Bookmarkjar ® logoBookmarkjar ®

Privacy Policy

Last updated: January 2025

Data Controller Information

Bookmarkjar
Tax ID (NIF): 514845678
Registered Address: Rua do Comércio, 100, 1200-080 Lisbon, Portugal
Email: [email protected]
Legal Contact: [email protected]

1. Introduction

Welcome to Bookmarkjar's Privacy Policy. We respect your privacy and are committed to protecting your personal data in accordance with the General Data Protection Regulation (GDPR) and Portuguese data protection laws.

This Privacy Policy explains:

  • What personal data we collect and why
  • How we use, process, and store your data
  • Your rights regarding your personal data
  • How to contact us about privacy concerns

Important: You must be at least 18 years of age to use our Service. We do not knowingly collect or process personal data from individuals under 18.

2. Legal Basis for Processing

Under GDPR Article 6, we process your personal data based on the following legal grounds:

  • Contract Performance (Article 6(1)(b)): To provide our bookmark management services
  • Legitimate Interest (Article 6(1)(f)): To improve our Service, prevent fraud, and ensure security
  • Consent (Article 6(1)(a)): For optional features like marketing communications
  • Legal Obligation (Article 6(1)(c)): To comply with legal requirements (tax, accounting, law enforcement)

You have the right to withdraw consent at any time where we rely on consent as the legal basis.

3. Information We Collect

3.1 Account and Profile Data

We collect when you create an account:

  • Email address (required for account creation and communication)
  • Name and profile information (optional, if provided)
  • Password (stored as encrypted hash, never in plain text)
  • Profile picture (if uploaded or synced from OAuth providers)
  • Account preferences and settings

Legal Basis: Contract performance, consent

3.2 Authentication Data from Third-Party Services

When you connect social authentication (OAuth):

  • Google: Email, name, profile picture
  • Discord: Username, email, profile picture
  • Twitter/X: Username, profile picture, email (if available)
  • GitHub: Username, email, profile picture
  • Reddit: Username

We only access data you explicitly authorize during the OAuth flow.

Legal Basis: Consent, contract performance

3.3 Bookmark Data

We collect and store:

  • URLs and titles of bookmarks you save
  • Metadata: Description, author, publication date, site name
  • Content: Full text content of bookmarked pages (for search and AI processing)
  • Images: Screenshots, thumbnails, and media from bookmarked content
  • Tags and categories you create
  • Notes and annotations you add
  • Sync data from integrated services (Twitter likes, GitHub stars, Reddit saves)
  • Organization: Folders, collections, sharing settings

Legal Basis: Contract performance, legitimate interest

3.4 Integration Data

When you connect third-party integrations:

  • Access tokens and refresh tokens (encrypted)
  • Integration metadata: Username, account ID, last sync timestamp
  • Synced content: Bookmarks from Twitter, GitHub, Reddit, Instagram, YouTube
  • OAuth session data: State, code verifier, expiration

Legal Basis: Consent, contract performance

3.5 Usage and Analytics Data

We automatically collect:

  • Browser information: Type, version, user agent
  • Device information: Operating system, device type, screen resolution
  • IP address: For security, fraud prevention, and geolocation (country-level)
  • Pages visited: URLs accessed within our Service
  • Time and date of access
  • Referral source: How you arrived at our Service
  • Feature usage: Which features you use and how often
  • Session data: Duration, actions performed
  • Error logs: Technical errors and debugging information

Legal Basis: Legitimate interest (service improvement, security, fraud prevention)

3.6 AI Processing Data

For AI-powered features, we process:

  • Bookmark content: Sent to OpenAI/Google AI for summarization and tagging
  • Search queries: Processed for semantic search
  • Chat messages: Sent to AI providers for conversational features
  • Token usage: Amount of AI processing consumed

Note: AI providers (OpenAI, Google) may temporarily process your data according to their own privacy policies. We use business-tier services with data processing agreements where available.

Legal Basis: Contract performance, legitimate interest

3.7 Payment and Subscription Data

We collect (via Stripe):

  • Billing information: Name, email, country
  • Payment method details: Handled entirely by Stripe (we never see full card numbers)
  • Transaction history: Subscription status, invoices, payment dates
  • Tax information: VAT numbers (if provided)

Stripe is our payment processor and handles sensitive payment data. We receive only transaction confirmations and subscription status.

