
Privacy Policy

Effective: May 19, 2026 · Version 1.1

Korean translation: 개인정보처리방침 (Privacy Policy). The English version is the legally binding source of truth.

1. Data We Collect

Information you provide

  • Account: Google account email, name, and profile photo (via Google OAuth).
  • Contacts: Names, phone numbers, emails, affiliations, meeting notes, and tags you create in Recallink. These fields are encrypted on your device before upload to Supabase. We cannot read them.
  • Interaction logs: What you discussed, when, where, and with whom — as entered by you. The textual content (title, detail, location, mood, keywords, tags) is encrypted on your device before upload. We cannot read them. The event time itself remains visible to us as plaintext metadata so the sync engine can order rows (see section 3.5).

Information collected automatically

  • Usage data: Pages visited, features used, timestamps. Collected only if you consent to analytics cookies.
  • Device info: Browser type, OS, screen size — for responsive layout and debugging.
  • IP address: For security (rate limiting, abuse prevention). Not used for tracking.

2. How We Use Your Data

  • Authenticate your identity and maintain your session.
  • Store and sync your contacts and logs across devices (when cloud sync is enabled).
  • Process payments via Stripe.
  • Prevent abuse, fraud, and unauthorized access.
  • Improve the Service based on aggregate, anonymized usage patterns.

We do not sell your data, use it for advertising, or share it with third parties for their marketing purposes.

3. Where Your Data Lives

Local-first architecture

Your contact data is stored on your device first (browser IndexedDB or native app database). No server request is required for core features.

Cloud sync (optional, paid)

When enabled, data syncs to Supabase (PostgreSQL hosted by Supabase Inc.). Row-Level Security ensures only you can access your rows. Data is encrypted in transit (TLS 1.3) and at rest (AES-256). In addition, the sensitive content fields of every row are encrypted on your device before upload using a key derived from your passphrase. See section 3.5 below for the full zero-knowledge model and the exact list of fields a Recallink admin can and cannot see.

Data residency

Cloud data is stored in Supabase's infrastructure. For current server locations, see Supabase Regions.

3.5 Zero-Knowledge Encryption (Cloud Sync)

Cloud sync is designed so that Recallink staff cannot read your contact content, even though we operate the database it lives in. This section explains exactly how that works and — just as importantly — what an admin can still see.

How the encryption works

  • Sensitive content fields are encrypted on your device with AES-256-GCM before any HTTP request leaves your browser or app.
  • The encryption key is derived from your passphrase using PBKDF2-HMAC-SHA256 with 250,000 iterations, salted with your user ID.
  • Your passphrase is never transmitted to Recallink, never stored on any Recallink server, and cannot be recovered if forgotten. Only ciphertext reaches Supabase.
  • Backup files exported from Settings > Data Management (.recallink-backup) are also fully encrypted with your passphrase before download. Their contents are opaque to anyone without the passphrase, including us.

What Recallink admins CANNOT see

  • Any contact name, nickname, phone number, email, or address.
  • Any memo, affiliation, occupation, nationality, birth date, gender, first-met place, or relationship summary.
  • Any interaction title, detail, location text, mood, keywords, or tags.
  • Any custom category name, template content, or saved preference.
  • Attachment file content, filenames, MIME types, or remote URLs (encrypted before upload, even if the file itself is later uploaded).
  • Any field-level changelog entry (old value / new value of an edit).
  • Your passphrase.
  • The contents of any .recallink-backup export file.

Specifically, the following fields are encrypted on-device before upload:

  • Contact: display_name, nickname, memo, affiliations, occupation, nationality, birth_date, gender, first_met_place, relationship_summary, tags, profile_photo, action_memo, action_memo_history
  • Link/Interaction log: title, detail, location, mood, keywords, tags
  • Event: name, location, description, tags
  • Contact channel: type, value, label, note
  • Attachment: local_path, remote_url, original_filename, mime_type, url, title
  • Changelog: field_name, old_value, new_value
  • Settings: categories, templates, preferences

What Recallink admins CAN see (operational metadata)

To make sync work — ordering rows, resolving conflicts, enforcing Row-Level Security, billing, and abuse prevention — some metadata is intentionally kept in plaintext. An admin with database access can see:

  • Your user ID (a UUID; not a human-readable identifier).
  • Row IDs (UUIDs) and foreign-key relationships (for example, that a Link belongs to a Contact via contact_id) — these reveal the shape of your network graph but not who anyone is.
  • Timestamps: created_at, updated_at, deleted_at, event_time, last_contact_date, last_met_date.
  • Category code (a number such as "99", not the human name — the name lives inside your encrypted Settings).
  • The device UUID that uploaded each row (_device_id).
  • Billing identifiers: Stripe customer ID, Google Play purchase token, bank-transfer intent ID, subscription status / plan / period end. These are used for billing and entitlement only.

