Privacy Policy

Last updated: April 2, 2026

Overview

Shelf ("we", "us", or "our") is a read-it-later application that lets you save articles and books to your own Google Drive. We are committed to protecting your privacy. This policy explains what data we collect, how we use it, and what choices you have.

The core principle of Shelf is that your content lives in your cloud storage, not ours. We never store article text or book content on our servers.

Information We Collect

Account information

When you create an account via Clerk (our authentication provider), we receive your email address and optional display name. We store a user record in our database containing your Clerk user ID, email, and display name.

Article metadata

When you save a URL, we store metadata in our database: the URL, title, author, publication date, estimated reading time, word count, tags, read status, and a reference to where the file lives in your Google Drive. We do not store the article text or content on our servers — that goes directly into your Drive.

Google Drive access tokens

To write files to your Drive, we store OAuth tokens (access token and refresh token) encrypted at rest using AES-256-GCM. We request only the drive.file scope, which limits access to files that Shelf itself creates. We cannot access any other files in your Drive.

Usage data

We collect standard server logs (request timestamps, IP addresses, HTTP status codes) for security and debugging. These are not linked to individual users beyond what's needed for security purposes.

How We Use Your Information

  • To provide the Shelf service — saving, syncing, and reading your articles
  • To authenticate you and secure your account
  • To write article content to your Google Drive on your behalf
  • To send transactional emails (e.g., collection share invitations) via Resend
  • To improve the service and fix bugs

We do not sell your data. We do not use your data for advertising.

Third-Party Services

  • Clerk — handles authentication and session management
  • Google Drive — stores your article and book content (you control this data)
  • Supabase — hosts our PostgreSQL database (metadata only)
  • Resend — sends transactional emails (collection invites)
  • Vercel — hosts the web application
  • Railway — hosts the API server

Each of these services has its own privacy policy and data handling practices.

Data Retention and Deletion

You can delete your account at any time. When you do, we delete all metadata associated with your account from our database. Your Google Drive OAuth access is revoked. Files already written to your Drive remain there — they are yours and you control them.

You can also delete individual articles from Shelf. Doing so removes the metadata from our database and makes a best-effort attempt to delete the corresponding file from your Drive.

Security

OAuth tokens are encrypted at rest with AES-256-GCM. All data is transmitted over HTTPS. We apply the principle of least privilege — the Google Drive scope we request (drive.file) only allows access to files Shelf creates, not your entire Drive.

Your Rights

Depending on your jurisdiction, you may have rights to access, correct, export, or delete your personal data. To exercise these rights, contact us at the email below. Because your article content lives in your own Google Drive, you already have direct access to and control over it.

Children's Privacy

Shelf is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, contact us and we will delete it.

Changes to This Policy

We may update this policy from time to time. We will update the "Last updated" date at the top. Continued use of Shelf after changes means you accept the updated policy.

Contact

Questions about this policy? Email us at privacy@get-shelf.com.