Privacy Policy

Plain-English summary

Pastio is a clipboard sync utility. Anything you paste through Pastio is stored temporarily so we can deliver it to your other devices, then deleted automatically. We don't sell your data, run ad-tech, or share content with third parties beyond the infrastructure providers we strictly need to operate. Pastio is the Data Fiduciary under India's Digital Personal Data Protection Act, 2023 (DPDP Act).

What we collect

• Clip content — the text, code, URLs, images, or files you paste through Pastio. Stored in our database (text/code/URL/metadata) or object storage (images/files).
• Account data — your email address (only if you sign in via Google or magic link) and an optional display name.
• Device data — an opaque session identifier from your auth token, a generic device label like "Chrome on macOS" derived from your User-Agent, and a last-seen timestamp. Used to power the device-slot feature.
• Usage analytics — anonymous, aggregate event data via Plausible Analytics. No cookies, no cross-site tracking, no fingerprinting. Counts pageviews, event names, country, and referrer source. Never includes clip content, user IDs, or email addresses.
• Feedback — if you submit feedback via the in-product form, we store the message text plus your email if you provided one.

How long we keep it

• Anonymous rooms and their clips: deleted 1 hour after creation.
• Free Personal Sync clips: deleted 24 hours after creation.
• Pro Personal Sync clips: deleted 7 days after creation.
• Image and file uploads: deleted on the same schedule as the clip that referenced them.
• Account record (email, profile, devices): kept until you delete your account. Email support@pastio.app to request deletion.
• Analytics events (Plausible): aggregated, no personal identifier retained.
• Feedback submissions: kept for 12 months, then permanently deleted.

Third-party processors

To run Pastio, your data passes through these providers:

• Supabase — database, authentication, file storage, real-time sync. Hosts the substance of your clips. Located in their Singapore region.
• Vercel — web hosting and edge functions. Sees request metadata (IP, User-Agent) but not clip content beyond what's in HTTP requests.
• Plausible Analytics — aggregate, cookieless analytics.
• Dodo Payments — handles Pro subscription billing as Merchant of Record. Sees customer billing info you enter (name, email, payment method, country). Pastio receives a customer ID and subscription status; we never see your payment-method details.
• Google / email magic-link providers — only if you choose those sign-in methods.

We don't sell, rent, or trade your data with anyone outside this list.

Cross-border data transfers

Pastio's primary database is hosted in Singapore (Supabase ap-southeast-1). Vercel's edge runtime serves requests from the region nearest to you. By using Pastio from outside India, you consent to your data being processed in India, Singapore, and the United States (Vercel/Plausible). We rely on standard contractual clauses and the providers' own GDPR / DPDP-aligned terms for international transfers.

Your rights

Under India's Digital Personal Data Protection Act, 2023 (DPDP Act) and equivalent regimes (GDPR for EU residents, CCPA for California), you have the right to:

• Access the personal data we hold about you
• Correct inaccurate data
• Delete your data and account
• Export your data in a portable format
• Withdraw consent for processing at any time
• Lodge a complaint with the Data Protection Board of India or your local DPA

To exercise any of these, email support@pastio.app. We respond within 30 days.

Marketing and automated decisions

Pastio doesn't send marketing emails. The only emails you'll receive from us are transactional (sign-in magic links, billing receipts via Dodo, replies to your support requests). We don't run automated decision-making or profiling that has legal effect on you.

Cookies and local storage

Pastio uses the browser's localStorage and sessionStorage to remember your active session, room state, and UI preferences. We do not use third-party tracking cookies, advertising cookies, or social-media pixels. Plausible Analytics is configured cookieless.

Children

Pastio is not intended for users under 13. If we learn we've collected data from a child under 13, we delete it. If you're a parent or guardian and believe we have your child's data, contact support@pastio.app.

Security

We use HTTPS everywhere, RLS-protected database access, and JWT-based session authentication. Password-protected rooms use SHA-256 hashing. We can't fully guarantee security against every possible threat — no service can — but we follow standard practices. If you discover a vulnerability, please email support@pastio.app and we'll respond promptly.

Changes to this policy

If we materially change this policy, we'll update the effective date at the top and notify signed-in users in-product. Continued use after changes means acceptance.

Contact

Questions, requests, complaints: support@pastio.app.