This metadata is the explicit exception to the "we cannot read your data" promise. It tells us "a row exists, it was last edited at this time, by this user, from this device" — but not what is inside.

Server-side search index removed

Earlier versions of the Recallink database held server-side full-text search columns (Postgres tsvector) generated from display_name, nickname, memo, title, and detail. Those columns were removed in migration 004 so that no plaintext index of your contact content remains on our servers, including any data indexed before May 15, 2026.

What this means for you

  • Forgot your passphrase? We cannot recover your synced data. There is no "reset link" we can email — the key never leaves your device, so we do not have it to reset. The data on your current device is still accessible (the local database is plaintext on-device for fast queries; only the cloud copy is encrypted), so export a backup while you still can.
  • Switching devices? You must type the same passphrase on the new device to decrypt the synced data.
  • Keep the passphrase safe. A password manager entry is strongly recommended. Treat it like a wallet seed phrase — losing it means losing the synced copy.

4. Third-Party Processors

Processor   Purpose                               Data
Google      OAuth authentication                  Email, name, profile photo
Supabase    Database, authentication, cloud sync  Account + synced contacts/logs
Stripe      Payment processing                    Email, payment method (we never see card numbers)
Vercel      Web hosting, CDN                      IP, request logs

Each processor is bound by their own privacy policies and data processing agreements.

5. Cookies

Essential cookies

Session and authentication cookies. Required for the Service to function. Cannot be disabled.

Analytics cookies

We may use analytics tools to understand aggregate usage patterns. Analytics cookies are not loaded until you explicitly consent via the cookie banner. You can withdraw consent at any time.

No advertising cookies

We do not use advertising or tracking cookies. Ever.

6. Your Rights

Regardless of where you live, you can:

  • Access your data — view all contacts, logs, and account information in the app.
  • Export your data — CSV, vCard, or JSON from Settings > Data Management.
  • Correct your data — edit any contact or link at any time.
  • Delete your data — delete individual records or your entire account from Settings.
  • Withdraw consent — disable analytics cookies, revoke cloud sync, or delete your account.

For EU/EEA residents (GDPR)

You additionally have the right to data portability, the right to restrict processing, and the right to lodge a complaint with your local data protection authority. Our legal basis for processing is contract performance (providing the Service) and legitimate interest (security, abuse prevention).

For California residents (CCPA)

We do not sell personal information. You have the right to know what data we collect, request deletion, and opt out of any future sales (none planned).

For Korean residents (개인정보 보호법, Personal Information Protection Act)

You have the rights to access (열람), correction (정정), deletion (삭제), processing suspension (처리정지), and data portability (이동). Exercise these via Settings or email.

7. Data Retention

  • Active account: Data retained while your account exists.
  • Account deletion: 30-day grace period, then permanent deletion of the encrypted cloud copy of your contacts, logs, events, attachments, settings, and changelog rows. Billing records required for legal compliance are kept under "Legal obligations" below. Local data on your device is not touched by an account deletion — the on-device database remains so you can continue using Recallink offline or export a backup. To remove it, clear the app's storage from your browser or device settings, or use Settings > Data Management > Clear local data.
  • Legal obligations: Transaction records (5 years), service usage logs (3 years), consumer complaint records (3 years), per applicable law.

8. Security

  • HTTPS/TLS encryption for all connections.
  • Database encryption at rest (AES-256).
  • Row-Level Security: each user can only access their own data.
  • Stripe webhook signature verification with idempotency protection.
  • Content Security Policy, HSTS, and other security headers.
  • Network Security Config on Android (cleartext denied), allowBackup disabled.

9. Children

Recallink is not intended for users under 14 years of age (or 16 in the EU). We do not knowingly collect personal data from children. If you believe a child has provided us data, contact us and we will delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy. For material changes affecting your rights, we will provide 30 days' notice. The "Effective" date at the top reflects the latest version.

11. Contact & Remediation

Data Protection Officer: support@recallink.com

Korean residents may also contact: the KISA Personal Information Infringement Report Center (개인정보 침해신고센터) 118, privacy.kisa.or.kr · the Personal Information Dispute Mediation Committee (개인정보 분쟁조정위원회) 1833-6972, www.kopico.go.kr · the Supreme Prosecutors' Office Cyber Investigation Division (대검찰청 사이버수사과) 1301, www.spo.go.kr · the Korean National Police Agency Cyber Investigation Bureau (경찰청 사이버수사국) 182, ecrm.cyber.go.kr