Privacy Policy
Last updated: 17 March 2026
1. Who we are
Alejandría ("we", "us", "our") is a personal knowledge library application available at readalejandria.com. We are currently operating as an independent project in public beta.
For any privacy-related questions, contact us at: privacy@alejandria.app
2. What data we collect
We collect only what is strictly necessary to provide the service:
- Account data: email address and, if you sign in with Google, your Google profile name and avatar URL.
- Content you save: URLs, article text extracted from those URLs, highlights, notes, tags, and folders you create.
- Usage data: timestamps of when items are saved or read (no behavioural tracking, no analytics platform).
- AI key (optional): if you choose to bring your own OpenAI API key, it is stored encrypted in Supabase Vault and never logged or transmitted to us.
We do not collect:
- Browser fingerprints, device identifiers, or IP address logs
- Advertising identifiers or cross-site tracking data
- Any data from third-party marketing or analytics SDKs
3. How we use your data
Your data is used exclusively to:
- Authenticate you and manage your account
- Store and display the content you save
- Generate vector embeddings for semantic search (processed via your own OpenAI key)
- Export your library to Markdown on request
We do not use your data to train AI models, show you advertisements, or share it with third parties for any purpose.
4. Legal basis for processing (GDPR)
If you are in the European Economic Area (EEA), we process your data under the following legal bases:
- Contract performance (Art. 6(1)(b) GDPR): processing necessary to provide the service you signed up for.
- Legitimate interest (Art. 6(1)(f) GDPR): security monitoring and abuse prevention.
- Consent (Art. 6(1)(a) GDPR): for any optional features that process additional data (e.g. AI key storage).
5. Data storage and security
Your data is stored in Supabase (PostgreSQL), hosted on AWS in the EU region (eu-central-1, Frankfurt). Supabase is SOC 2 Type II certified.
All data is encrypted in transit (TLS 1.2+) and at rest. Row-Level Security (RLS) policies ensure that your data is only accessible to your account.
6. Data retention
We retain your data for as long as your account is active. If you delete your account, all associated data is permanently deleted within 30 days.
Items you move to Trash are soft-deleted and permanently removed after 7 days unless you restore them.
7. Your rights (GDPR)
If you are in the EEA, you have the right to:
- Access — request a copy of all data we hold about you
- Rectification — correct inaccurate data
- Erasure — request deletion of your account and all data
- Portability — export your library to Markdown at any time, for free, from within the app
- Restriction — request we limit processing of your data
- Objection — object to processing based on legitimate interest
To exercise any of these rights, email us at privacy@alejandria.app. We will respond within 30 days.
8. Third-party services
We use the following sub-processors:
- Supabase (database, authentication, storage) — Privacy Policy
- Vercel (hosting) — Privacy Policy
- OpenAI (only if you provide your own API key; we do not have an OpenAI relationship on your behalf) — Privacy Policy
9. Cookies
We use a single session cookie to keep you authenticated. We do not use advertising cookies, tracking pixels, or any third-party cookies. No cookie consent banner is required because we only use strictly necessary cookies.
10. Children's privacy
Alejandría is not directed at children under 16. We do not knowingly collect personal data from anyone under 16 years of age.
11. Changes to this policy
If we make material changes to this policy, we will notify you by email and update the "Last updated" date above. Continued use of the service after notification constitutes acceptance of the updated policy.