Privacy Policy
Effective date: April 15, 2026
Overview
Kurate ("we", "us", or "our") operates the Kurate web application at kurate.co.in and the Kurate browser extension for Google Chrome. This Privacy Policy explains what personal data we collect, why we collect it, how we use and store it, and what rights you have over your data.
We collect only what is necessary to provide the service. We do not sell, rent, or trade your personal information to any third party — ever.
By using Kurate you agree to the practices described in this policy. If you do not agree, please discontinue use and contact us to request deletion of your data.
Data We Collect
We collect data in three ways: data you provide directly, data generated automatically when you use the service, and data collected by the browser extension when you explicitly trigger a save.
Account & authentication
- Email address — used to create and identify your account. Collected when you sign up or log in via magic link.
- Authentication tokens — short-lived access tokens and refresh tokens issued by Supabase Auth to keep you signed in. Stored encrypted in your browser.
Content you save (vault items)
- Page URL — the web address of the page you saved.
- Page title & description — extracted from the page's metadata (og:title, og:description) at the time of saving.
- Preview image URL — the og:image of the saved page, stored as a reference URL (we do not copy or re-host images).
- Content type, author, read time — extracted automatically from page metadata where available.
- Remarks & tags — any notes or labels you add manually to a saved item.
Profile & preferences
- Username & display name — chosen during onboarding.
- Interests — topic preferences you select to personalise your discover feed.
Usage & analytics
- Page views & navigation events — collected by Vercel Analytics (privacy-friendly, no cookies, no fingerprinting, IP is not stored).
- Performance metrics — collected by Vercel Speed Insights. Aggregated only; no individual user profiles are built.
How We Use Your Data
We use the data we collect solely to:
- Create and manage your account
- Save, display, and organise content in your personal vault
- Power the AI-assisted discover feed based on your saved content and interests
- Authenticate requests from the browser extension to your account
- Send transactional emails (magic-link login, account changes) — no marketing emails without explicit opt-in
- Monitor service health, diagnose errors, and improve performance
Legal basis (GDPR): Processing is necessary for the performance of the contract between you and Kurate (Art. 6(1)(b) GDPR), or based on our legitimate interest in operating and improving the service (Art. 6(1)(f) GDPR). Where we rely on consent (e.g. optional marketing communications), you can withdraw it at any time.
Data Processors
We use the following third-party sub-processors to operate the service. Each is bound by a Data Processing Agreement and handles your data only under our instructions.
Supabase (database & authentication)
Supabase stores all vault items, user profiles, and authentication credentials. Data is hosted in their managed cloud infrastructure. Supabase is SOC 2 Type II certified and GDPR-compliant. Data is encrypted at rest and in transit. For details, see Supabase Privacy Policy.
Vercel (hosting & analytics)
Vercel hosts the Kurate web application. Vercel Analytics and Speed Insights are used for aggregate, cookie-free performance monitoring. No personal data is shared with Vercel beyond what is necessary to serve web requests. See Vercel Privacy Policy.
We do not use any advertising networks, data brokers, or social media tracking pixels.
Browser Extension — Specific Disclosures
The Kurate Chrome extension has the following Chrome-declared permissions. We disclose exactly why each is needed.
| Permission | Why it is needed |
|---|---|
| tabs | To read the URL and title of the currently active browser tab when you click "Save to Vault", and to open the Kurate login page in a new tab during authentication. |
| storage | To persist your authentication session locally in the browser so you stay signed in between browser restarts. Data is stored only in chrome.storage.local on your device and is never sent to any third party other than Supabase for token verification. |
| alarms | To schedule a background token refresh every 10 minutes so your session does not expire while the extension is open. |
What the extension does NOT do: It does not read page content, intercept network requests, inject scripts into web pages, monitor your browsing history, or collect any data beyond the URL and title of a page you explicitly choose to save.
Authentication tokens stored by the extension are scoped to chrome.storage.local — they are not synced across devices via Chrome Sync.
Data Retention
- Account data is retained for as long as your account is active. When you delete your account, all personal data including vault items, profile, and preferences is permanently deleted within 30 days.
- Authentication tokens stored by the extension are cleared immediately when you sign out or uninstall the extension.
- Analytics data from Vercel is aggregate and not linked to individual users; it is retained per Vercel's default retention schedule.
- Backups — data may persist in encrypted database backups for up to 30 days after deletion.
Your Rights
Depending on your location, you may have the following rights over your personal data. To exercise any of them, email noreply@kurate.co.in.
Access
Request a copy of all personal data we hold about you.
Rectification
Correct inaccurate or incomplete data.
Erasure
Delete your account and all associated data ("right to be forgotten").
Portability
Receive your vault data in a structured, machine-readable format (JSON).
Restriction
Request that we limit processing of your data in certain circumstances.
Objection
Object to processing based on legitimate interests.
California residents (CCPA/CPRA): You have the right to know, delete, and opt out of the sale of personal information. We do not sell personal information. You also have the right to non-discrimination for exercising your privacy rights.
EU/UK residents (GDPR/UK GDPR): You have the right to lodge a complaint with your local supervisory authority if you believe we are processing your data unlawfully.
We will respond to all rights requests within 30 days (or within the timeframe required by applicable law).
Children's Privacy
Kurate is not directed to children under the age of 16 (or 13 where applicable by local law). We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us at noreply@kurate.co.in and we will promptly delete it.
Changes to This Policy
We may update this policy from time to time. When we make material changes we will notify you by email (at the address associated with your account) at least 14 days before the changes take effect. The "Last updated" date at the top of this page reflects when the current version was published.
Continued use of the service after the effective date constitutes acceptance of the revised policy.
Contact
For any questions, concerns, or rights requests regarding this Privacy Policy or your personal data, please contact us: