Back to Shelf

Documentation · this section

Legal — 01

Privacy policy

Last updated · 2026-05-13

Short version

Shelf is a local-first Chrome extension. Your saved articles, videos, podcasts, collections, and tags live in chrome.storage.local on your own device. Nothing is uploaded to a Shelf server — there is no Shelf server.

Network calls only happen when you trigger them: exporting to Notion, fetching a YouTube transcript, generating an AI summary, or activating a Pro license. Each of those calls goes directly from your browser to the third-party service involved — never through us.

Limited Use of data (Chrome Web Store policy)

Shelf complies with the Chrome Web Store Limited Use policy. We do not sell user data, do not transfer it for advertising or credit-scoring purposes, do not allow human reading of user data outside of a security investigation or with the user’s explicit consent, and only use the data we describe below for the purposes explicitly listed on this page.

What we collect

For free users: nothing. Shelf does not run analytics, telemetry, error reporting, or usage tracking. The extension does not send heartbeats, ping a Shelf server on launch, or report which features you use.

For Pro users: the minimal seat-tracking record described below under License seat tracking — an opaque random install identifier, a timestamp, and a short browser/OS family hint. That is the entire set; no library content, no reading habits, no analytics. The record exists solely to enforce the device limit you contracted for at purchase.

What lives on your device

Inside chrome.storage.local, scoped to the Shelf extension:

  • Saved items: title, URL, excerpt, thumbnail URL, hostname, reading time, your tags, AI-generated tags and summaries when Pro is active, YouTube transcript when fetched, highlights you select.
  • Collections + memberships: your folder structure and which items belong to which folders.
  • Smart Rules: the auto-routing rules you create.
  • Preferences: AI configuration, active destinations, streak data, daily-pick state.
  • License: when Pro is activated, the signed license key (JWT) and the time of last validation.

This data does not leave the device unless you trigger an export or a network operation listed below.

Third-party services (only when you opt in)

Notion

When you click “Send to Notion” or set up a Notion destination, Shelf sends your saved item to api.notion.com directly from your browser, authenticated with the Internal Integration token you pasted into Shelf. We never see this token. The data sent is the item itself: title, URL, tags, excerpt, AI summary, YouTube transcript, source link.

Notion’s privacy policy applies to anything that lands in your Notion workspace.

Stripe (payments + license issuance)

When you purchase Shelf Pro or Shelf Founder Lifetime, Stripe Payments Europe Ltd. processes the payment as a payment processor — name, email, billing details and payment method data are handled by Stripe under their privacy policy. We (Shelf) receive only the email you used at checkout and the resulting customer/subscription identifiers.

When you activate the license inside Shelf, the extension calls our own endpoint at www.shelf-extension.com/api/license/validate with the license key. The endpoint verifies the cryptographic signature locally, then asks Stripe whether your subscription is still active. No personal data is logged beyond an internal error trace if the call fails. The license key itself contains your email and Stripe customer/subscription identifiers in a signed payload that cannot be modified without invalidating the signature.

Resend (license delivery email)

After a successful purchase, our Stripe webhook generates the license key and sends it to your email through Resend (a transactional email provider, based in the EU). Resend stores delivery metadata (email address, send timestamp, delivery status, bounce/complaint events) under their data retention policy for as long as needed to provide the service.

Cloudflare (inbound email forwarding)

When you email support@shelf-extension.com, Cloudflare Email Routing receives the message and forwards it to the maker’s personal mailbox. Cloudflare sees the message envelope (sender address, recipient alias, timestamp) and the message contents in transit. Cloudflare does not retain the message body once forwarding has completed; envelope/log metadata is retained per their email-routing terms. We use Cloudflare Email Routing solely so the maker can receive your message at the public support alias without exposing a personal address. The forwarded message lands in a standard email inbox; from that point onwards the maker’s own email provider applies.

