privacy policy
What we know about you, and what we can't know.
Effective 17 July 2026 · Undefined Ventures OÜ
The short version
- The Magpie extension is local by default. Your boards, clips and notes live in your browser. We run no telemetry in it and cannot see what you collect.
- Data reaches our servers only if you create an account and turn on sync — then we store exactly what sync needs, to give it back to you on your other devices.
- Payments are handled by Stripe as merchant of record. We never see your card.
- Our website uses Google Analytics. The extension does not.
- You can export everything as files, and delete your account — and every byte we hold — yourself, any time.
The extension: local by default
Everything you capture — images, screenshots, text snippets, links, boards, tags, notes — is stored in your browser's local database (IndexedDB) on your machine. With no account, nothing is transmitted to us or anyone else. There is no usage tracking, no telemetry, and no analytics inside the extension. The optional "mirror to files" feature writes copies to your own disk, with no network involved.
These claims are checkable: open your browser's devtools and watch the network panel.
AI with your own key (optional)
If you enter your own OpenRouter API key in the extension, AI features (captioning, tagging, text recognition, search embeddings) send the item being processed — an image thumbnail or snippet text — directly from your browser to OpenRouter under your account, governed by OpenRouter's privacy policy. None of that traffic passes through our servers. No key, no AI traffic.
If you create an account and sync
Sync is opt-in and exists so your collection can follow you across devices and into the web app. To provide it (our legal basis: performing our contract with you), we store:
- Account: your email address; if you sign in with Google, the name and email Google provides.
- Your collection: boards and items — titles, tags, notes, source URLs, snippet text, recognized text — in our database (hosted with Supabase); image files and thumbnails in object storage (Cloudflare R2); search vectors derived from your items.
- Plan state: your subscription plan, its status and period, your Stripe customer and subscription IDs, storage usage, and coarse usage counters that enforce fair-use limits.
We don't browse, analyze, or monetize your collection. It is stored to be given back to you.
Search on the web app
When you search in the web app, your query text is sent to OpenRouter (under our key this time) to compute an embedding for ranking your own items. We don't store your queries.
Payments
Paid plans are sold through Stripe acting as merchant of record. Stripe collects and processes your payment details, billing address and applicable taxes under Stripe's privacy policy. Card numbers never touch our servers; we receive and keep only your plan, its status, and Stripe's reference IDs.
Sign-in and email
Signing in with an email code sends that one-time code through Resend, our transactional email provider. We send no marketing email. Signing in with Google uses Google's OAuth; we receive your email address and basic profile, nothing more.
Analytics & cookies (website only)
magpie.ee — the landing page and the web app — uses Google Analytics to understand aggregate usage (pages viewed, rough geography, how people find us). This sets Google cookies and shares usage signals with Google per Google's privacy policy. The web app also sets strictly-necessary session cookies to keep you signed in. The extension contains no analytics of any kind.
Retention and deletion
- While your account is active, synced data is kept so sync works.
- If your subscription lapses, your cloud copy goes read-only and is kept for 12 months, then deleted. Your local copy is never touched — it's a copy, not a cage.
- You can delete your account yourself (web app → account → delete): it wipes your database rows and every stored image, verifiably and immediately.
- Deleting an item removes its stored bytes; a small tombstone record remains briefly so deletions sync across devices.
Your rights
We're an Estonian company, so the GDPR applies in full. You have the right to access, correct, export, and erase your personal data, and to object to or restrict processing. Most of these are built in: "export everything" gives you your data as ordinary files; account deletion is self-service. For anything else, email hey@undefined.ee. If you're unhappy with us, you can complain to the Estonian Data Protection Inspectorate (aki.ee) or your local supervisory authority.
Who processes data for us
- Supabase — database & authentication
- Cloudflare — image storage (R2)
- Vercel — website hosting
- Stripe — payments, as merchant of record
- Resend — sign-in code emails
- Google — analytics (website), optional sign-in
- OpenRouter — web-app search embeddings; extension AI only under your own key
The small print
Magpie isn't directed at children under 16. If this policy changes in ways that matter, we'll say so on this page and, for account holders, by email. Questions: hey@undefined.ee.
Undefined Ventures OÜ (data controller)
Registry code: 17101544
Tallinna mnt 22/1-2, 80032 Pärnu linn, Pärnu maakond, Estonia
Email: hey@undefined.ee