Privacy Policy

Moodshelf is operated by Fractiliti Private Limited, a company registered in Mumbai, Maharashtra, India. References to “we”, “us”, or “Moodshelf” in this policy mean Fractiliti Private Limited.

This policy covers both the Moodshelf web app at moodshelf.com and the Moodshelf browser extension. It explains what personal data we collect, how we use it, who we share it with, and the rights you have under the Digital Personal Data Protection Act, 2023 (“DPDP Act”) and applicable Indian law.

We only collect what we need to run the product:

• Account data. The email address you sign in with, plus any display name, username, or avatar you choose to add. We also store your authentication provider (email link or Google OAuth).
• Saves and shelves. The URL, title, page description, thumbnail, content type, and a scraped copy of the page text for anything you save. Any moods, notes, or shelf names you attach. Anything you import from other tools (Pocket, Readwise, Pinterest, etc.) when you run an import.
• Derived data. Vector embeddings of your saves, generated so search can match on feeling and meaning. These are stored alongside the save they came from.
• Social activity. Shelves you publish, accounts you follow, and public profile information you choose to share.
• Billing. If you upgrade to Moodshelf Plus, our payment processor (Polar.sh) handles your payment method directly. We receive a customer identifier, subscription status, plan, and renewal dates — not your card details.
• Technical data. Session cookies required to keep you signed in, API tokens (stored as SHA-256 hashes only), IP address and basic request logs retained for security and abuse prevention.
• Product analytics. When you use the web app, we record pageviews and product events (such as signing in or saving an item) so we can understand which features land and where flows break. Once you sign in, these events are linked to your Moodshelf user ID and email so we can support your account. The browser extension is excluded and sends no analytics events.
• Session replays. We record a video-like reconstruction of how you interact with the web app (clicks, scrolls, page transitions) so we can see where flows are confusing. The values you type into form fields are masked before leaving your browser, so passwords, one-time codes, and email addresses you type are never recorded. Replays are stored by PostHog and tied to your user ID once you sign in.

We do not sell your data. We do not run advertising trackers. We do not profile you for third-party ad networks.

The Moodshelf extension reads data from a web page only when you deliberately ask it to. There are three such moments:

• Single-page save. When you click the extension icon or use its keyboard shortcut on a page, the extension sends the URL and title of the active tab, page metadata (Open Graph description, primary image, author, publish date), content type (webpage, image, video, product, book, movie, music), and — for article-like pages — the extracted article text to Moodshelf.
• Bulk import from Kindle, X bookmarks, and Instagram saves. When you click Import for one of these platforms inside Moodshelf, the extension reads your library directly from your existing browser session on read.amazon.com (or the regional Amazon equivalent for your store, e.g. read.amazon.in), x.com, or instagram.com. The items themselves — titles, cover or post images, authors, captions, tweet text — are sent to Moodshelf. Your login credentials for these platforms never reach our servers.
• Keep in sync (optional, off by default). If you explicitly enable Keep in sync for a platform, the extension repeats the same import in the background roughly once a day so newly bookmarked items appear in Moodshelf without you needing to click Import again. You can turn it off at any time from the same dialog.

To make import calls to x.com and instagram.com work, the extension reads your existing session cookies (ct0 on x.com, csrftoken on instagram.com) at the moment of import, solely to construct the CSRF headers those platforms require for their own internal API. Cookie values are passed as request headers back to those same platforms; they never reach Moodshelf’s servers and are not stored.

Outside of these explicit user actions, the extension does not run on pages, does not track your browsing history, and does not send telemetry or analytics. It does not read form fields or passwords on any site.

The extension stores the following locally in your browser (in chrome.storage.local); none of it is transmitted except where noted:

• Your Moodshelf API token, which authenticates requests to Moodshelf’s API.
• A cached copy of your Moodshelf account info (display name, avatar, email) so the extension UI doesn’t refetch on every open.
• Your theme preference and last-save timestamp so the UI stays in sync with the web app.
• Per-platform Keep in sync flags so we remember which platforms you’ve opted into auto-sync for.
• For Kindle imports only: the regional Amazon store host that responded to your library (e.g. read.amazon.in if your account is with Amazon India), so we skip the region probe on subsequent imports.

• To run the product — save, organise, search, and sync.
• To generate moods, clusters, and embeddings so search works on feeling and meaning.
• To provide subscription billing and customer support.
• To detect and prevent abuse, fraud, and security incidents.
• To send occasional service emails (security alerts, billing receipts, policy changes). We will not send marketing email without your explicit opt-in.

The legal basis for this processing under the DPDP Act is your consent (given at signup) and the performance of our contract with you for the product you’ve signed up for.

We use the following trusted sub-processors to operate the service. Each has its own security and privacy commitments:

• Supabase (Supabase Inc., US) — database, authentication, and file storage.
• Vercel (Vercel Inc., US) — web hosting and CDN.
• Polar.sh (Polar Software Inc., US) — payment processing and subscription management.
• Google Gemini API (Google LLC, US) — text embedding and image understanding for search and moods. We send page text and thumbnail URLs; Google’s API does not use this data to train its models per the Gemini API terms.
• PostHog (PostHog Inc., US) — product analytics for the web app. PostHog does not sell data or use it for advertising.

Because these providers are based outside India, your data is transferred internationally. We rely on the providers’ contractual commitments and industry-standard security practices for these transfers, as permitted under the DPDP Act.

We will also disclose data when required to comply with Indian law, a valid legal process, or to protect the rights and safety of Moodshelf or its users.

We keep your account data for as long as your account is active. When you delete your account, we delete your saves, shelves, moods, tokens, and profile from our primary database within 30 days. Backups are retained for up to 90 days before being overwritten. Billing records are retained for the period required by Indian tax and accounting law (currently 7 years).

Your data is encrypted in transit using TLS and at rest by our database provider. API tokens are stored only as SHA-256 hashes — we cannot recover a lost token and can only revoke it. Access to production systems is limited to authorised personnel and protected by multi-factor authentication.

No system is perfectly secure. If we become aware of a breach that materially affects your data, we will notify you and the Data Protection Board of India as required under the DPDP Act.

Under the DPDP Act you have the right to:

• Access and correct the personal data we hold about you.
• Request deletion of your personal data (equivalent to deleting your account).
• Withdraw consent at any time, with prospective effect.
• Nominate another person to exercise these rights on your behalf in the event of your death or incapacity.
• Raise a grievance with our grievance officer.

To exercise any of these rights, email hello@moodshelf.com. We will respond within a reasonable time, and in any event within the period required by law.

Prakhar Shivam, Director, Fractiliti Private Limited. Email: hello@moodshelf.com. If your concern is not addressed to your satisfaction, you may escalate to the Data Protection Board of India.

Moodshelf is not intended for users under the age of 18. We do not knowingly collect personal data from children. If you believe a child has created an account, please contact us and we will delete it.

We may update this policy from time to time. The “last updated” date at the top reflects the most recent revision. If we make material changes we will notify you by email or in-product notice before they take effect.

Fractiliti Private Limited
Mumbai, Maharashtra, India
hello@moodshelf.com

See also our Terms & Conditions.