License seat tracking (Stripe customer metadata)

To enforce the device limits described in our Terms of Service, Shelf maintains a small record of which extension installs have your license activated. Here is exactly what that involves.

What is stored. For each install that has activated your license, three values:

  • installId — a random 16-character hexadecimal string (e.g. a3f9c2b1e7d04582). It is generated locally by your extension the first time it activates a license, using your browser’s cryptographic random source. It is not derived from your hardware, your IP, your Chrome profile ID, your Google account, or any other identifier — it is fresh randomness, scoped to that one install. Uninstalling the extension destroys it; we cannot reconstruct it.
  • lastSeen — the timestamp of the most recent license validation call from that install. Used to auto-release inactive seats after 60 days.
  • hint — a short human-readable string like "Chrome/Mac" or "Edge/Win". It is derived from the User-Agent request header at validation time, reduced to browser family and OS family only. The full User-Agent string is never stored. The hint exists so that when you open the manage page you can tell your laptop from your work desktop without us knowing more than that.

Where it is stored. Inside your Stripe customer metadata, under a single key shelf_seats. Stripe is the source of truth — we do not run our own database for this. The list is read and updated by our serverless license endpoint on each validation call.

What we use it for. Solely:

  1. Enforcing the device limit (5 for Pro, 10 for Founder Lifetime).
  2. Showing you your active devices at shelf-extension.com/manage so you can revoke any of them.
  3. Auto-releasing seats that haven’t checked in for 60 days.

We do not use this data for analytics, profiling, feature-usage tracking, advertising, or any kind of behavioral inference. The installId is opaque to us.

Legal basis. Performance of the contract between you and the maker — the device cap is a defined term of your Pro purchase (GDPR Art. 6(1)(b)).

When it is deleted. Seat data is deleted in all of these cases:

  • Automatically, when an installId has not checked in for 60 days.
  • When you revoke a device from the manage page.
  • When your subscription is cancelled and the cancellation reaches the end of the billing period (Pro), or when a refund is issued (Founder Lifetime).
  • Within 30 days of an erasure request emailed to support@shelf-extension.com, subject to the Stripe fiscal-retention limits already described under Data retention.

Gemini Nano (on-device, default)

Shelf Pro uses Chrome’s built-in Gemini Nano AI model for auto-tagging and summary generation by default. The model is provided by Google as part of recent Chrome versions and runs entirely on your device — no data leaves the machine when Nano is the active path. Google’s terms for Chrome AI features apply to the underlying model itself; nothing about that path involves Shelf as a processor.

Groq (optional cloud AI fallback)

If Nano is unavailable on your machine (older Chrome versions, ChromeOS Flex, low-RAM Linux), you can optionally configure a Groq API key. When enabled, Shelf sends the item’s title, URL, hostname, and excerpt to api.groq.com for tag and summary inference, using your own Groq key. Groq is US-based — their data retention policy applies and your prompts are processed in the US.

YouTube

When you save a YouTube page and request a transcript, Shelf reads the transcript panel directly from the YouTube tab you have open — same as the page does. No third-party transcript service is contacted.

Ko-fi

The “Tip the maker” link points to ko-fi.com/riccalmo. Clicking it opens Ko-fi in a new tab, where Ko-fi’s privacy policy applies. Shelf does not transmit any data to Ko-fi.

Browser permissions and why

  • storage — to keep your library in chrome.storage.local.
  • activeTab — to capture the page you’re viewing when you press the save shortcut or use the right-click menu.
  • scripting — to read the page metadata (title, excerpt, etc.) when you save.
  • contextMenus — to add the “Save to Shelf” right-click option.
  • alarms — to schedule the Daily Pick notification and the weekly license re-validation.
  • notifications — to show the Daily Pick.
  • host_permissions for api.notion.com — to send your saved items to Notion when you’ve configured that destination (see Notion above).
  • host_permissions for www.youtube.com — to read the transcript panel when you save a YouTube page and request a transcript (see YouTube above).
  • host_permissions for www.shelf-extension.com — to validate your Pro license against our endpoint after activation and on the weekly refresh (see Stripe (payments + license issuance) above). Not contacted for free users.
  • host_permissions for api.groq.com — only contacted when you have opted into the Groq cloud AI fallback with your own API key (see Groq (optional cloud AI fallback) above). Not used otherwise.

