Privacy Policy

Last updated: June 1, 2026

This Privacy Policy describes how Rewindior ("we", "us", or "our") collects, uses, and shares information about you when you use our services at rewindior.com and rewindior.app (together, the "Services").

1. Information we collect

Account information

When you register, we collect your email address. You may optionally provide your first and last name and a preferred language.

Capsule content

Rewindior captures memories in two ways: emails delivered to your capsule's inbound address, and files uploaded directly through the app. For inbound emails we store the sender's name and address, the subject line, the message body, and any attachments. For direct uploads we store the files you choose to add. This content — photos, documents, text, and other files — is your "Memories".

Custom address

On Shared Basic and Shared Plus plans you may set a custom address slug for your capsule (e.g., my-family@inbound.rewindior.app). We store this slug and associate it with your capsule.

Usage information

We collect standard web analytics data through Vercel Analytics, including pages visited, referring URLs, browser type, and approximate location derived from your IP address. This data is aggregated and not linked to your account.

Payment information

Payments are processed by Stripe. We do not store your card number or other payment credentials. We receive and store a Stripe customer ID and transaction records (plan, amount, date) for billing and support purposes.

Cookies

We set one HTTP-only authentication cookie (rewindior_refresh) to keep you signed in for up to 7 days. This cookie is not accessible to JavaScript and is not used for advertising or tracking.

2. How we use your information

  • To create and manage your account
  • To receive, process, and display emails and uploads delivered to your capsule
  • To enforce plan limits (attachment size, member count, etc.)
  • To send reminder notification emails on schedules you define, and to receive your replies as new capsule content
  • To process payments and manage your subscription or purchase
  • To send transactional emails (receipts, invitations, alerts)
  • To respond to support requests
  • To detect and prevent abuse
  • To monitor aggregate usage and improve the Services

3. Sub-processors and third parties

We do not sell your personal information. We share it only with the following service providers, solely to operate the Services:

  • Supabase — provides authentication and the database and file storage that holds your account data, capsule content, and attachments.
  • Stripe — processes payments and manages subscriptions. Subject to Stripe's Privacy Policy.
  • Postmark — receives inbound emails sent to your capsule address and forwards them to our servers for processing.
  • Google — if you connect Google Drive sync, we request limited OAuth access to your Drive in order to export your capsule content to it. We only write to your Drive; we do not read or store your Drive files. We do not store your Google credentials. You can revoke access at any time from your Google account settings.
  • Trigger.dev — runs background tasks such as processing incoming emails, generating image thumbnails, and sending reminder notifications.
  • Vercel — hosts the web application and collects aggregate analytics.

We may also disclose information if required by law or to protect the rights, property, or safety of Rewindior, our users, or others.

4. Data retention

We retain your data for as long as your account is active. Specific retention rules:

  • Account deletion — if you delete your account, we will remove your personal data within 30 days, except where retention is required by law.
  • Lapsed subscription — if your paid subscription ends and you do not hold a Lifetime Access purchase, your capsule enters a 90-day read-only period. After 90 days all capsule data is permanently deleted.
  • Raw email data — the raw email JSON received from Postmark is stored temporarily during processing and deleted once the message has been ingested.

5. Security

All data in transit is encrypted with TLS. Attachment files are stored in a private Supabase Storage bucket with access controlled via signed URLs. Authentication tokens are stored in HTTP-only cookies and never exposed to JavaScript. We apply reasonable technical and organizational measures to protect your data, though no method of transmission over the Internet is 100% secure.

6. Your rights

Depending on your location you may have rights including the right to:

  • Access and receive a copy of your personal data
  • Correct inaccurate information
  • Request deletion of your personal data
  • Object to or restrict processing
  • Data portability

To exercise any of these rights, contact us at privacy@rewindior.com.

7. Changes to this policy

We may update this policy from time to time. We will notify you of material changes by posting the updated policy here and updating the date above. Continued use of the Services after changes take effect constitutes acceptance of the revised policy.

8. Contact

Questions about this Privacy Policy? Email us at privacy@rewindior.com.