stash← Back

Privacy Policy

Effective: May 28, 2026 · Last updated: May 28, 2026

Gabriel Pineda ("Gabriel," "we," "our," or "us") operates the Stash mobile application and web platform (collectively, the "Service"). This Privacy Policy explains what personal information we collect, why we collect it, how we use and protect it, and your rights regarding that information.

By creating an account or using Stash, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with it, please do not use our Service.

For questions, please contact us at gabriel@creator-stash.com.

Table of Contents

  1. 1. Who We Are
  2. 2. Information We Collect
  3. 3. How We Use Your Information
  4. 4. How We Share Your Information
  5. 5. Third-Party Service Providers
  6. 6. AI Processing
  7. 7. Data Retention
  8. 8. Your Privacy Rights
  9. 9. Account Deletion
  10. 10. Children's Privacy
  11. 11. Tracking & ATT
  12. 12. Cookies & Storage
  13. 13. Security
  14. 14. International Transfers
  15. 15. California (CCPA/CPRA)
  16. 16. European Rights (GDPR)
  17. 17. Changes to This Policy
  18. 18. Contact Us

1. Who We Are

Gabriel Pineda is an individual based in the Philippines. Stash is a viral content research and organization tool for marketing professionals, content creators, and agencies. It allows users to save short-form videos from platforms such as TikTok and Instagram, automatically enriches saved content with AI-generated transcripts, analysis, and classifications, and enables teams to organize, study, and collaborate on that content.

Gabriel Pineda is the data controller for personal information processed through the Service. Our privacy contact is: gabriel@creator-stash.com.

2. Information We Collect

2.1 Account and Identity Information

When you create an account, we collect:

  • Email address — used for authentication (magic-link sign-in), account recovery, and service communications.
  • Display name — set by you during onboarding or profile updates; shown to teammates within shared workspaces.
  • Profile avatar — an optional image URL you provide.
  • Apple Sign-In tokens — if you sign in via Apple, we receive an anonymized Apple-issued identifier and, at your discretion, your name and email from Apple. We do not receive your Apple password.
  • Account creation timestamp — used for internal analytics and fraud prevention.

2.2 Workspace and Organizational Data

When you create or join a workspace, we collect:

  • Workspace name and URL slug
  • Your role within the workspace (owner, admin, editor, or viewer)
  • Workspace brand color (optional customization)
  • Subscription plan, Stripe customer identifier, and subscription identifier (not your payment card details — see Section 2.5)
  • Monthly usage counters (number of saves per billing period)
  • Trial start and end dates

2.3 Content You Save

Stash's core feature is saving short-form video content. When you save a video, we collect and store:

  • Source URL — the original TikTok or Instagram URL you shared into the app.
  • Canonical URL — the platform-resolved permanent URL for that video.
  • Video and audio files — a copy of the video is downloaded from the source platform and stored in our private Cloudflare R2 storage bucket. Audio is extracted for transcription and then discarded after processing.
  • Thumbnail image — the video's cover image.
  • Sampled video frames — a small number of still images extracted from the video (approximately 2 frames per second) for OCR text extraction. Frames are processed and may be retained as image references in our systems.
  • Platform metadata — caption text, video duration, like/view/comment/share counts (captured at the time of save and periodically updated), sound name and identifier.
  • Creator metadata — the creator's public handle, display name, public avatar image URL, and follower count at the time of capture.
  • Your notes and tags — any annotations or organizational tags you add to saved videos.
  • Board and column placement — which kanban board and column (e.g., "To Study," "In Production") you have placed the video in.
  • Capture timestamp — when you saved the video.

2.4 AI-Processed Enrichment Data

We automatically process saved videos through an AI enrichment pipeline to extract additional information. This generates and stores:

  • Transcript — a full text transcript of the video's speech, including time-synchronized segment data (generated via OpenAI Whisper).
  • Hook transcript — a transcript of the first approximately three seconds of the video.
  • Hook clip — a three-second video clip extracted from the beginning of the saved video.
  • OCR text — text visible in the video frames, extracted using AI vision models (GPT-4o-mini via OpenAI).
  • Format classification — a category label describing the video's style (e.g., "talking head," "POV," "listicle").
  • Call-to-action detection — identification of any call-to-action phrases present in the transcript.
  • Semantic embeddings — numerical vector representations of the transcript and caption text, generated via OpenAI's text-embedding-3-small model. These enable semantic search within your library and are stored in our database. They are not human-readable.
  • Visual metrics — cuts-per-second and other cinematographic measurements derived from the video.

