Privacy Policy
Last updated: February 28, 2026
Abunch ("we", "us", or "our") operates abunch.io. This Privacy Policy explains what information we collect, how we use it, and your rights regarding your personal data.
1. Information We Collect
1.1 Information You Provide
| Data | When Collected | Purpose |
|---|---|---|
| Email address | Account registration | Account identification, email notifications |
| Full name (optional) | Registration / profile | Display name |
| Password (hashed) | Email/password registration | Authentication |
| Interests/topics (optional) | Onboarding | Personalized collection recommendations |
| Links and categories you save | Normal service use | Core service functionality |
1.2 Information Collected Automatically
- IP address — Rate limiting, security, abuse prevention
- User agent — Debugging, compatibility
- Request logs (method, path, status, duration) — Service monitoring
1.3 Information from Third Parties
When you sign in with Google OAuth, we receive from Google: your Google account email address, display name, and profile photo URL (if available). We do not receive your Google password.
1.4 Payment Information
We do not collect or store your payment card information. All payment processing is handled by Paddle, our payment processor. For more information on how Paddle handles your data, see Paddle's Privacy Policy.
2. How We Use Your Information
- Providing the Abunch service (account management, saving links and categories)
- Authentication (verifying your identity on each request)
- Transactional email notifications (email verification, password reset, team invitations)
- Account security (detecting suspicious login activity via IP address)
- Service monitoring and debugging (aggregated request logs)
- Processing payments (email passed to Paddle, subscription status management)
We do not use your data for advertising, sell your data to third parties, or share it with third parties except as described in Section 4.
3. Email Communications
We send emails only for the following transactional purposes:
- Email address verification (on signup or email change)
- Password reset
- Team workspace invitations
- Subscription confirmation and plan change notifications
- Team membership changes (Business plan cancellation, member removal)
We do not send marketing or promotional emails.
4. Third-Party Services
We share your data with the following third parties only as necessary to provide the service:
| Service | Purpose | Data Shared |
|---|---|---|
| Paddle | Payment processing (Reseller of Record) | Email address, subscription details |
| Resend | Transactional email delivery | Email address, email content |
| Google Cloud Platform | Application hosting, database, logging | All service data (hosted on GCP infrastructure) |
| Cloudflare | CDN, DDoS protection, DNS | IP address, request metadata |
| Google OAuth | Social login (if used) | Google account email, name, photo URL |
We do not sell your personal data to any third party.
5. Data Storage and Security
Your data is stored on Google Cloud Platform servers in us-central1 (Iowa, USA). Security measures include:
- Passwords hashed with bcrypt (cost factor 12)
- All data in transit encrypted via HTTPS/TLS (enforced by Cloudflare)
- Database accessible only via Google Cloud SQL private IP
- API authentication uses short-lived JWT tokens (15-minute expiry) with rotation
- All secrets stored in Google Cloud Secret Manager
6. Data Retention
| Data | Retention Period |
|---|---|
| Active account data | Until account deletion |
| Soft-deleted accounts | 30 days after deletion request, then permanently deleted |
| Archived team workspaces | 30 days after Business cancellation, then permanently deleted |
| Request logs | 30 days (Google Cloud Logging default) |
| Payment records | As required by Paddle and applicable tax law |
7. Your Rights
You may have the following rights regarding your personal data:
- Access & Export — Download your data via Settings → Data → Export (JSON format)
- Correction — Update your profile via Settings → Profile
- Deletion — Delete your account via Settings → Account. Data is permanently deleted within 30 days.
- Other requests — Contact support@abunch.io
8. Children's Privacy
Abunch is not intended for children under 16 years of age. We do not knowingly collect personal data from children under 16. If you believe a child under 16 has created an account, please contact support@abunch.io and we will delete the account.
9. Cookies and Local Storage
See our Cookie Policy for details. In summary: we use browser localStorage (not cookies) to store authentication tokens. We do not use advertising cookies or tracking pixels. Third-party services (Paddle, Google OAuth) may set their own cookies during checkout/login.
10. International Data Transfers
Your data is stored and processed in the United States (Google Cloud Platform, us-central1). If you are accessing Abunch from outside the United States, your data is transferred to the US for processing. We rely on standard contractual clauses and the data processing agreements of our sub-processors to ensure adequate protection.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes via email or in-app notification. The "Last Updated" date at the top reflects the most recent revision.
12. Contact
For privacy-related questions or requests, or to exercise your rights, contact us using the details below. We aim to respond within 30 days.
- Email: support@abunch.io
- Website: abunch.io/about