Privacy policy

Last updated:

Introduction

This is the privacy policy for Tuck, a read-later app made by Tuck B.V. in the Netherlands. It describes what data we collect when you use Tuck, why we collect it, who we share it with, and the rights you have over it under the GDPR.

We try to write this in plain language. If anything is unclear, email privacy@thetuck.app and we’ll explain.

What we collect

We collect the minimum data required to run a read-later service. That includes:

  • Your email address, used to identify your account and to send transactional emails (sign-up confirmation, password resets, install links). Optionally your display name.
  • The URLs you save to your library, plus the parsed article text, title, author, and any tags, highlights, or notes you attach. This is the actual product content.
  • Reading progress per article (scroll position, last-read timestamp, completion state) so the same article picks up where you left off across devices.
  • Limited device info sufficient to run sync (device name and platform, push-notification token if you opt in). No advertising identifier is collected.
  • Basic usage analytics via Plausible: anonymized page views and outbound link clicks. No cookies, no fingerprinting, no personal identifiers, no IP retention, no content of saved articles.

How we use it

We use your data to operate Tuck and nothing else. Specifically: to render your library, sync it across devices, generate AI summaries when you request them, send transactional emails, process subscription billing, and understand which features people actually use so we ship better ones.

We do not sell your data. We do not share it with advertising networks. We do not train AI models on it. There’s no “data partnership” tier we’ll move to under pressure later.

Third parties and what they see

Running a modern app means a small number of vendors handle specific parts of the workload. Here’s exactly who, what they see, and why.

  • Supabase hosts your library and handles authentication. Your email, articles, highlights, and account metadata live in a Postgres database in the EU (Frankfurt region). Supabase is our infrastructure provider; they don’t use your data for anything beyond hosting it.
  • Resend sends transactional and newsletter emails. They see the email address we’re sending to and the message content (which you initiated).
  • OpenAI & Anthropic process article text when you tap “Summarize” or ask a question about a saved article. They receive only the article text, not your email or any identifier. We use providers’ no-training-by-default tier so your prompts and saved content are never used to train models.
  • RevenueCat handles subscription receipt validation between your App Store / Google Play subscription and our backend. They see your subscription state (active / cancelled / expired) and an opaque account ID; never your payment details (those stay with Apple, Google, or Stripe directly).
  • Vercel hosts the website you’re reading. They see standard request logs (IP, user-agent, URL) for the thetuck.app domain only; they don’t see the contents of your Tuck library.
  • Plausible collects anonymous, cookie-less usage analytics from the website (page views, outbound link clicks). No fingerprinting, no IP retention, no personal identifiers, no cross-site tracking. The script is GDPR-compliant by design, which is why there is no opt-out toggle: there is nothing personal to opt out of.

Data location

Your library lives in Supabase’s EU region (Frankfurt, Germany). Backups are taken every six hours and retained for 30 days, also within the EU. Email infrastructure (Resend) is also EU-routable, and Plausible is GDPR-compliant by design (no personal data collected at all). No personal data leaves the EEA in the normal course of operation.

The only exception is when you explicitly invoke an AI feature: the article text you’re summarizing or asking a question about is sent to OpenAI or Anthropic, both of whom have US infrastructure. We require providers to have Standard Contractual Clauses on file for that transfer.

Your GDPR rights

You have, free of charge and at any time:

  • Right of access: you can request a copy of every piece of personal data we hold on you. Email privacy@thetuck.app and we respond within 30 days, usually within a week.
  • Right of portability: your library exports in one click from Settings → Account → Export. Markdown, HTML, or JSON, your choice. Available on every plan, including after you cancel.
  • Right to rectification: change incorrect data from your account settings, or email us if it’s a field you can’t edit yourself.
  • Right to erasure: Settings → Account → Delete account. We mark the account inactive immediately and permanently delete all personal data within 30 days (the window lets you recover from a misclick). Backups roll out within the next backup-rotation cycle.
  • Right to restrict or object to processing: email privacy@thetuck.app. Withdrawing consent for analytics is a one-click toggle in Settings → Privacy.
  • Right to lodge a complaint with your local data protection authority (in the Netherlands, the Autoriteit Persoonsgegevens). We’d rather you talk to us first.

Cookies and tracking

On the website, we use only the minimum cookies required for the site to function, primarily a session cookie that remembers if you closed the mobile install banner. Analytics are handled by Plausible, which uses no cookies and no localStorage identifier of any kind. Pageviews are reported anonymously without any per-visitor state.

We do not run advertising trackers, retargeting pixels, or third-party social-media trackers. There’s no Facebook pixel, no LinkedIn Insight tag, no Google Analytics on this site.

In the app, the only network calls go to Tuck (Supabase) for sync, the AI provider (when you tap Summarize), and Apple/Google for App Store / Play Store subscription validation. No advertising SDKs are bundled.

Children’s privacy

Tuck is not directed at children under 16, and we don’t knowingly collect data from anyone under 16. If you’re a parent and you believe your child has signed up, email privacy@thetuck.app and we’ll delete the account immediately.

Changes to this policy

If we materially change how we handle your data, we’ll email everyone with an active account at least 30 days before the change takes effect. Cosmetic changes (typo fixes, restructuring without changing meaning) we publish without advance notice. The “Last updated” date at the top of this page always reflects the most recent meaningful edit.

Contact

Privacy questions: privacy@thetuck.app
Anything else: hello@thetuck.app
Postal: Tuck B.V., the Netherlands. Email us first for the postal address.


We don’t sell your data. We don’t run ads. You’re not the product. Your subscription is what pays for Tuck.
