Last updated · 2026-05-12

Privacy policy

Plain-English summary of what Nexmark stores, why, and what we do (and don't) do with it. We'll keep this page in sync with the product as it evolves.

What we collect

  • Account identity — the email and provider-id from Google, GitHub, or magic-link sign-in. No password is stored for Nexmark itself.
  • Your bookmarks — URL, title, folder path, and the metadata we fetch from the page (og:title, og:description, og:image, favicon, optional AI summary).
  • Visit activity — only the events you choose to send (e.g. click-throughs from inside Nexmark). The Chrome extension does not stream your browsing history.
  • Operational logs — short-lived request and error logs for keeping the service alive. No content is logged.

What we don't collect

  • Your general browsing history.
  • Form contents, cookies, or any per-page tracking signal.
  • Third-party analytics. We do not run Google Analytics, Segment, or similar inside the authenticated app.
  • Your password — sign-in is delegated to your provider.

Why we fetch pages

When you bookmark a URL, our worker fetches it once to extract standard metadata (og:title, og:description, og:image, favicon) and to generate an AI summary. We also re-check links periodically to flag the ones that have gone dead. Fetches carry a Nexmark user-agent and respect robots.txt where applicable. Each fetched page is at most ~1.5 MB and times out after 15 s.

Sharing & sale

We do not sell your data. We do not share your URL set with third parties. We may share aggregated, fully anonymized domain-level signal (e.g. "N users bookmarked this domain") inside Nexmark's discovery features — aggregated such that no individual user is identifiable.

Subprocessors we currently use: our hosting provider, our object store for screenshots, and the AI provider that generates page summaries (data sent to them is the page text we fetched, not your identity).

Your controls

  • Delete account — purges your bookmarks, tags, collections, and enrichment records. /settings.
  • Hide individual bookmarks from the cloud sync. The Hidden Collection is passcode-gated and excluded from search + discovery surfaces while locked.
  • Revoke the extension — invalidates the API token immediately. /settings/extensions.

Security

Data is encrypted in transit (TLS) and at rest. Extension API tokens are stored as bcrypt hashes. Cookies for the web session are httpOnly, sameSite=lax, and secure in production. If we ever discover a security incident affecting your data, we'll notify you.

Contact

Privacy questions or data-export requests: [email protected].