SoulStack

Privacy Policy

Effective date: April 15, 2026

This policy explains what data SoulStack collects, why, how it is used, and the choices you have. It covers the SoulStack website at soulstack.so and the SoulStack Chrome extension. We designed SoulStack to collect as little as possible while still letting you read, highlight, and keep a library of your own reflections.

SoulStack (“SoulStack,” “we,” “us,” or “our”) is the data controller for the personal information described below. If you have questions, reach us at privacy@soulstack.so.

1. What we collect

Account information

When you create an account, we store your email address, a username you choose, a hashed password (if you sign up with email and password), and optionally a display name and profile image. If you sign in with a third-party provider (for example, Google), we receive the basic profile information that provider sends us.

Content you create

SoulStack stores the books, articles, and files you import, the highlights and notes you take, the patterns and collections you build, and any reactions or reflections you write. This content belongs to you; we only store it to provide the service.

Content from the Chrome extension

The SoulStack Chrome extension only sends data when you explicitly choose a right-click menu item. When you pick “Open in SoulStack,” the extension sends the URL of the page you chose. When you pick “Save highlight to SoulStack,” the extension sends the URL of the page and the text you selected so we can save it to your library. The extension does not track browsing history, record activity, read pages in the background, or collect any data unless you invoke one of those actions.

Usage and device information

When you use SoulStack, we record limited technical information needed to run the service: IP address, browser type, operating system, pages or features used, the time of requests, and error diagnostics. We may record product analytics events (for example, “book opened,” “highlight created,” “import completed”) to understand which features work and which do not. Analytics events are tied to your account identifier but contain no highlight passages or note text.

Cookies and local storage

We use a small number of strictly necessary cookies to keep you signed in and to remember basic preferences. SoulStack is local-first: most of your content is also cached in your browser’s IndexedDB so reading and writing stay fast offline. We do not use advertising cookies or cross-site tracking cookies.

2. How we use your data

  • To provide and secure the SoulStack service and your account.
  • To store your reading library, highlights, notes, and patterns so they are available across devices.
  • To generate Polaris AI responses and to create the semantic embeddings that let SoulStack surface connections across your notes. Embedding and AI processing are only performed on content you saved to SoulStack.
  • To extract readable content from URLs or files you import.
  • To diagnose errors, prevent abuse, and monitor service health.
  • To measure how the product is used in aggregate so we can improve it. You can disable product analytics at any time from your account settings.
  • To communicate with you about your account or important service changes.

We do not sell your personal information. We do not use your highlights, notes, or imported content to train third-party AI models. We do not show advertising inside SoulStack.

3. Legal bases (for users in the EEA and UK)

We rely on the following legal bases under GDPR:

  • Contract. We process your account data and your content to deliver the service you signed up for.
  • Legitimate interests. We process limited diagnostic and analytics data to keep SoulStack secure, stable, and working well.
  • Consent. Where required, we ask for your consent before enabling optional features (for example, session replay or marketing email).
  • Legal obligation. We may process data to comply with applicable laws.

4. Service providers we use

We rely on a small number of trusted subprocessors to operate SoulStack. Each one only receives the data it needs to do its job and is contractually bound to protect it.

  • Supabase — database, authentication, storage, and serverless functions.
  • Vercel — web hosting and request routing.
  • Amazon Web Services (Amazon Bedrock) — large language model inference for Polaris and related AI features.
  • Voyage AI — embedding generation for semantic search across your notes.
  • PostHog — product analytics (enabled only when you have not opted out).
  • Sentry — error diagnostics (enabled when configured by the operator).
  • Upstash — rate limiting and abuse prevention (when configured).

We do not otherwise share your personal information with third parties except when required by law, to protect rights and safety, or as part of a merger or acquisition (in which case you will be notified).

5. International data transfers

SoulStack is operated from the United States and our subprocessors may process data in the United States and other countries. Where data is transferred out of the EEA or the UK, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses.

6. How long we keep your data

We keep your account and your content for as long as your account is active. If you delete specific content (a book, a highlight, a note), it is removed from our active systems promptly and from backups within 30 days. If you delete your account, all of your personal data is removed within 30 days, except where we must retain limited information to comply with legal obligations or resolve disputes.

7. Your rights

Depending on where you live, you have the right to access, correct, export, delete, or restrict the processing of your personal information, and to object to certain uses. You can also withdraw consent at any time where processing relies on consent. To exercise any of these rights, email privacy@soulstack.so. We will respond within 30 days.

Residents of California have additional rights under the CCPA/CPRA, including the right to know what personal information we collect and the right to request deletion. We do not sell or share personal information as those terms are defined under California law.

You may also lodge a complaint with your local data protection authority. We would appreciate the chance to address your concern first, so please reach out to us before you do.

8. Security

We use industry-standard measures to protect your data, including encryption in transit (HTTPS/TLS), encryption at rest for the database, hashed and salted passwords, row-level security policies so users can only read their own content, and audit logging on sensitive actions. No system is perfectly secure, so if you believe your account has been compromised, please contact us immediately at security@soulstack.so.

9. Children’s privacy

SoulStack is not directed to children under 13 and we do not knowingly collect personal information from them. If you believe a child has provided us with personal information, email privacy@soulstack.so and we will delete it.

10. Changes to this policy

We may update this policy from time to time. If we make material changes, we will post the updated policy here and, where appropriate, notify you by email or inside the product. Continued use of SoulStack after the effective date means you accept the updated policy.

11. Contact

Questions about this policy, or requests about your data, should go to privacy@soulstack.so.