Backread · Privacy
Privacy Policy
1. Who we are
Backread (Pty) Ltd, operating backread.app and the Backread apps. Contact: privacy@backread.app.
2. What we collect — the honest inventory
- X account basics via OAuth sign-in: your X user ID, handle, display name, profile image. We never see your X password.
- OAuth tokens to act on your behalf (read bookmarks/likes/follows; delete a bookmark on X only when you explicitly run Cleanup). Stored encrypted at rest, revocable any time from X settings or by deleting your account.
- Your saves: bookmarks, likes (if you connect them), and links you share to Backread — post text, media references, engagement metrics, authors' public profiles.
- Derived data: AI-generated categories, summaries, tags, embeddings — computed to make your archive searchable and organised.
- Usage events: which screens/features are used, tied to a session id (first-party only, no third-party ad trackers). Crash/feedback reports you submit.
- Billing: handled by Lemon Squeezy (merchant of record) — we never see or store card numbers. We store your plan status.
3. What we do NOT do
No selling or sharing of personal data with advertisers. No ad trackers. No training AI models on your archive.
4. Processors we use
Your data crosses borders as part of how the service works: Fly.io (hosting, United Kingdom), Cloudflare R2 (encrypted backups + media storage), xAI / OpenAI (categorisation, summaries, embeddings — the content of your saves is sent for processing), Lemon Squeezy (payments), and X Corp (the API your data comes from). We choose processors with strong security practices and update this list as reality changes.
5. Retention & backups
Your archive persists while your account exists — that's the product. Continuous encrypted off-site backups (7-day point-in-time). Deleted accounts: purged from the live database immediately; backup copies age out within 7 days.
6. Deletion & your rights
Your data originates and travels across several jurisdictions; we endeavour to comply with all applicable data protection laws and best practices wherever our users are. In practice, for every user regardless of location:
- Access & portability — the in-app Export feature gives you your complete archive (Markdown, CSV, JSON, or an Obsidian vault) at any time.
- Correction — your derived data (categories, notes, tags) is directly editable in-app.
- Deletion — in-app Delete account removes your archive, Vault, Verified Snapshots (including their public verification pages), OAuth tokens, and derived data.
- Objection / questions — write to privacy@backread.app.
7. Security
Encryption in transit everywhere; OAuth tokens encrypted at rest; each account's data isolated per-tenant; continuous encrypted backups. No system is perfectly secure and we don't claim ours is — we apply current best practices, carefully. Found something? security.txt.
8. Children
Backread is not directed at children under 13; X itself requires users to be 13 or older.
9. Verified Snapshots — public pages & blockchain permanence
- Public proof pages. Each Verified Snapshot you create has a public page at
/v/<code>showing the captured content. Snapshots are an explicit action — nothing becomes public without you choosing it. Deleting your account deletes your Verified Snapshots and their public pages. - Irrevocable timestamps. When you verify a snapshot, a cryptographic fingerprint (not the content itself) is recorded permanently on the Bitcoin blockchain. The fingerprint reveals nothing about the content and cannot be removed — by anyone, including us. The content page remains under your control and is deleted with your account.
10. Changes & contact
We'll post material changes to this policy on this page with a new effective date, and note them in-app. Questions: privacy@backread.app.