Privacy Policy

Curio (“we”, “our”, or “the app”) is a personal collection app. This policy explains what data we collect, why we collect it, and how we use it. We keep things simple: your collections are yours, and we do not sell your data.

We collect only what is necessary to provide the service.

• Account information. If you create an account, we store your email address and a securely hashed password (or the OAuth token from Sign in with Apple / Google). We do not store your password in plain text.
• Your collections and items. The URLs, titles, notes, and metadata you save are stored on our servers so they sync across your devices. This is the core function of the app.
• Usage data. We collect anonymised, aggregated usage statistics (feature counts, crash reports) to improve the app. These are not linked to your identity.
• Shared collection links. When you share a collection, we generate a unique public URL. Anyone with that link can view the collection. We log basic access data (request count, approximate region) for rate-limiting and abuse prevention — not individual viewer identities.

• We do not build advertising profiles.
• We do not sell or rent your data to third parties.
• We do not read the content of pages you save for any purpose other than displaying them to you.
• We do not use third-party analytics SDKs that track you across other apps or websites.

• To provide the service. Sync your collections across devices, serve shared collection pages, and send transactional emails (password reset, etc.).
• To improve the app. Anonymised crash reports and feature-usage counts help us prioritise fixes and features.
• To prevent abuse. Rate limiting and spam detection on shared links.

We have no other use for your data.

Your data is stored on servers in the European Union. We use industry-standard encryption in transit (TLS) and at rest. Account passwords are hashed with bcrypt before storage.

No system is perfectly secure. If we become aware of a breach that affects your data, we will notify you by email within 72 hours.

We do not share your personal data with third parties except in these limited circumstances:

• Hosting infrastructure. Our servers run on a cloud provider that processes data on our behalf under a data processing agreement.
• Legal requirements. If required by law or a valid court order, we may disclose information. We will notify you in advance where legally permitted.
• Shared links. Content you choose to share via a collection link is intentionally made public. You control this; you can revoke a shared link at any time from within the app.

We retain your data for as long as your account is active. If you delete your account, all your collections, items, and personal data are permanently deleted within 30 days. Aggregated, anonymised statistics are not deleted as they contain no personal information.

Depending on your jurisdiction, you may have the right to access, correct, export, or delete your personal data. To exercise any of these rights, contact us at privacy@curioapp.app. We will respond within 30 days.

You can export all your data at any time from Settings → Export data inside the app.

Curio is not directed at children under 13 (or 16 in the EU). We do not knowingly collect data from children. If you believe a child has provided us with personal information, contact us and we will delete it promptly.

We may update this policy occasionally. When we make material changes, we will update the effective date above and notify registered users by email at least 14 days before the change takes effect. Continued use of the app after that date constitutes acceptance.

Questions or concerns about this policy? Email us at privacy@curioapp.app.