How Shelf handles your data.

Controller

Shelf is operated by Lukas Walliser, Balatonstrasse 1, Berlin, Germany. For privacy questions, deletion help, or export requests, contact lukas.walliser@mim.esmt.org.

Data we process

• Account data: email address, authentication identifiers, session metadata, and profile details provided by Clerk or Google sign-in.
• Content data: episode links, titles, channel/show/author names, transcripts, generated briefs, embeddings, notes, search results, and ask/search interactions.
• Operational data: upload status, failed job reasons, activity entries, timestamps, preferences, and basic technical logs needed to run and secure the service.
• Support data: messages you send to us, including deletion help, export, or account-support requests.

Why we process data

• To create and secure your account.
• To save uploaded links, transcripts, summaries, notes, and search indexes.
• To process uploads and recover cleanly when an import fails.
• To answer questions and search across your saved content.
• To maintain reliability, prevent abuse, debug errors, and respond to support requests.

Legal bases

• Contract performance when we provide the Shelf product you requested.
• Legitimate interests when we secure the service, prevent abuse, debug failures, and keep the product reliable.
• Consent where required, for example if optional analytics, marketing cookies, or non-essential communications are added later.
• Legal obligation if we must retain or disclose limited information to comply with applicable law.

Processors and infrastructure

Shelf uses service providers to host the app, authenticate users, store data, process transcript imports, run background jobs, and generate AI-powered summaries, embeddings, search, and answers.

• Vercel: hosting, deployment, edge delivery, DNS, and runtime logs.
• Supabase: database storage for account-linked product data.
• Clerk: authentication, sessions, account security, and Google sign-in.
• Railway: background worker infrastructure for queued processing.
• Supadata: transcript extraction from supported external URLs.
• Alibaba Cloud DashScope/Qwen: AI model and embedding processing.
• Google: OAuth sign-in when you choose Continue with Google.
• Namecheap: domain registrar for getshelf.xyz.

International transfers

Some processors may process data outside Germany or the European Economic Area. Where required, transfers should rely on appropriate safeguards such as EU Standard Contractual Clauses, adequacy decisions, or equivalent contractual protections provided by the processor.

Retention

• Account data is kept until the account is deleted or longer if required for security or legal reasons.
• Saved episodes, transcripts, notes, and generated outputs are kept until you delete them or delete your account.
• Failed upload/activity entries should remain user-clearable and may be cleaned up automatically after they are no longer needed.
• Technical logs should be kept only as long as needed for security, debugging, and operational reliability.

Your rights

• Access the personal data we hold about you.
• Correct inaccurate or incomplete data.
• Delete your account from Settings or request help deleting your account and saved content.
• Request export or portability of your data where applicable.
• Object to or restrict processing where applicable.
• Withdraw consent where processing is based on consent.
• Complain to a competent data protection authority.

Cookies and analytics

Shelf should use only essential cookies and local/session storage needed for authentication, security, preferences, and product operation unless a separate consent flow is added. Do not add marketing analytics or tracking pixels without updating this policy and adding any consent mechanism required by law.

Children

Shelf is not intended for children. If you believe a child has provided personal data, contact us and we will review and delete it where required.