2.5 Payment and Billing Information

When you subscribe to a paid plan, billing is processed by Stripe, Inc. We do not directly collect or store your credit card number, bank account details, or other raw payment credentials. Stripe provides us with:

  • Stripe customer ID and subscription ID
  • Subscription status (active, past due, cancelled, trialing)
  • Plan tier and billing cycle
  • Payment method type and last four digits (stored by Stripe, surfaced to us for display only)

Stripe's privacy practices are governed by the Stripe Privacy Policy.

2.6 Usage and Operational Data

We collect data to operate, secure, and improve the Service:

  • Feature interaction data — which features you use (e.g., boards visited, searches performed, columns used), used internally for product improvement.
  • Capture job logs — status, error messages, and pipeline identifiers for each video save operation, used for debugging and reliability monitoring.
  • Share link tokens — read-only share tokens you generate to share boards with external viewers, including expiration dates.
  • Invite tokens — tokens generated when you invite teammates to your workspace.

2.7 Device and Technical Information

When you use the iOS app or web platform, we may automatically receive the following technical information:

  • IP address (used for security and rate-limiting; not retained long-term)
  • Device type and operating system version
  • App version number
  • Authentication tokens (JWT), which are stored in your device's secure storage and the app's App Group container to enable the iOS Share Extension
  • Crash and error information (if applicable diagnostics tooling is enabled)

2.8 Information We Do Not Collect

We do not collect:

  • Precise or coarse device location
  • Contacts from your device address book
  • Biometric data
  • Health or fitness data
  • Browsing history outside the Stash app
  • Advertising identifiers (IDFA) for ad targeting
  • Camera, microphone, or photo library access (beyond what you explicitly share via the iOS Share Sheet)

3. How We Use Your Information

We use the information we collect for the following purposes:

3.1 Providing and Operating the Service

  • Authenticating your identity and maintaining your session
  • Processing video saves through the enrichment pipeline
  • Storing and serving your saved video library and associated metadata
  • Enabling team collaboration within workspaces
  • Enforcing subscription limits and plan entitlements
  • Generating and serving read-only share links
  • Enabling semantic search across your transcript and caption content

3.2 Billing and Account Management

  • Processing subscription payments and renewals via Stripe
  • Managing trial periods and plan upgrades or downgrades
  • Sending transactional emails (receipts, payment failures, trial expiration notices)
  • Enforcing usage limits per your subscription plan

3.3 Product Improvement and Analytics

  • Understanding how users interact with features to guide product development decisions
  • Diagnosing and resolving bugs and pipeline failures
  • Measuring enrichment pipeline performance and cost
  • Improving AI model selection and processing quality

3.4 Security and Fraud Prevention

  • Detecting and preventing unauthorized access to accounts
  • Rate-limiting and abuse prevention on the capture API
  • Monitoring for anomalous usage patterns indicative of misuse
  • Enforcing our Terms of Service and Acceptable Use Policy

3.5 Communications

  • Sending magic-link authentication emails
  • Notifying you of material changes to our Terms or this Privacy Policy
  • Responding to support requests and privacy inquiries
  • Sending workspace invitation emails on your behalf

3.6 Legal Obligations

We may process your data where required to comply with applicable law, legal process, or enforceable governmental requests, or to protect the rights, property, or safety of Gabriel, our users, or the public.

We do not use your personal information for targeted advertising, and we do not sell your personal information to any third party.

4. How We Share Your Information

We do not sell your personal information. We share information only in the following limited circumstances:

4.1 With Your Team Members

Within a shared workspace, certain information is visible to other workspace members according to your role. Specifically:

  • Your display name and avatar are visible to workspace members.
  • Content you save (videos, notes, tags, board placements) is visible to all members of the same workspace.
  • Your email address is visible to workspace owners and admins for member management purposes.

4.2 Via Read-Only Share Links

If you generate a read-only share link for a board, anyone with that link can view the board's content without an account. You control whether share links are created and may revoke them at any time.

4.3 Service Providers

We share data with third-party service providers strictly to operate the Service. These providers are contractually required to protect your data and may not use it for their own independent purposes. See Section 5 for the full list.

4.4 Business Transfers

If Gabriel is involved in a merger, acquisition, reorganization, bankruptcy, or sale of all or substantially all of its assets, your information may be transferred as part of that transaction. We will provide notice via email or a prominent notice on the Service before your information is transferred and becomes subject to a different privacy policy.