Legal Basis: Contract performance, legal obligation

3.8 Communications Data

When you contact us:

  • Email correspondence: Support requests, inquiries
  • Feedback and surveys: If you choose to participate
  • Marketing preferences: Newsletter subscriptions (opt-in only)

Legal Basis: Consent, contract performance, legitimate interest

4. How We Use Your Information

We use your personal data to:

4.1 Provide Core Services

  • Create and manage your account
  • Store and organize your bookmarks
  • Sync bookmarks from integrated platforms
  • Enable search (keyword and semantic)
  • Process AI features (tagging, summarization, chat)
  • Deliver real-time notifications
  • Provide browser extension functionality
  • Offer API access (Pro users)

4.2 Improve and Develop the Service

  • Analyze usage patterns to improve features
  • Identify and fix bugs and technical issues
  • Conduct A/B testing and experimentation
  • Develop new features and functionality
  • Optimize performance and user experience

4.3 Communicate with You

  • Send service-related notifications (account, security, updates)
  • Respond to support requests and inquiries
  • Send subscription and billing information
  • Notify of Terms or Privacy Policy changes
  • Send marketing communications (only if you opt in)

4.4 Security and Fraud Prevention

  • Detect and prevent fraud, abuse, and security threats
  • Verify account ownership
  • Enforce our Terms of Service
  • Protect against unauthorized access
  • Maintain system integrity

4.5 Legal Compliance

  • Comply with legal obligations (tax, accounting)
  • Respond to lawful requests from authorities
  • Protect our legal rights and interests
  • Enforce contracts and policies

5. Data Sharing and Third-Party Services

We do not sell your personal data. We share data only as described below:

5.1 Third-Party Service Providers

We use the following services to operate:

AI Processing:

  • OpenAI (United States) - AI summarization, tagging, chat
  • Google AI (United States) - AI features and processing
  • Privacy Policies: OpenAI, Google

Payment Processing:

  • Stripe, Inc. (United States) - Payment processing, subscription management
  • Privacy Policy: Stripe Privacy

Search and Indexing:

  • Meilisearch (Self-hosted or managed) - Search functionality
  • Privacy Policy: Meilisearch

Storage:

  • Amazon S3/Cloudflare R2 (United States/Global) - Media and file storage
  • Privacy Policies: AWS, Cloudflare

Background Jobs:

  • BullMQ (United States) - Background jobs and scheduled tasks
  • Privacy Policy: BullMQ Privacy

Real-time Services:

  • Pusher (United States/EU) - Real-time notifications and updates
  • Privacy Policy: Pusher Privacy

Monitoring and Error Tracking:

  • Sentry/GlitchTip - Error monitoring and debugging
  • Privacy Policy: Varies by provider

Social Platform APIs:

  • Twitter/X, GitHub, Reddit, Instagram, YouTube - OAuth authentication and bookmark syncing
  • Data accessed only with your explicit permission
  • Privacy Policies: Respective platform policies apply

5.2 Data Processing Agreements

For services that process personal data on our behalf, we have data processing agreements (DPAs) in place where required by GDPR Article 28, ensuring appropriate safeguards.

5.3 Cross-Border Data Transfers

Some of our service providers are located in the United States and other countries outside the European Economic Area (EEA). We ensure adequate safeguards for cross-border transfers through:

  • EU-US Data Privacy Framework (where applicable)
  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Data Processing Agreements with GDPR-compliant terms

Under GDPR Article 46, these mechanisms ensure your data receives adequate protection when transferred outside the EEA.

5.4 Legal Disclosures

We may disclose personal data when:

  • Required by law, regulation, or legal process
  • Requested by law enforcement or government authorities
  • Necessary to protect our rights, property, or safety
  • Necessary to protect users' rights, property, or safety
  • In connection with corporate transactions (merger, acquisition, asset sale)

5.5 Public Information

Bookmarks you explicitly mark as "public" or share publicly may be visible to other users or third parties. You control the privacy settings of your content.

6. Data Retention

6.1 Active Accounts

We retain your personal data while your account is active and for as long as necessary to provide services.

6.2 Retention Periods

  • Account data: Retained while account is active
  • Bookmarks: Retained while account is active or until you delete them
  • Deleted bookmarks: Removed immediately or within 24 hours
  • Integration tokens: Retained while integration is active
  • Usage analytics: Aggregated and retained for up to 2 years
  • Backup copies: Retained for up to 90 days for disaster recovery
  • Legal/financial records: Retained as required by law (typically 7-10 years for tax purposes)

6.3 Account Deletion

When you delete your account:

  • Personal data is deleted within 30 days
  • You have 30 days to export your data before permanent deletion
  • Backups may retain data for up to 90 days before complete removal
  • Legal/financial records retained as required by law

6.4 Inactive Accounts

Accounts inactive for 3 years or more may be deleted after notice to your registered email address.

