Privacy and user data

Privacy Policy

Last updated: June 17, 2026

This policy explains how Nodus Vault handles personal information in the web app and Chromium extension. It is written to cover the Chrome Web Store disclosure requirements, Brazil’s LGPD, and applicable United States privacy laws.

At a glance

  • Nodus Vault saves only the pages and data you choose to save.
  • The extension does not collect your full browsing history or run on every page automatically.
  • We do not sell personal information or use it for behavioral advertising.
  • You can export your data or delete your account from the app.

1. Who is responsible for your data

Nodus Vault is operated by Rubens Rodrigues Sôto Filho, based in São Paulo, Brazil. For privacy, support, or account questions, contact [email protected].

This policy applies to the Nodus Vault website, authenticated web app, backend services, and Chromium browser extension.

2. Information we collect

We collect the information needed to create accounts, save bookmarks, search and organize saved links, provide paid access, prevent abuse, and operate the service.

  • Account information: email address, hashed password, email verification status, language, timezone, account status, trial/subscription state, and account timestamps.
  • Saved bookmark data: URLs, normalized/canonical URLs, titles, descriptions, authors, publication dates, language, image URLs, notes, tags, collections, highlights, reading/watch/archive status, and related timestamps.
  • Optional page content: when you save a page and extraction succeeds, Nodus Vault may store readable page text so search, reader mode, embeddings, and tag suggestions can work. The extension does not save page text unless you choose to save that page.
  • Extension-local data: the extension may store an authentication token, connection status, cached tags, recent tag selections, and a limited offline retry queue in Chrome local storage.
  • Billing data: Stripe customer and subscription identifiers, billing status, and limited payment-method metadata such as the last four digits returned by Stripe. We do not store full card numbers or card security codes.
  • Technical and security data: request metadata such as method, route, status, duration, request id, IP-derived rate-limit signals, user-agent family, timestamps, and error information needed to operate and secure the service.
  • Analytics data: we use Google Analytics to understand page visits, product usage, device/browser information, and aggregated traffic patterns.

3. Chrome extension data practices

The extension has a single purpose: saving the current browser page to your Nodus Vault account.

The use of information received from Google APIs will adhere to the Chrome Web Store User Data Policy, including the Limited Use requirements.

  • It accesses the active tab only after a user action, such as opening the popup, using the context menu, or pressing the save shortcut.
  • It does not collect your complete browsing history.
  • It does not use remotely hosted code; extension scripts are packaged with the extension.
  • If a save fails because you are offline or the API is unavailable, a sanitized offline queue may be stored locally and retried later. Full page text is removed from offline queue storage.
  • Disconnecting, revocation, or reconnecting clears account-derived local extension data such as queue, tags, and recent tag selections.

4. How we use information

  • To create and authenticate your account.
  • To save, display, organize, search, export, and delete your bookmarks.
  • To provide reader, watch, notes, highlights, Daily Check, forgotten-link, tag, collection, and search features.
  • To process subscriptions and billing through Stripe.
  • To send transactional emails such as verification, password reset, account deletion, and export notifications through Resend.
  • To detect abuse, secure accounts, rate-limit sensitive actions, and troubleshoot service issues.
  • To measure and improve the website and product using Google Analytics.

6. Service providers and sharing

We share information only as needed to run Nodus Vault, comply with the law, or protect the service. We do not sell personal information.

  • Hostinger provides hosting infrastructure.
  • Cloudflare sits in front of the hosting environment for traffic routing, security, and availability.
  • Resend sends transactional email.
  • Stripe handles checkout, subscriptions, invoices, the billing portal, and payment processing.
  • Google Analytics provides website and product analytics.
  • Google Gemini provides AI/embedding capabilities when those features are used.
  • Public content services may receive the URL or public identifier of a saved item when metadata enrichment is enabled.

8. Retention

  • Account and saved bookmark data are kept while your account is active, unless you delete specific items or delete your account.
  • You may request a data export from the app. Export archives are made available through signed download links for a limited time.
  • If you request account deletion, live account data is deleted after password verification. Operational backups may retain deleted data for up to 30 days before they expire.
  • Technical logs are retained for 7 days unless a longer period is required to investigate abuse, security, or legal issues.
  • Production backups are retained for up to 30 days.
  • Trial-abuse prevention records store HMAC hashes rather than raw identifiers and are retained for the configured anti-abuse window, currently up to 30 days.
  • Extension-local data remains in your browser until you disconnect, reconnect, revoke the token, clear extension storage, or uninstall the extension.

9. Your rights and choices

Depending on your location, you may have rights to access, confirm processing, correct, export, delete, restrict, or object to the use of your personal information. You may also have rights under Brazil’s LGPD and applicable United States privacy laws.

  • Use the app’s export control to request a copy of supported saved data.
  • Use the account deletion control to delete your account.
  • Contact [email protected] to ask privacy questions or exercise rights not available directly in the app.
  • Use your browser settings or Google’s controls to limit Google Analytics where available.
  • Nodus Vault does not sell personal information or use it for cross-context behavioral advertising.

10. Security and international processing

We use technical and organizational safeguards such as hashed passwords, token peppering, limited extension permissions, rate limits, signed export links, and access controls. No system is perfectly secure, so please use a strong unique password and contact us if you suspect unauthorized access.

Nodus Vault is operated from Brazil and uses service providers that may process information in Brazil, the United States, and other countries where they operate.

11. Children

Nodus Vault is not intended for children under 16, and we do not knowingly collect personal information from children under 16.

12. Changes and contact

We may update this policy as the product, providers, or legal requirements change. If a change is material, we will take reasonable steps to notify users through the product or another appropriate channel.

Questions or requests: [email protected].