAuth tokens are encrypted at rest
• Row-level security (RLS) policies enforce per-user access control at the database level
• All data is transmitted over HTTPS

No system is perfectly secure. While we take reasonable measures to protect your data, we cannot guarantee absolute security.

5. Data Retention and Deletion

We retain your data for as long as your account is active or as needed to provide the Service. Some data is soft-deleted (marked as deleted but retained briefly for recovery) before being permanently removed.

When you delete your account, we permanently delete all data you own, including: purls, feeds, labels, chat messages, queue items, activity history, feedback responses, API tokens, and connected integrations.

Content that other users independently saved from your public feeds or chats is not affected by your deletion — those are separate copies owned by those users.

Reports involving your account may be retained in anonymized form for safety and moderation purposes.

6. Your Rights and Choices

All users

• Access: View your data through your library, activity log, and account settings at any time
• Correction: Update your handle, display name, and other profile information from settings
• Deletion: Delete your account and all associated data from your account settings
• Profile visibility: Choose between a public or friends-only profile
• Integrations: Disconnect YouTube or other third-party integrations at any time

European Economic Area (GDPR)

If you are in the EEA, you have additional rights under the General Data Protection Regulation:

• Right to access, rectify, or erase your personal data
• Right to restrict or object to processing
• Right to data portability
• Right to withdraw consent at any time
• Right to lodge a complaint with your local supervisory authority

Our legal bases for processing are: contractual necessity (to provide the Service), legitimate interest (to improve and secure the Service), and consent (where applicable). We will respond to data subject requests within 30 days.

California (CCPA/CPRA)

If you are a California resident, you have the right to know what personal information we collect and how we use it, request deletion, and opt out of the sale or sharing of personal information. We do not sell or share your personal information as defined by the CCPA.

We will not discriminate against you for exercising your privacy rights. To make a request, contact us at privacy@purly.app.

7. Cookies and Tracking

Purly uses essential cookies for authentication and session management. These are strictly necessary for the Service to function and cannot be disabled.

We do not use advertising cookies or third-party tracking pixels. We do not engage in cross-site tracking.

8. Children's Privacy

Purly is not intended for children under 13. We do not knowingly collect personal information from children under 13. If we learn that we have collected data from a child under 13, we will delete the account and associated data promptly. If you believe a child under 13 has created an account, please contact us at privacy@purly.app.

9. International Data Transfers

Purly is operated from the United States. If you access the Service from outside the U.S., your data may be transferred to and processed in the U.S. or other countries where our service providers operate. We rely on Standard Contractual Clauses and other appropriate safeguards for international transfers where required.

10. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you via email or an in-app notice at least 30 days before they take effect. The "Effective date" at the top of this page indicates when it was last revised.

11. Contact

Questions or requests about your privacy? Contact us at privacy@purly.app.

For general questions, see our Terms of Service.