The Bookish Shelf
Legal

Privacy Policy

Last updated: 5/14/2026

Note: this Privacy Policy is provided as a starting template and should be reviewed by a lawyer before launch.

1. Introduction

The Bookish Shelf is operated by Kelly Dunn ("we", "us", "our"), trading as The Bookish Shelf. We are the data controller for the personal data described in this notice. We care deeply about your privacy and have written this policy in plain English so you actually understand what we do with your data.

2. Information we collect

Account information: nickname, email, password hash, and theme preference.

Reading tracker data: book titles, authors, ratings, reviews, notes, journal entries, tropes, moods, spice/cry/comfort ratings, goals, TBR, wishlist, and shelves.

Usage and device data: basic logs (IP address, browser, timestamps) used for security and to keep the service running.

Payment and billing: handled entirely by Stripe, our Merchant of Record (see Section 5). We never see or store your card details. We receive only the limited transactional data Stripe returns to us (e.g. subscription status, plan, renewal date).

3. How we use your information and legal basis

  • Provide the service (account creation, saving your shelf, generating stats and recaps) โ€” legal basis: performance of our contract with you.
  • Process subscriptions via Stripe โ€” legal basis: performance of contract.
  • Security, fraud prevention and service integrity โ€” legal basis: legitimate interests.
  • Product improvement and aggregated analytics โ€” legal basis: legitimate interests.
  • Customer support โ€” legal basis: legitimate interests / contract.
  • Legal compliance (tax, accounting, responding to lawful requests) โ€” legal basis: legal obligation.

We do not sell or rent your data.

4. Where your data is stored

Account and shelf data is stored securely in our hosted database with encryption in transit and at rest. Some preference data may also be cached locally in your browser.

5. Third-party services and Merchant of Record

Stripe ("Stripe") acts as our reseller and Merchant of Record for all subscription sales. Stripe handles checkout, payment processing, billing, tax compliance, invoicing, refunds, and related customer service for transactions. Stripe's privacy notice is available at stripe.com/privacy.

Hosting and database: our cloud hosting and database providers act as data processors on our behalf.

Book covers and metadata: we fetch cover images and metadata from Open Library and Google Books.

Analytics or email tools: if added later, we will update this policy and clearly disclose them.

6. Cookies and similar technologies

We use minimal local storage and essential cookies to remember your shelf, preferences, and session. We do not use third-party advertising cookies. Stripe may set cookies during checkout in accordance with its own privacy notice.

7. How we protect your data

We use industry-standard security practices including HTTPS, encryption in transit and at rest, hashed passwords, and access controls. No system is 100% secure, but we work hard to protect your data.

8. Data retention

We keep personal data only as long as needed for the purposes described above:

  • Account and reading data: for as long as your account is active.
  • After account deletion: personal data is deleted or anonymised within 30 days, except where we must keep it to comply with legal obligations (e.g. Stripe keeps invoice/tax records for the period required by law, typically up to 10 years).
  • Security logs: retained for up to 12 months.

9. Data export

You can export your reading data at any time from your account settings.

10. Data deletion requests

You can request deletion of your account and all associated data by emailing hello@thebookishshelf.com.

11. Your rights

You have the right to access, correct, export, or delete your data, and to object to or restrict certain processing. EU/UK users have additional rights under the GDPR / UK GDPR, including data portability, withdrawal of consent, and the right to lodge a complaint with your local data protection authority. We aim to respond within one month.

12. International transfers

Your data may be processed outside your country (including in the United States and the UK/EEA). Where required, we rely on appropriate safeguards such as Standard Contractual Clauses or adequacy decisions.

13. Children's privacy

The Bookish Shelf is not directed at children under 13. We do not knowingly collect data from children under 13.

14. Changes to this policy

We may update this policy from time to time. Significant changes will be communicated in the app or by email.

15. Contact information

Questions about your data? Email hello@thebookishshelf.com. The data controller is Kelly Dunn, trading as The Bookish Shelf.

See also: Terms and Conditions ยท Refund Policy.