Privacy Policy

Last updated: May 2026

The short version

Your data is yours. We store what you give us so your second brain works. We don't sell your data. We don't train on your data. You can export everything and delete your account at any time.

Fülkit knows how you think. Not what you think.

The five promises

  • No selling. We don't sell your data. Not to advertisers, not to brokers, not to anyone.
  • No training. We don't use your conversations or notes to train AI models. Not ours, not anyone else's.
  • No third-party sharing. Your content stays inside Fülkit unless you explicitly connect an integration you chose.
  • Delete works. Click delete, it's gone. Atomic cascade. We wrote the SQL.
  • Export works. Take your notes with you in plain markdown any time. We never lock the door behind you.

What Fülkit holds, and why

Fülkit's job is to remember the shape of your life so the AI can be useful in conversation. That means we hold the structure of how you work (habits, patterns, the cadence of your week, the integrations you've connected) so the assistant can show up prepared instead of asking you to re-explain yourself every time.

The content of your private notes doesn't need to live with us forever for the brain to work. When the AI helps you, it reads what's relevant in the moment, like opening a notebook, and moves on.

Two ways to live with Fülkit

Default mode: your vault lives with us in encrypted Supabase storage. The full AI brain works: search, suggestions, save-on-the-fly. This is the simplest and fastest experience and works on every device, including mobile.

Local Vault mode: your notes live in a folder of plain markdown files on your own computer. Fülkit reads them at chat-time to help you and never stores them on our servers. Sync across devices with your own Dropbox, iCloud, or Google Drive; Fülkit just reads wherever the folder lives. Desktop only (Chrome, Edge, Arc, or Brave).

Either way: you always have a copy of your files in plain markdown. If you ever leave, every file comes with you.

The honest line

On Default mode, we could read your notes. We choose not to. Here's exactly why you should believe us:

  • Our business model is your $9/month subscription, not your data. Selling it would torch the business.
  • The architecture is documented: read the receipts. Every query is scoped by your user ID at the database level.
  • If reading your notes was the product, we wouldn't also offer Local Vault mode where we can't.
  • We're a small team. Solo founder. No board pushing growth-at-all-costs. Reputation is the asset.

What we collect

  • Account info (name, email via Google sign-in)
  • Notes and documents you upload or create
  • AI conversation history
  • Preferences you set (display, AI behavior, vault mode)
  • A referral cookie if you arrived via a referral link (30-day expiry)
  • Usage data (message counts, feature usage)

How we use it

To make your second brain work. Your notes are embedded and stored so the AI can retrieve them. Your preferences are learned so the AI can talk to you the way you want. That's it.

How long we keep it

Different data has different lifespans. Here is what stays, what rotates, and what disappears when you ask:

  • Notes you delete: soft-deleted for 30 days, then permanently removed. During the 30-day window your deleted notes have zero influence on search, suggestions, or any AI behavior: they are excluded from every index.
  • Notes you keep: retained for the life of your account.
  • AI conversation history: retained while your account is active so context carries forward; deletable per-conversation or in bulk from Settings.
  • Preferences and account profile: retained while your account is active; deleted on account closure.
  • OAuth tokens (Google, Spotify, GitHub, etc.): stored encrypted while the integration is connected; deleted within 24 hours of disconnect.
  • Referral cookie: 30-day expiry, set in your browser only; never written to our servers.
  • Usage data (message counts, feature events): retained for billing and product analytics for 24 months, then aggregated/anonymized.
  • Account closure: when you delete your account, all data above is purged within 30 days. Backup retention on Supabase infrastructure may extend up to 30 days beyond that, after which residual copies are unrecoverable.

Third parties

  • Anthropic (Claude API) — processes your messages, does not retain them
  • Voyage AI — generates note embeddings for semantic search, does not store content
  • Supabase — database and authentication hosting
  • Vercel — application hosting and serverless functions
  • Stripe — payment processing and referral payouts
  • Upstash — distributed rate limiting (Redis)
  • Google — OAuth sign-in and connected services (Calendar, Gmail, Drive) when enabled by you
  • Spotify, GitHub, Square, Stripe, Shopify, Toast, Trello, Fitbit, QuickBooks, Notion, Dropbox, Slack, OneNote, Todoist, Readwise — only when connected by you, for the features you enable
  • Invisible intelligence APIs (server-side, no user data shared): OpenWeatherMap (weather), WAQI (air quality), USDA & Open Food Facts (nutrition), Open Library (books), Frankfurter (currency), Free Dictionary API, Nominatim (geocoding), Wikipedia, NASA (APOD), Wolfram Alpha, Currents (news), Have I Been Pwned (breach check)

