Pastpond — Privacy Policy
Last updated: 2026-06-10. Provisional v0.3.
This describes what personal data Pastpond collects, why, where it lives, and what your rights are.
Data we collect
You give us:
- Your email address (for sign-in and notifications).
- Your encryption passphrase, which you enter only in your browser, where your keys are derived from it; neither the passphrase nor any key derived from it ever reaches us or is stored by us.
- File contents you upload (encrypted on your device before upload).
- Names and email addresses of beneficiaries you designate, and the conditions you configure for them.
We collect automatically:
- IP address (used only for security logs and abuse prevention).
- Browser/device user-agent string.
- Server logs (retained 30 days).
- Aggregate, non-identifying analytics.
We do not collect the plaintext of any file you upload, with one transient exception: when a photo is sent for description, its decrypted bytes pass through our server in memory on their way to Anthropic (see AI processing below), so for that moment our server holds the plaintext of that photo. The bytes are discarded as soon as the request completes, and nothing is ever written to disk in plaintext. We never receive your passphrase or any key derived from it.
How we use it
- To run the service: storing your encrypted capsule, charging you, sending transactional emails.
- For security: detecting abuse, fraud, and unauthorized access.
- For product improvement: aggregate, non-identifying metrics.
- For legal compliance: responding to lawful requests.
We do not sell or share personal data with third parties for advertising.
AI processing — Anthropic Claude for photos, your device for voice
Photos. When your capsule is organized, each photo is decrypted on your device and sent, via our server, to Anthropic's Claude, which returns a description and tags. Our server relays the photo in memory only and never writes it to disk; the photo is therefore in plaintext while it is in our server's memory and while Anthropic processes it. Anthropic is our only AI sub-processor: API data is retained by Anthropic for at most 7 days, is never used to train models, and is covered by our data processing agreement. The returned description is encrypted on your device, before it is stored, with the same per-item key that protects the photo itself, so we cannot read your descriptions afterwards.
Voice and video. Transcription runs inside your browser, on your device (an open-source model downloaded to your browser and cached). Recordings are never sent to us or to any AI provider for transcription. Transcripts are encrypted on your device with the per-item key before being stored.
Beneficiaries you grant access to can read descriptions and transcripts, because their release code unlocks the same per-item keys that protect the originals.
The encrypted-at-rest copy of your file in storage is never decrypted on our infrastructure; the only plaintext that ever touches our servers is the in-memory photo relay described above.
Cross-connections — optional, off by default
Settings has a "Let Pastpond's AI find connections" switch. It is off by default. When you turn it on, you authorize Pastpond's AI to use facts extracted from your capsule (names, places, dates from descriptions and transcripts) to suggest possible family or professional connections to you. Because matching runs on Pastpond's side, those extracted facts are readable by Pastpond while the switch is on, unlike the encrypted descriptions and transcripts they come from. No suggested connection is ever revealed to another person without your explicit confirmation of that specific connection. Turning the switch off withdraws the authorization going forward. While it is off, nothing in your capsule is used for matching.
Where your data lives
- Encrypted file contents: Cloudflare R2.
- Database metadata: Supabase.
- Backups and cold archive: a second cloud provider and a cold-tier archive in a second jurisdiction.
Sub-processors
Cloudflare, Supabase, Stripe, Postmark, Vercel, Anthropic (photo description only — ≤7-day retention, no training on your data).
Your rights
You may have rights to access, correct, delete, export, object to or limit processing of your data, and to file a complaint with your local data protection authority. To exercise any of these, email hello@pastpond.com.
Because your files are encrypted on your device with keys derived from a passphrase only you hold, our ability to honor some requests is limited: we cannot decrypt your files or produce their plaintext on demand, for you or for anyone else. We can confirm what we hold and we can delete it.
Retention
- Active capsule: as long as your storage plan is active.
- Server logs: 30 days.
- Backups: 90 days after capsule deletion.
- Anonymized analytics: indefinite.
Children
Pastpond is not for users under 18. We do not knowingly collect data from minors.
International transfers
Your data may be stored or processed outside your country of residence. We rely on standard contractual clauses and equivalent mechanisms where required.
Changes
We will email you at least 30 days before material changes take effect.