7. Data Security

7.1 Security Measures

We implement appropriate technical and organizational measures to protect your data:

  • Encryption in transit: TLS/SSL for all data transmission
  • Encryption at rest: Database and file storage encryption
  • Access controls: Role-based access, principle of least privilege
  • Authentication: Strong password requirements, OAuth support, optional 2FA
  • Monitoring: Security monitoring, intrusion detection, logging
  • Regular updates: Security patches and software updates
  • Secure development: Code reviews, security testing
  • Data minimization: We collect only necessary data
  • Pseudonymization: Where appropriate for analytics

7.2 Data Breach Notification

In the event of a data breach that poses a risk to your rights and freedoms:

  • We will notify the Portuguese Data Protection Authority (CNPD) within 72 hours
  • We will notify affected users without undue delay
  • Notifications will include nature of breach, potential consequences, and mitigation measures

7.3 Your Responsibilities

You are responsible for:

  • Keeping your password secure
  • Not sharing account credentials
  • Using strong, unique passwords
  • Maintaining security of your devices
  • Regularly reviewing account activity

Note: While we implement robust security measures, no method of transmission or storage is 100% secure. You use the Service at your own risk.

8. Cookies and Tracking Technologies

8.1 What We Use

We use cookies and similar technologies:

Essential Cookies (Required for service operation):

  • Session cookies: Maintain login state
  • Authentication tokens: Verify identity
  • Security cookies: Prevent CSRF attacks, detect fraud

Functional Cookies (Enhance functionality):

  • Preferences: Remember settings, language, theme
  • Feature flags: Enable/disable features for testing

Analytics Cookies (Help us improve):

  • Usage analytics: Track feature usage, page views
  • Error tracking: Identify and debug issues

Third-Party Cookies:

  • Stripe: Payment processing
  • OAuth providers: Social authentication
  • Analytics tools: Service improvement

8.2 Cookie Management

You can control cookies through:

  • Browser settings: Most browsers allow you to refuse cookies
  • Opt-out tools: Some third-party cookies can be disabled
  • Our settings: Manage non-essential cookies in account preferences

Note: Disabling essential cookies will prevent you from using the Service.

8.3 Do Not Track

We honor Do Not Track (DNT) browser signals where technically feasible.

9. Your Data Protection Rights

Under GDPR and Portuguese data protection law, you have the following rights:

9.1 Right of Access (Article 15)

You can request:

  • Confirmation of what personal data we process
  • Access to your personal data
  • Information about processing purposes, categories, recipients

How to exercise: Email [email protected] or use account export feature

9.2 Right to Rectification (Article 16)

You can request correction of inaccurate or incomplete data.

How to exercise: Update in account settings or email [email protected]

9.3 Right to Erasure / "Right to be Forgotten" (Article 17)

You can request deletion of your personal data when:

  • Data no longer necessary for original purpose
  • You withdraw consent (where consent was the legal basis)
  • You object to processing (and no overriding legitimate grounds exist)
  • Data processed unlawfully
  • Required by legal obligation

How to exercise: Delete account in settings or email [email protected]

Exceptions: We may retain data if required by legal obligation or to establish/defend legal claims.

9.4 Right to Restriction of Processing (Article 18)

You can request we limit processing when:

  • You contest the accuracy of data (during verification)
  • Processing is unlawful but you prefer restriction to deletion
  • We no longer need data but you need it for legal claims
  • You object to processing (pending verification of legitimate grounds)

How to exercise: Email [email protected]

9.5 Right to Data Portability (Article 20)

You can request your data in a structured, commonly used, machine-readable format (JSON, CSV) and have it transmitted to another controller.

How to exercise: Use account export feature or email [email protected]

9.6 Right to Object (Article 21)

You can object to processing based on legitimate interests or for direct marketing purposes.

How to exercise: Email [email protected] or unsubscribe from marketing emails

9.7 Rights Related to Automated Decision-Making (Article 22)

We do not use automated decision-making or profiling that produces legal or similarly significant effects. AI features are assistive tools, not automated decisions.

9.8 Right to Withdraw Consent

Where processing is based on consent, you can withdraw consent at any time.