Google user data

When you connect Google services (Calendar, Gmail, Drive), Fülkit requests only the scopes needed for what you asked for:

  • Calendar (calendar.events) — read upcoming events and availability for chat context, create events when you ask
  • Gmail (gmail.readonly) — search and read email threads to answer your questions. Read-only. Fülkit never sends, deletes, or modifies email.
  • Drive (drive.readonly and drive.file) — find and read documents you choose to import to your vault

Google user data is processed in-context to answer your immediate question and is not retained beyond that. It is never used to train AI models, never shared with third parties (including Anthropic), and never sold. OAuth tokens are stored encrypted and deleted when you disconnect the integration.

Fülkit's use and transfer of information received from Google APIs to any other app will adhere to Google API Services User Data Policy, including the Limited Use requirements.

Cookies and similar technologies

Fülkit uses cookies and browser storage only for what makes the product work. No ad networks, no third-party analytics tracking, no cross-site tracking.

  • Session cookies: set by Supabase to keep you signed in. Cleared on sign-out.
  • Referral cookie: set if you arrived via a Get Fülkit referral link. 30-day expiry. Browser-only.
  • localStorage preferences: your storage mode (Default vs Local Vault), compact-mode toggle, last-active tab. Browser-only; never sent to us.

You can clear these from your browser settings any time. Fülkit functions without them; you'll just need to sign in again.

Automated decision-making and AI

Fülkit uses AI to generate responses, suggest content, surface patterns, and produce daily digests. These are conversational and informational; Fülkit does not make consequential automated decisions about you (employment, credit, housing, insurance, eligibility for any legal benefit). You can override, edit, or ignore any AI output, and you can delete the history that informs it.

Children

Fülkit is not directed at children under 13 and we don't knowingly collect data from anyone under 13. If you believe a child under 13 has provided data to Fülkit, contact us at privacy@fulkit.app and we will delete it. Users between 13 and the age of majority in their state should have parent or guardian consent to use the service.

US state privacy rights

Fülkit is offered to US residents and complies with applicable US state privacy laws including the California Consumer Privacy Act (CCPA), the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CTDPA), and the Utah Consumer Privacy Act (UCPA). Regardless of which state you live in, you have these rights:

  • Right to know. Request a copy of the personal data Fülkit holds about you.
  • Right to delete. Request deletion of your personal data, subject to legal exceptions (e.g., billing records).
  • Right to correct. Update inaccurate personal data.
  • Right to opt out. Fülkit does not sell personal data and does not use it for cross-context behavioral advertising; there is nothing to opt out of, but you can confirm this in writing on request.
  • Right to non-discrimination. Exercising your rights does not affect your access to Fülkit, your pricing, or your service quality.
  • Authorized agent. California residents may designate an authorized agent to make requests on their behalf with written authorization.

To exercise any of these rights, email privacy@fulkit.app from the address associated with your account, or use the built-in export and delete tools in Settings. Fülkit responds within 45 days; an additional 45-day extension may apply where permitted by law.

Plus One accounts

Fülkit Plus One lets two consenting adults share one account. The account-holder is the primary controller of the account and its data. Both users' activity contributes to the shared brain. Either user can export or delete shared data; account closure is initiated by the account-holder.

Sister products

This Privacy Policy covers Fülkit only. Other Colsha LLC products (Numbrly, TrueGauge) and HB Beverage Co. (HBBEVCO LLC) operate under their own privacy policies on their respective sites. Connecting one of those products to Fülkit shares only what the integration specifies, on the same terms as any other connected source.

Subprocessors and changes

The third-party services listed above process data on Fülkit's behalf. Fülkit may add or change subprocessors over time as the product evolves; the current list is always on this page. Material changes are reflected here with an updated "Last updated" date and, when the change affects how user data is processed, surfaced in-product.

Security and breach notification

Fülkit uses encryption at rest (Supabase database-level), HTTPS in transit, encrypted OAuth token storage, row-level security scoping every query to your user ID, and signed URLs for any file delivery. No system is perfectly secure; if Fülkit becomes aware of a personal-data breach affecting you, we will notify you without unreasonable delay and in compliance with applicable law.

Your rights

Export all your data at any time from Settings. Delete specific memories, conversations, or your entire account. No lock-in, ever.

Contact

Questions about privacy? Email privacy@fulkit.app.