4.5 Legal Requirements

We may disclose your information if we believe in good faith that disclosure is required to: (a) comply with applicable law or legal process; (b) respond to claims of violations of third-party rights; (c) protect the safety of any person from death or serious bodily injury; or (d) prevent fraud or abuse of Gabriel or our users.

4.6 With Your Consent

We may share your information for any other purpose with your explicit prior consent.

5. Third-Party Service Providers

We use the following third-party services to operate Stash. Each provider receives only the data necessary for their specific function and is subject to contractual data protection obligations.

ProviderPurposeData Received
Supabase, Inc.Database, authentication, real-time subscriptionsAll user, workspace, reel, and enrichment data stored in our database; authentication credentials
Cloudflare, Inc. (R2)Video, audio, and image file storageVideo files, audio extracts, thumbnail images, sampled frames, hook clips — stored in workspace-scoped private buckets
OpenAI, LLCAI transcription (Whisper), OCR and classification (GPT-4o-mini), semantic embeddings (text-embedding-3-small)Audio files extracted from saved videos; sampled video frames; transcript text for embedding generation
Stripe, Inc.Payment processing, subscription managementEmail address, subscription details, payment method (collected directly by Stripe)
Inngest, Inc.Background job orchestration and enrichment pipelineWorkspace ID, reel ID, source URL, platform type — used only to coordinate processing tasks
Fly.io, Inc.Media processing infrastructure (video download, audio extraction, frame sampling)Workspace ID, reel ID, video URLs — received over encrypted HTTPS connections for processing
Apple, Inc.Sign in with Apple authenticationApple-issued user identifier; optionally your name and email if you share them during Apple Sign-In
TikTok, Inc. / ByteDanceVideo metadata retrieval via oEmbed APIPublic video URLs submitted by users
Meta Platforms, Inc. (Instagram)Video metadata retrieval via oEmbed APIPublic video URLs submitted by users
Vercel, Inc.Web application hosting and CDNHTTP request data including IP address (subject to Vercel's data processing terms)

6. Artificial Intelligence Processing

Stash uses artificial intelligence to automatically enrich the content you save. This is a core feature of the Service. Specifically:

  • OpenAI Whisper is used to transcribe audio extracted from saved videos. The audio file is transmitted to OpenAI's API over an encrypted connection for processing.
  • OpenAI GPT-4o-mini (with vision) is used to extract text visible in video frames (OCR) and to classify video format and detect calls-to-action.
  • OpenAI text-embedding-3-small is used to generate semantic vector representations of transcripts and captions to power search.

By using Stash's save feature, you consent to your saved video content (audio and frame data extracted from publicly accessible URLs you provide) being transmitted to OpenAI for processing. You should not use Stash to save videos containing sensitive personal information.

Gabriel does not use your saved content to train AI models. OpenAI's data usage for API calls is governed by the OpenAI Privacy Policy and its API data usage policies, which by default do not use API inputs to train OpenAI models.

7. Data Retention

We retain your personal information for as long as your account is active and as needed to provide the Service. Specific retention periods:

  • Account data (email, display name, avatar): Retained until you delete your account.
  • Workspace and reel data: Retained until you delete your account or, for workspace owners, until the workspace is deleted. Workspace members who leave a workspace lose access to that workspace's data but their account data is unaffected.
  • Video and media files: Stored in Cloudflare R2 and retained until account deletion. Upon account deletion, a cleanup process is initiated to remove associated media files; however, due to the distributed nature of cloud storage, complete removal may take up to 30 days.
  • AI-generated enrichment data (transcripts, embeddings, classifications): Retained alongside reel data and deleted when the reel or account is deleted.
  • Billing data: Payment records and subscription history may be retained for up to 7 years as required by financial regulations, even after account deletion.
  • Capture job logs and audit records: Retained for up to 90 days for debugging and reliability purposes, then deleted.
  • Share link tokens: Expire per the configured expiration date or upon account deletion, whichever comes first.
  • IP addresses and request logs: Retained for up to 30 days at the infrastructure level for security and abuse prevention.

We may retain anonymized, aggregated data (e.g., aggregate usage statistics that cannot identify individuals) indefinitely for product analytics.

8. Your Privacy Rights

Depending on your location, you may have various rights with respect to your personal information. We respect these rights regardless of where you are located.