How to exercise: Disconnect integrations in settings, unsubscribe from emails, or email [email protected]

9.9 Right to Lodge a Complaint

You have the right to lodge a complaint with the Portuguese Data Protection Authority (CNPD):

Comissão Nacional de Proteção de Dados (CNPD)
Av. D. Carlos I, 134, 1º
1200-651 Lisboa, Portugal
Phone: +351 213 928 400
Email: [email protected]
Website: www.cnpd.pt

9.10 Response Time

We will respond to rights requests within 30 days (may be extended by 2 additional months for complex requests).

9.11 Verification

We may request additional information to verify your identity before fulfilling rights requests.

10. AI and Automated Processing

10.1 AI Features

We use third-party AI services (OpenAI, Google AI) to provide:

  • Automatic tagging: Suggest tags based on bookmark content
  • Summarization: Generate brief summaries of articles
  • Semantic search: Understand meaning of search queries
  • Chat assistant: Answer questions about your bookmarks

10.2 How AI Processes Your Data

  • Your bookmark content is sent to AI providers via API
  • Processing occurs in real-time, typically not stored by providers (business tier)
  • AI-generated outputs (tags, summaries) are stored in our database
  • You can delete AI-generated content at any time

10.3 AI Accuracy Disclaimer

AI-generated content may be:

  • Inaccurate, incomplete, or misleading
  • Biased based on training data
  • Inappropriate or unexpected

You should verify important information independently. AI features are assistive tools, not authoritative sources.

10.4 Opt-Out

You can disable AI features in account settings. This will:

  • Prevent new AI processing
  • Retain previously generated AI content (unless you delete it)
  • Not affect manual tagging or organization

11. Children's Privacy

Our Service is not intended for individuals under 18 years of age. We do not knowingly collect personal data from anyone under 18.

If we become aware that we have collected data from someone under 18:

  • We will delete the account and associated data
  • We will take steps to prevent future access

If you believe we have collected data from someone under 18, please contact [email protected] immediately.

12. International Data Transfers

Bookmarkjar is based in Portugal (EU), but we use service providers in the United States and other countries.

When transferring data outside the EEA, we ensure:

  • Adequacy decisions: Transfers to countries deemed adequate by EU Commission
  • Standard Contractual Clauses: For transfers to countries without adequacy decisions
  • Data Processing Agreements: GDPR-compliant terms with processors
  • Additional safeguards: Technical measures (encryption, access controls)

You have the right to request information about safeguards in place for your data transfers.

13. Changes to This Privacy Policy

13.1 Notification of Changes

We may update this Privacy Policy from time to time. When we make changes:

For Material Changes:

  • We will notify you via email at least 30 days in advance
  • We will update the "Last updated" date
  • We will provide a summary of changes

For Minor Changes:

  • We will update the "Last updated" date
  • Continued use constitutes acceptance

13.2 Review

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data.

14. Business Transfers

If Bookmarkjar is involved in a merger, acquisition, asset sale, or bankruptcy:

  • Your personal data may be transferred to the successor entity
  • You will be notified via email and prominent notice on our Service
  • The new entity will be bound by this Privacy Policy (or you'll be notified of changes)
  • You have the right to delete your account before the transfer

15. Data Protection Officer

For privacy-related questions or concerns, contact:

Email: [email protected]
Legal Contact: [email protected]
Postal Address:
Bookmarkjar
Rua do Comércio, 100
1200-080 Lisbon, Portugal

16. Additional Information for EEA/EU Users

16.1 Legal Framework

This Privacy Policy complies with:

  • GDPR (EU Regulation 2016/679)
  • Portuguese Law 58/2019 (GDPR implementation)
  • ePrivacy Directive (2002/58/EC)

16.2 Data Controller

Bookmarkjar is the data controller for your personal data.

16.3 Data Protection Authority

The CNPD (Comissão Nacional de Proteção de Dados) is the supervisory authority for Portugal.

16.4 EU Representative

As we are established in the EU (Portugal), we do not require a separate EU representative.

17. Contact Us

For questions, concerns, or requests regarding this Privacy Policy or your personal data:

Privacy Inquiries: [email protected]
Legal Matters: [email protected]
Support: [email protected]
Data Subject Rights: [email protected]

Postal Address:
Bookmarkjar
Rua do Comércio, 100
1200-080 Lisbon, Portugal

Response Time: We aim to respond to all inquiries within 5 business days.

By using the Service, you acknowledge that you have read and understood this Privacy Policy.

© 2025 Bookmarkjar®. All rights reserved. Bookmarkjar and the Bookmarkjar logo are registered trademarks.