Skip to main content
Privacy Policy

Your data belongs to you

We collect only what is necessary and we never sell your data.

Last updated: March 8, 2026

1. Information We Collect

We collect only what is necessary to provide the service.

  • Account information: Name, email address, and profile picture from your Google account when you sign in
  • Documents: PDFs you upload, web pages you clip, and YouTube transcripts you save
  • Highlights and annotations: Text selections, color assignments, notes, and comments you create
  • Usage data: Basic device information (browser type, IP address) collected automatically
  • Chrome Extension: URLs and page content of web pages you explicitly choose to save. We do not track your browsing history.

2. How We Use Your Information

  • To store and sync your documents, highlights, and annotations across devices
  • To provide search functionality across your library
  • To generate knowledge graphs and structured exports from your highlights
  • To enforce account quotas and feature access based on your plan
  • To send essential service communications (account access, security alerts)

3. Data Storage and Security

  • All data is stored on Supabase infrastructure (PostgreSQL database and object storage) with encryption at rest
  • All data in transit is encrypted using HTTPS/TLS
  • Authentication is handled via Supabase Auth with Row Level Security (RLS) ensuring users can only access their own data
  • PDF files are stored in isolated per-user storage folders
  • We do not sell, rent, or share your personal data with third parties
  • API keys for MCP server access are stored as SHA-256 hashes, never in plain text

4. Chrome Extension

  • The extension only captures page content when you explicitly click "Save" or use the keyboard shortcut
  • It does not run in the background, track browsing activity, or collect data from pages you do not save
  • Authentication tokens are stored in the browser's session storage and cleared on sign out
  • The extension communicates only with the Highlyt backend API and Supabase authentication service

5. Your Rights

  • Delete any document, highlight, or annotation at any time from your library
  • Request a full export of your data by contacting us
  • Request complete deletion of your account and all associated data
  • Revoke Chrome extension permissions at any time by uninstalling it

6. Third-Party Services

  • Supabase: Database hosting, authentication, and file storage
  • Azure: Frontend and backend hosting
  • Google OAuth: Sign-in authentication

7. Changes to This Policy

We may update this policy as new features become available. Significant changes will be communicated via the app or email.

Contact

Questions about your privacy?

[email protected]