Privacy Policy

Last updated: March 24, 2026

1. Introduction

CrossShelf ("we," "us," or "our") operates the CrossShelf platform at crossshelf.app (the "Service"), a cross-media review and recommendation platform. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our Service.

We are committed to protecting your privacy and complying with applicable data protection laws, including the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), the Brazilian General Data Protection Law (LGPD), and the Children's Online Privacy Protection Act (COPPA).

By using our Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Service.

2. Information We Collect

2.1 Account Information

When you create an account, we collect the following information:

• Email address
• Display name / username
• Password (stored only as a bcrypt hash; we never store or have access to your plain-text password)
• Profile information you choose to provide (bio, avatar image)
• Privacy preferences (public or private profile setting)

2.2 User Content

When you use the Service, we store the content you create:

• Ratings (star scores and recommend/mixed/skip tags)
• Written reviews
• Library entries (status tracking: Completed, In Progress, Want To, Dropped)
• Progress data for In Progress items (episodes watched, chapters read, etc.)
• Follow relationships (which users you follow)
• Helpful votes on reviews

2.3 Authentication Data

If you sign in via Google or Apple OAuth, we receive limited profile information from those providers (name, email address, and profile picture). We do not receive or store your Google or Apple password. We store only the minimum information needed to authenticate your account.

2.4 Usage Data Collected Automatically

We automatically collect limited usage data through our servers:

• Page views: We record which pages you visit on CrossShelf through our implicit signals system. This data is used to understand general platform usage patterns and may inform future recommendation features.
• Standard server request logs: Our servers automatically log your IP address, browser type (user agent string), and timestamp for each request. These logs are used for security monitoring, debugging, and abuse prevention.

We do not currently track search queries, filter selections, time spent on individual pages, mouse movements, click patterns, or other detailed behavioral analytics.

2.5 Device Data

Through standard server request logs, we may receive general device information included in HTTP headers, such as browser type, operating system, and device category (desktop or mobile). We do not use fingerprinting techniques or collect detailed hardware information.

2.6 Cookies

We use only essential session cookies required for authentication. These cookies allow you to stay logged in during your session. We do not use advertising cookies, analytics cookies, third-party tracking cookies, or social media tracking cookies. For more details, see our Cookie Policy.

3. How We Use Your Information

We use the information we collect for the following purposes:

• Providing the Service: Displaying your ratings, reviews, and library data; enabling your profile; showing your activity to followers (if your profile is public).
• Recommendations: Generating personalized recommendations based on your ratings, reviews, and library data, including cross-media suggestions.
• Aggregated Statistics: Computing community scores, rating distributions, and recommend percentages from anonymized, aggregated user data.
• Security and Abuse Prevention: Monitoring server logs for unauthorized access, spam, and abuse.
• Service Improvement: Using aggregated, anonymized page view data to understand how the platform is used and identify areas for improvement.
• Communications: Sending essential service communications such as password reset emails, account security alerts, and notices of changes to our terms or privacy policy.

We do not use your personal data for advertising. We do not build advertising profiles. We do not send marketing emails unless you explicitly opt in to receive them.

4. Legal Basis for Processing (GDPR)

For users in the European Union and United Kingdom, we process your personal data under the following legal bases:

• Contract Performance (Article 6(1)(b)): Processing necessary to provide the Service you signed up for, including storing your account data, ratings, reviews, and library entries.
• Legitimate Interests (Article 6(1)(f)): Processing for security monitoring, abuse prevention, and aggregated analytics to improve the Service. We balance these interests against your rights and freedoms.
• Consent (Article 6(1)(a)): Where we rely on your consent (such as optional marketing communications), you may withdraw consent at any time.
• Legal Obligation (Article 6(1)(c)): Processing necessary to comply with legal requirements, such as responding to lawful data access requests.

5. Data Sharing

We do not sell your personal data. We have never sold personal data and have no plans to do so.

We share data only with the following categories of service providers, solely to operate the Service:

• Vercel: Hosts our frontend application. Vercel processes HTTP requests which include your IP address and browser information as part of standard web hosting.
• Supabase: Hosts our PostgreSQL database and provides authentication services. Stores your account data, ratings, reviews, and library entries.
• Google (OAuth): If you choose to sign in with Google, Google processes your authentication. We receive only your name, email, and profile picture.

We use the following third-party APIs to source media metadata (titles, descriptions, cover art, release dates). We send only search queries and media identifiers to these services — we do not send any of your personal data:

• TMDB (The Movie Database) — movie and TV show metadata
• IGDB (Internet Game Database) — video game metadata
• Spotify API — music and podcast metadata
• Jikan (MyAnimeList API) — manga and anime metadata
• Google Books API — book metadata
• Comic Vine API — comic book metadata

We may also disclose your information if required by law, court order, or governmental regulation, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

6. International Data Transfers

Our servers are located in the United States. If you access the Service from outside the United States, your data will be transferred to and processed in the United States.

