Privacy Policy

Last updated: April 7, 2026

Burrowly ("we," "our," or "us") operates the Rabbit Hole platform (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

1. Information We Collect

Account Information: When you create an account, we collect your email address and basic profile information provided through your OAuth provider (Google, Apple, GitHub, or X/Twitter). We do not store your OAuth password.

Content You Create: Burrows, Collections, sources, notes, comments, direct messages, flashcards, and any files you upload to your Vault are stored in our database and file storage systems.

Usage Data: We collect anonymized analytics about feature usage, page views, and session duration to improve the Service. We do not use third-party advertising trackers.

API Keys (BYOK): If you choose to provide your own AI API keys (Google Gemini, OpenAI, Anthropic, or Grok), they are stored in your profile record. These keys are only used to make AI requests on your behalf and are never shared with other users or third parties.

2. How We Use Your Information

• To provide, maintain, and improve the Service
• To process AI-powered features (summarization, study plans, semantic search)
• To send you notifications related to your account activity (comments, follows, DMs)
• To enforce tier-based usage limits and prevent abuse
• To respond to support requests

3. Data Storage & Security

Your data is stored on Supabase (backed by AWS) with Row Level Security (RLS) policies that ensure only you can access your private content. Files uploaded to your Vault are stored in Supabase Storage with per-tier encryption and access policies.

All data in transit is encrypted via TLS. We do not sell, rent, or trade your personal information to third parties.

4. AI & Third-Party Processing

When you use AI features, your source content (text, URLs, or file references) may be sent to Google's Gemini API or your chosen BYOK provider for processing. These providers have their own privacy policies. We do not send content from private Burrows to any AI service unless you explicitly invoke an AI feature on that content.

5. Data Retention & Deletion

Your data is retained as long as your account is active. You can delete individual Burrows, sources, notes, or your entire account at any time. When you delete your account, all associated data is permanently removed within 30 days.

6. Cookies

We use essential cookies and local storage for authentication tokens and offline caching. We do not use marketing or tracking cookies.

7. Children's Privacy

The Service is not intended for children under 13. We do not knowingly collect personal information from children under 13. If you believe we have collected such information, please contact us and we will promptly delete it.

8. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy on this page and updating the "Last updated" date.

9. Contact Us

If you have questions about this Privacy Policy, please contact us at privacy@burrowly.app.