8.1 Rights Available to All Users

  • Access — Request a copy of the personal information we hold about you.
  • Correction — Request correction of inaccurate personal information (e.g., update your display name).
  • Deletion — Request deletion of your account and associated personal data. See Section 9 for details.
  • Data portability — Request an export of your personal data in a machine-readable format.
  • Withdrawal of consent — Where processing is based on your consent, you may withdraw that consent at any time without affecting the lawfulness of processing prior to withdrawal.

8.2 How to Exercise Your Rights

To exercise any of these rights, please contact us at gabriel@creator-stash.com with the subject line "Privacy Rights Request." Please include your email address and a description of your request. We will respond within 30 days (or within the timeframe required by applicable law). We may request additional information to verify your identity before processing your request.

Many rights can also be exercised directly within the Service:

  • Update your display name: Settings → Profile
  • Delete your account: Settings → Account → Delete Account
  • Cancel your subscription: Settings → Billing
  • Remove workspace members: Settings → Members
  • Revoke share links: Settings → Sharing

9. Account Deletion

You may delete your Stash account at any time from within the app: Settings → Account → Delete Account. You may also submit a deletion request by emailing gabriel@creator-stash.com.

When you delete your account:

  • Your account record, display name, avatar, and authentication credentials are permanently deleted from our primary database within 7 business days.
  • All workspace data, reel records, boards, tags, enrichment data, and share links associated with workspaces you own are permanently deleted on the same timeline.
  • Media files (videos, thumbnails, clips) stored in Cloudflare R2 are queued for deletion and will be fully removed within 30 days.
  • If you have an active paid subscription, it will be cancelled through Stripe at the time of account deletion. Any active subscription period will not be refunded, but you will not be charged again. You may cancel your subscription before deleting your account via Settings → Billing to manage your billing cycle.
  • Billing records required by financial regulations may be retained for up to 7 years in accordance with legal obligations, but will be de-identified where feasible.
  • If you are a member (not owner) of workspaces, your workspace membership is removed, but the workspace's content created by other members remains intact for those members.

Deletion is irreversible. We cannot recover deleted accounts or their associated content.

10. Children's Privacy

Stash is not directed to children under the age of 13 (or under 16 for users in the European Economic Area), and we do not knowingly collect personal information from children. The Service is intended for use by marketing professionals, content creators, and business teams.

If we become aware that we have collected personal information from a child without appropriate parental consent, we will take steps to delete that information as quickly as possible. If you believe we may have inadvertently collected information from a child, please contact us immediately at gabriel@creator-stash.com.

11. Tracking and App Tracking Transparency

Stash does not use your data to track you across third-party apps and websites for advertising purposes. We do not use your Apple Advertising Identifier (IDFA) or engage in cross-app behavioral tracking.

If a future version of the app introduces features that require tracking under Apple's App Tracking Transparency (ATT) framework, we will request your explicit permission before doing so via the iOS ATT prompt. You may change your tracking preference at any time in iOS Settings → Privacy & Security → Tracking.

12. Cookies and Local Storage

12.1 Web Platform

The Stash web platform uses the following storage mechanisms:

  • Authentication cookies — Secure, HTTP-only cookies issued by Supabase to maintain your authenticated session. These are strictly necessary for the Service to function and cannot be disabled.
  • Browser local storage — Used for caching workspace preferences and UI state (e.g., last-selected workspace, quick-tag preferences) to improve performance.

We do not use advertising cookies, third-party tracking cookies, or analytics cookies on the web platform.

12.2 iOS App

The iOS app uses:

  • AsyncStorage — Device-local key-value storage for caching session tokens, workspace preferences, and quick-tag data.
  • App Group container (UserDefaults) — Shared storage between the main Stash app and the iOS Share Extension, used to maintain authentication tokens so the Share Extension can capture videos without requiring a separate login.
  • Pending captures queue — A local file (pending_captures.json) stored in the App Group container to queue video saves when offline or when the capture pipeline is temporarily unavailable.

13. Security

We implement industry-standard technical and organizational measures to protect your personal information:

  • Encryption in transit — All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher.
  • Encryption at rest — Data stored in our database and object storage is encrypted at rest.
  • Row-level security — Our database enforces row-level security policies that prevent any user from accessing data outside their authorized workspaces, regardless of application-layer errors.
  • Access controls — Internal access to production systems is restricted to authorized personnel on a need-to-know basis. Service-role database credentials used by backend workers are not exposed to end users.
  • Authentication security — We use magic-link authentication (no passwords to breach) and support Apple Sign-In with PKCE flow for enhanced security.
  • Private media storage — Video files and media assets are stored in private Cloudflare R2 buckets and served only via short-lived, signed URLs.