Data retention

We do not operate a database of users. The data that exists about you, by source:

  • On your device (chrome.storage.local): persists until you uninstall the extension, clear extension storage, or manually delete entries. Uninstalling Shelf in Chrome wipes everything.
  • Stripe: customer records, payment history and subscription state are retained by Stripe under their merchant retention policy (typically 7 years for fiscal/AML compliance, per EU regulation).
  • Resend: email delivery metadata (subject, recipient, timestamp, delivery status) retained per Resend’s policy, typically 30-90 days for the message body and longer for aggregate logs.
  • Cloudflare: inbound email-routing envelope metadata (sender, recipient alias, timestamp) retained per Cloudflare’s Email Routing terms. The message body is not retained beyond the forward.
  • Our servers: none of our own. The Vercel serverless functions that issue and validate licenses are stateless — request/response data is not persisted beyond standard infrastructure logs (which roll over within 30 days). The only state-of-record we maintain about Pro users sits inside Stripe customer metadata (seat list + optional founder display preferences) as described under License seat tracking above.

If you want anything purged earlier, see Your rights below.

Your rights (GDPR — for EU/UK residents)

Under the GDPR (Regulation (EU) 2016/679) and the equivalent UK Data Protection Act 2018, you have the following rights regarding your personal data:

  • Right of access (Art. 15) — you may request a copy of the personal data we hold about you.
  • Right to rectification (Art. 16) — you may ask us to correct inaccurate data (e.g., a wrong email tied to a license).
  • Right to erasure / right to be forgotten (Art. 17) — you may request deletion of your data. Note: data held by Stripe for fiscal compliance cannot be deleted before the legal retention period expires (typically 7 years).
  • Right to restriction of processing (Art. 18) — you may ask us to pause processing while a dispute is resolved.
  • Right to data portability (Art. 20) — you may receive a machine-readable export of the data we hold about you. (For your saved library: use the built-in Library Backup feature to export everything yourself.)
  • Right to object (Art. 21) — you may object to processing for any specific purpose.
  • Right not to be subject to automated decision-making (Art. 22) — Shelf does not make automated decisions that affect you legally; this right is informational here.
  • Right to lodge a complaint with your local supervisory authority. In Italy this is the Garante per la Protezione dei Dati Personali (www.garanteprivacy.it).

To exercise any of these rights, email support@shelf-extension.com. We respond within 30 days (typically within 5 working days). No account is required to contact us.

Children

Shelf is not directed at children under 13. We do not knowingly collect any data from any user — children included.

International transfers

Stripe is incorporated in Ireland (EU) for its European business; the company also has US infrastructure for some operations. Stripe relies on Standard Contractual Clauses for EU→US data transfers. Resend is EU-based and hosts your delivery metadata in the EU when you choose the EU region (we do). Groq is US-based; if you opt into Groq fallback, your prompts are processed in the US under their Privacy Policy.

Data Controller

For the purposes of this policy, the Data Controller of your personal data is the maker of Shelf, an Italian sole proprietor (P.IVA detailed in the footer of every page). You can reach the controller directly at support@shelf-extension.com.

Under GDPR Article 37, the maker is not required to designate a Data Protection Officer (small-scale processing, no special-category data, no large-scale monitoring). The maker fulfils the data-controller duties directly via the contact above.

Changes

If this policy changes, the date at the top of the page updates. Material changes that affect your rights will also be announced by email to active Pro subscribers (via Stripe). If it matters to you, periodically check this page.