IndexSprint logoIndexSprint

Legal

Privacy Policy

Effective date: April 5, 2026  ·  Last updated: April 5, 2026

IndexSprint (“we”, “us”, or “our”) operates the website indexsprint.com (the “Service”). This Privacy Policy explains what information we collect, how we use it, and your choices regarding your data.

By using the Service, you agree to the collection and use of information in accordance with this policy.

1. Information we collect

1.1 Information you provide

  • Account information: When you create an account, we collect your email address and display name. If you sign in with Google or GitHub, we receive your name, email, and profile picture from the respective provider.
  • Reading plans: When you save a reading plan to your account, we store the plan title, author, chapter structure, and your progress (completed items, dates).
  • Reflections: If you use the 3-2-1 reflection feature (Premium), we store the takeaways, questions, and applications you write.
  • Payment information: Payments are processed by Dodo Payments, our Merchant of Record. We do not store your credit card number, billing address, or other payment details. See Dodo Payments' privacy policy for details on their data handling.

1.2 Information collected automatically

  • Usage data: We collect anonymous usage metrics including pages visited, features used, and parse requests made. This data is not linked to your identity.
  • Device information: Browser type, operating system, and screen size for responsive design purposes.
  • Cookies: We use essential cookies for authentication (session tokens). We do not use advertising cookies or third-party tracking cookies.

1.3 Information we do NOT collect

  • OCR scans: Photos taken with the Scan feature are processed entirely in your browser using on-device OCR (Tesseract.js). Your images are never uploaded to our servers.
  • PDF files: PDF files uploaded for text extraction are processed in your browser using pdf.js. The files are never sent to our servers.
  • Pasted ToC text (free tier): If you use the free tier without saving, your pasted text is processed by our server for parsing but is not permanently stored. It is held in memory only during the parsing request and discarded immediately after.

2. How we use your information

  • To provide the Service: Parse your table of contents, generate reading plans, track your progress, and deliver premium features.
  • To generate AI-powered study prompts: If you use the reflection feature, your reflection text is sent to Anthropic's Claude API to generate retrieval prompts. Anthropic does not use this data for training. See Anthropic's privacy policy for details.
  • To send you notifications: Review reminders (if enabled), account updates, and important service announcements. You can opt out of review reminders at any time.
  • To improve the Service: Anonymous, aggregated usage data helps us understand which features are most useful and where to focus development.
  • To prevent abuse: Rate limiting and abuse detection use session identifiers (hashed IP + User-Agent) to protect the service from misuse. These identifiers are not linked to your account.

3. Data storage and security

Your data is stored in Supabase (PostgreSQL database) with Row Level Security (RLS) enabled, meaning each user can only access their own data. The database is hosted in Supabase's managed infrastructure. All data is encrypted in transit (TLS) and at rest.

Authentication tokens are stored in httpOnly, secure cookies that are not accessible to JavaScript.

4. Data sharing

We do not sell, rent, or share your personal data with third parties for marketing purposes. We share data only with the following service providers, solely to operate the Service:

  • Supabase: Database and authentication infrastructure.
  • Vercel: Website hosting and serverless function execution.
  • Anthropic (Claude API): AI-powered retrieval prompt generation. Only reflection text is sent; no personal identifiers are included in API calls.
  • Dodo Payments: Payment processing and subscription management (Merchant of Record).
  • Resend or SendGrid: Email delivery for review reminders and account notifications.
  • Google and GitHub OAuth: If you choose to sign in with Google or GitHub, your authentication is handled by their respective OAuth services. We receive only your name, email, and profile picture.

5. Data retention

  • Account data: Retained as long as your account is active. You can delete your account at any time (see Section 7).
  • Reading plans and reflections: Retained as long as your account is active or until you delete them individually.
  • Cached ToC data: Parsed table of contents may be cached in our database to improve performance for future users searching for the same book. This cache contains only the structural data (chapter titles and hierarchy), not the full book content.
  • Usage logs: Anonymous usage metrics are retained for up to 12 months, then automatically purged.

6. Your rights

Depending on your jurisdiction, you may have the following rights:

  • Access: Request a copy of the personal data we hold about you.
  • Correction: Request correction of inaccurate data.
  • Deletion: Request deletion of your account and all associated data.
  • Data portability: Export your reading plans as Markdown files at any time using the built-in export feature.
  • Opt-out: Disable email reminders in your account settings.

To exercise any of these rights, contact us at privacy@indexsprint.com.

7. Account deletion

You can delete your account at any time from your account settings. Upon deletion:

  • Your profile, reading plans, reflections, retrieval prompts, and Pomodoro session data are permanently deleted within 30 days.
  • Your subscription (if active) is cancelled immediately.
  • Cached ToC data that you contributed may remain in the cache as it is anonymized and not linked to your account.
  • Anonymous usage data is retained as it cannot be linked to you.

8. Children's privacy

The Service is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at privacy@indexsprint.com.

9. International data transfers

Your data may be processed in countries outside your own, including the United States (where our hosting and AI providers operate). By using the Service, you consent to the transfer of your data to these jurisdictions.

10. DMCA and copyright

If you believe that content cached on IndexSprint infringes your copyright, please submit a DMCA takedown notice to copyright@indexsprint.com. Include: a description of the copyrighted work, the specific cached content you believe infringes your rights, your contact information, and a statement of good faith. We will respond to valid requests within 14 business days.

11. Changes to this policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the “Last updated” date. For significant changes, we will notify registered users by email.

12. Contact us

If you have questions about this Privacy Policy, contact us at: