Privacy Policy

This Privacy Policy explains how Shovl (“Shovl”, “we”, “us”, “our”) handles personal data when you visit our website, create an account, or use Shovl’s services (the “Service”). It applies to personal data we process as a controller unless a separate agreement states otherwise.

• Shovl is operated by the team reachable at ma10016@nyu.edu. For privacy requests, use that address with “Privacy” in the subject line.
• By using the Service, you acknowledge this Policy. If you do not agree, do not use the Service.
• This Policy is designed to work alongside our Terms of Service and Cookie Policy.

We collect data in three broad buckets: account data, content you choose to save, and technical/usage data needed to run and secure the Service.

• Account and profile: name, email address, password or authentication tokens (handled by our auth provider), account identifiers, and billing contact details if you subscribe.
• Library content: text you paste, URLs you save, files you upload (e.g. PDFs, images, audio, video when supported), derived text (e.g. extracted or transcribed content), tags, titles, summaries, embeddings, chat messages you send, and related metadata (timestamps, file types, processing status).
• Technical data: IP address, device/browser type, approximate location from IP, log and error data, security signals, and diagnostic information from hosting and infrastructure.
• Communications: messages you send us (e.g. support email) and records needed to respond.
• We do not require you to provide special categories of data (e.g. health). If you upload such content, you do so voluntarily.

We use personal data only where we have a valid legal basis under applicable law (such as performance of a contract, legitimate interests, consent, or legal obligation).

• Provide the Service: authenticate you, store and process your captures, run enrichment (e.g. summaries, embeddings), hybrid search, and grounded chat scoped to your library.
• Security and abuse prevention: detect fraud, spam, and unauthorized access; enforce rate limits; investigate incidents.
• Billing and administration: process payments, manage subscriptions, send transactional notices, and maintain business records.
• Product improvement: understand aggregate usage patterns, fix bugs, and develop features (using aggregated or de-identified information where feasible).
• Legal compliance: respond to lawful requests and protect our rights and users.
• Marketing: we do not sell your library content or use it for third-party advertising. Any optional marketing communications will be clearly identified and, where required, based on consent.

Shovl uses third-party AI models to generate titles, summaries, tags, embeddings, chat replies, and related outputs. Those providers process prompts and content you submit as part of providing the Service.

• We configure processing to align with our product design (e.g. grounded chat over your saved material). AI output can be wrong, incomplete, or inappropriate—you should verify important information.
• Subprocessors that provide AI receive only what is needed to fulfill the request. Their terms and privacy notices also apply.
• We do not use your content to train third-party models unless a provider’s default terms require otherwise; where we can opt out of training use for API data, we aim to do so. Check subprocessors’ documentation for current settings.

We implement appropriate technical and organizational measures designed to protect personal data, including encryption in transit (TLS), access controls, and reliance on reputable infrastructure providers.

• No method of transmission or storage is 100% secure. You are responsible for maintaining the confidentiality of your credentials.
• If we become aware of a breach that affects your personal data and requires notification under applicable law, we will notify you and regulators as required.

We use service providers (“subprocessors”) to host, authenticate, store files, run databases, and process AI workloads. They may process personal data on our instructions.

• Typical categories: cloud hosting (e.g. Vercel), database and authentication/storage (e.g. Supabase), AI inference (e.g. OpenAI), and payment processors when billing is enabled.
• We do not sell your personal data. We do not share your library content with advertisers.
• We may disclose information if required by law, to enforce our terms, or to protect rights, safety, and security.
• A business transfer (e.g. merger or acquisition) may involve transferring personal data to a successor under safeguards consistent with this Policy.

We and our subprocessors may process data in the United States and other countries where we or they operate. Those countries may have different data protection laws than your own.

• Where required, we use appropriate safeguards (such as Standard Contractual Clauses or equivalent mechanisms) for transfers from the EEA, UK, or Switzerland. You may request more information about safeguards by contacting us.

We retain personal data for as long as your account is active and as needed to provide the Service, comply with law, resolve disputes, and enforce agreements.

• You may delete content in your library or close your account where the product supports it. Residual copies may persist in encrypted backups for a limited period.
• Aggregated or de-identified data may be retained without time limit.

Depending on where you live, you may have rights to access, correct, delete, restrict or object to certain processing, data portability, and to withdraw consent where processing is consent-based.

• To exercise rights, email ma10016@nyu.edu. We may need to verify your identity before fulfilling a request.
• You may lodge a complaint with a supervisory authority in your country of residence.
• California residents: we do not “sell” or “share” personal information as those terms are defined under the CCPA/CPRA for targeted advertising. You may still request disclosure or deletion as applicable.

Shovl is not directed to children under 13 (or the minimum age required in your jurisdiction). We do not knowingly collect personal data from children. If you believe we have, contact us and we will take appropriate steps to delete it.

We may update this Policy from time to time. We will post the revised version on this page and update the “Last updated” date. If changes are material, we will provide additional notice as appropriate (e.g. email or in-product notice).