For users in the EU/UK, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission as the legal mechanism for transferring personal data outside the European Economic Area. Our service providers (Vercel and Supabase) maintain appropriate data transfer safeguards.

7. Data Retention

• Active accounts: We retain your account data, ratings, reviews, and library entries for as long as your account is active.
• Account deletion: When you delete your account, all your personal data, ratings, reviews, library entries, and follow relationships are permanently deleted within 30 days. Some anonymized, aggregated data (such as contribution to community averages) may be retained.
• Server logs: Standard server request logs (IP addresses, timestamps, browser information) are automatically deleted after 90 days.
• Page view data: Implicit signal data (page views) associated with your account is deleted when you delete your account.

8. Your Rights

8.1 All Users

Regardless of your location, you have the right to:

• Access your personal data through your profile and settings pages
• Edit or correct your personal information at any time
• Delete your account and all associated data
• Export your data (ratings, reviews, library entries)
• Control your profile visibility (public or private)

8.2 EU/UK Residents (GDPR)

If you are located in the European Union or United Kingdom, you additionally have the right to:

• Right of access (Article 15): Request a copy of all personal data we hold about you.
• Right to rectification (Article 16): Request correction of inaccurate personal data.
• Right to erasure (Article 17): Request deletion of your personal data ("right to be forgotten").
• Right to restrict processing (Article 18): Request that we limit how we use your data.
• Right to data portability (Article 20): Receive your data in a structured, commonly used, machine-readable format.
• Right to object (Article 21): Object to processing based on legitimate interests.
• Right to withdraw consent (Article 7(3)): Where processing is based on consent, withdraw it at any time.
• Right to lodge a complaint: File a complaint with your local data protection supervisory authority.

To exercise these rights, contact us at privacy@crossshelf.app. We will respond within 30 days.

8.3 California Residents (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with additional rights:

• Right to know: Request disclosure of the categories and specific pieces of personal information we have collected about you.
• Right to delete: Request deletion of your personal information.
• Right to correct: Request correction of inaccurate personal information.
• Right to opt out of sale: We do not sell personal information. See our Do Not Sell page.
• Right to non-discrimination: We will not discriminate against you for exercising your CCPA rights.
• Right to limit use of sensitive personal information: We do not collect sensitive personal information as defined by CPRA beyond what is necessary for the Service.

Categories of personal information collected in the last 12 months:

• Identifiers: Email address, display name, IP address, account ID
• Internet activity: Page views on CrossShelf, browser type, server request logs
• User-generated content: Ratings, reviews, library entries, profile information

Categories sold: None. We do not sell personal information.
Categories shared for cross-context behavioral advertising: None.

8.4 Brazilian Residents (LGPD)

If you are located in Brazil, the Lei Geral de Proteção de Dados (LGPD) provides you with the following rights:

• Confirmation of the existence of processing of your data
• Access to your personal data
• Correction of incomplete, inaccurate, or outdated data
• Anonymization, blocking, or deletion of unnecessary or excessive data
• Data portability to another service provider
• Deletion of data processed with your consent
• Information about public and private entities with which we share your data
• Information about the possibility of denying consent and the consequences
• Revocation of consent

To exercise your rights under LGPD, contact us at privacy@crossshelf.app.

9. Children's Privacy

CrossShelf is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13, in compliance with the Children's Online Privacy Protection Act (COPPA).

In the European Union, users under the age of 16 require verifiable parental consent to create an account, in accordance with GDPR Article 8.

If we discover that we have collected personal information from a child under the applicable age threshold without appropriate consent, we will delete that information promptly. If you believe a child has provided us with personal information, please contact us at privacy@crossshelf.app.

10. Security

We take the security of your personal data seriously and implement industry-standard measures to protect it:

• All data is transmitted over HTTPS (TLS encryption in transit)
• Passwords are hashed using bcrypt with appropriate salt rounds
• Session tokens are stored as HTTP-only cookies that cannot be accessed by client-side JavaScript
• Database access is restricted and authenticated
• Server logs are monitored for unauthorized access attempts
• We follow industry best practices for web application security

No method of transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security. If we become aware of a data breach affecting your personal information, we will notify you and relevant authorities as required by applicable law.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will notify you by email (if you have an account) and by posting a prominent notice on the Service at least 30 days before the changes take effect.

Your continued use of the Service after the updated policy takes effect constitutes your acceptance of the changes. If you do not agree with the updated policy, you may delete your account.

12. Contact Us

If you have questions about this Privacy Policy, want to exercise your data rights, or have concerns about how we handle your information, please contact us:

Email: privacy@crossshelf.app

For GDPR inquiries, you may also contact your local data protection supervisory authority.