No method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your personal information, we cannot guarantee absolute security. If you believe your account has been compromised, please contact us immediately at gabriel@creator-stash.com.

14. International Data Transfers

Gabriel Pineda is based in the Philippines. When you use Stash, your data may be transferred to and processed in the Philippines and other countries where our service providers operate.

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, such transfers are made pursuant to appropriate safeguards, including Standard Contractual Clauses approved by the European Commission, adequacy decisions, or other lawful transfer mechanisms. For questions about how we transfer your data internationally, contact us at gabriel@creator-stash.com.

15. California Privacy Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) grant you additional rights:

  • Right to Know — You may request disclosure of the categories and specific pieces of personal information we collect about you, the purposes for collection, and the categories of third parties with whom we share it.
  • Right to Delete — You may request deletion of personal information we have collected from you, subject to certain exceptions (e.g., information we must retain for legal compliance).
  • Right to Correct — You may request correction of inaccurate personal information we maintain about you.
  • Right to Opt-Out of Sale or Sharing — We do not sell or share your personal information as defined under CCPA/CPRA, and have not done so in the preceding 12 months. You therefore need not submit an opt-out request, but you may contact us to confirm.
  • Right to Limit Use of Sensitive Personal Information— We do not collect sensitive personal information as defined by CPRA (e.g., racial or ethnic origin, biometric data, health information) in connection with providing the Service.
  • Right to Non-Discrimination — We will not discriminate against you for exercising any of your CCPA/CPRA rights.

To exercise your California privacy rights, contact us at gabriel@creator-stash.com with "California Privacy Rights Request" in the subject line. We will verify your identity before processing your request and respond within 45 days (extendable to 90 days with notice).

Categories of personal information collected in the last 12 months: Identifiers (email, user ID, device ID); Commercial information (subscription and billing data); Internet or other electronic network activity (usage data); Audio/visual information (video content you save, audio extracts, video frames); Inferences drawn from personal information (content classifications, transcript embeddings).

16. European Privacy Rights (GDPR)

If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have rights under the General Data Protection Regulation (GDPR) or equivalent local laws:

  • Right to be informed — This Privacy Policy fulfills our obligation to inform you about how we process your data.
  • Right of access — Request a copy of personal data we hold about you.
  • Right to rectification — Request correction of inaccurate data.
  • Right to erasure ("right to be forgotten") — Request deletion of your data where we no longer have a legal basis to retain it.
  • Right to restriction of processing — Request that we restrict processing of your data in certain circumstances.
  • Right to data portability — Receive your data in a structured, commonly used, machine-readable format.
  • Right to object — Object to processing based on legitimate interests.
  • Rights related to automated decision-making — We do not make solely automated decisions that produce legal or similarly significant effects about you.

Legal bases for processing:

  • Performance of a contract (Article 6(1)(b)) — Providing the Service you've subscribed to, including authentication, video enrichment, workspace collaboration, and billing.
  • Legitimate interests (Article 6(1)(f)) — Security, fraud prevention, product improvement, and internal analytics, where these interests are not overridden by your rights.
  • Consent (Article 6(1)(a)) — For AI processing of your saved content (as described in Section 6). You may withdraw consent by discontinuing use of the save feature or deleting your account.
  • Legal obligation (Article 6(1)(c)) — Retaining billing records as required by financial regulations.

To exercise your GDPR rights, contact us at gabriel@creator-stash.com. You also have the right to lodge a complaint with your local data protection authority.

17. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes, we will:

  • Update the "Last updated" date at the top of this page.
  • Notify you via email to your registered address at least 30 days before material changes take effect.
  • Display a prominent notice within the Service for at least 14 days following the change.

Your continued use of the Service after the effective date of a revised Privacy Policy constitutes your acceptance of the updated policy. If you do not agree to the revised policy, please delete your account before the effective date.

18. Contact Us

For privacy questions, rights requests, or concerns about this policy, please contact:

Gabriel Pineda

Attn: Privacy Team

Email: gabriel@creator-stash.com

We are committed to working with you to obtain a fair resolution of any privacy concern. We will respond to verified requests within 30 days.