AppHealer

Privacy Policy

Privacy Policy — Stash

Effective date
2026-05-24
Last updated
2026-05-24

1.Who we are

Stash is published by Ankit Agrawal, contact ankit@apphealer.ai. The service is hosted at stash.apphealer.ai and is part of the AppHealer family of small tools.

If you have a privacy concern, question, or data-subject request, you can reach us at the email above. We aim to respond within 30 days.

2.What Stash does

Stash keeps a private library of links that you choose to save. You sign in with your Google account, click the Save button on any page (or on a specific tweet via the Stash browser extension), and Stash records the URL and a preview of the page. Your library is private to your account.

3.What data we collect

3.1 Account identity (from Google sign-in)

When you sign in with Google, we receive a small set of standard profile fields from Google’s ID token:

  • Your Google account’s stable user ID (the JWT “sub” claim).
  • Your email address.
  • Your display name.
  • Your profile picture URL.
  • Your account’s locale (if Google sends it).
  • Email-verified flag.

We do not request any further Google scopes — no Drive, no Calendar, no Gmail, no contacts. We never receive your Google password.

We store this so we can show your name and avatar in the app, so we know whose library is whose, and so that two people who save the same link each have their own private copy of it. Stash’s use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

3.2 Links you save

Each time you save a page, we store:

  • The URL you saved.
  • The timestamp of when you saved it.
  • A snapshot of the page’s public metadata at save time — title, description, og:image URL, og:video URL, hostname. Standard meta tags that any browser sees when visiting the page.
  • For posts on X / Twitter, we additionally pull the public tweet text and the URLs of the tweet’s media via the public Twitter syndication endpoint (the same endpoint embedded tweets use). We do not log in to X on your behalf.
  • A copy of the saved page’s preview image and video files, fetched once and stored in our own object storage so that the link card in your library keeps working even if the original host goes down. See section 4.

We do not save the body of the page, the rest of the article, the comments, or anything you did not explicitly choose to save.

3.3 What we do NOT collect

  • No analytics SDKs, no ad SDKs, no telemetry.
  • No tracking of which links you click on, hover over, or read from your library.
  • No browsing history — we only see URLs you explicitly save.
  • No IP-based location lookup. Our backend logs include source IPs for the standard period needed to investigate abuse and outages (≤ 30 days), and are not joined to your account or shared.

4.Where the data lives

Stash runs on the following infrastructure. Each provider is listed alongside the data it touches.

  • Google Cloud Run (Singapore, asia-southeast1) — runs the Stash backend. Handles your requests, scrapes page metadata, talks to the database and storage below.
  • Neon (managed PostgreSQL, Singapore, ap-southeast-1) — stores your user row and the URLs you have saved.
  • Cloudflare R2 — object storage for cached preview images and videos. Each file is stored under an opaque content hash; the bucket is publicly readable per object so the images can be served fast worldwide.
  • Vercel — hosts the web frontend. The frontend sends authenticated HTTPS calls to our backend; Vercel never receives your account data.

All traffic between your browser, the frontend, the backend, and the database is encrypted in transit with TLS. Database credentials and storage keys are held in Google Cloud Secret Manager and are not committed to source code or shared with third parties.

5.Who we share data with

We do not sell your data, ever. We do not share your data for advertising, marketing, profiling, or model training.

We share data with the infrastructure providers listed in section 4 — strictly to operate the service. Each acts as a processor under our instructions:

  • Google Cloud (compute, secret storage)
  • Neon (database)
  • Cloudflare (object storage + CDN)
  • Vercel (frontend hosting)
  • Google (identity provider — when you sign in, your browser talks to Google directly; we receive only the signed ID token Google issues to us)

We will disclose data if compelled by valid legal process. We will tell you if that ever happens, unless we are legally barred from doing so.

6.How long we keep your data

Your account and saved links are kept for as long as your account exists. You can delete individual links from your library at any time — this removes the user-link association immediately; the cached preview image / video and the underlying URL record may stay for a short window so that other users who have saved the same URL still see it.

To delete your entire account and all your saved links, email us at ankit@apphealer.ai from the address tied to your Google sign-in. We will action the deletion within 14 days and confirm by email.

7.Mobile apps (iOS and Android)

Native iOS and Android apps are in development. When they launch, they will use the same backend and the same data model described above — no additional collection. Mobile-specific permissions (camera, photos, contacts, microphone, location) are not required and will not be requested. This policy will be updated to reflect the launch when it happens.

8.Children

Stash is not directed at children under 13. We do not knowingly collect data from anyone under 13. If you believe a child has signed in, email us and we will delete the account.

9.Cookies

We do not set tracking cookies. The web app uses localStorage to remember your signed-in session (your Google ID token plus a copy of the user record returned by our backend). Clearing site data signs you out.

10.Your rights

You can request a copy of all data we hold about you, ask us to correct it, or ask us to delete it, at any time. Email ankit@apphealer.ai. We do not condition these rights on providing any additional information beyond what is needed to verify the request comes from you.

11.Changes to this policy

If we change this policy, we will update the “Last updated” date at the top of the page and post the new version at https://stash.apphealer.ai/privacy and on apphealer.ai/privacy?tool=stash. Material changes will be announced via a notice inside the app the next time you sign in.

12.Contact

Questions, requests, or anything else — ankit@apphealer.ai.