PERSONAL HUB

Privacy Policy

Effective date: February 24, 2026

Our core promise

Your data belongs to you. Personal Hub exists to organize and protect your personal data, not to monetize it. Your data is encrypted on your device before it reaches our servers. We do not hold the keys. We cannot read your data, which means we cannot sell it, share it, or use it for advertising. This is not a policy decision that could change in the future. It is how the system is built. You can export or delete everything at any time.

Who we are

Personal Hub is a product of Personal. Contact: hi@personalhub.io.

What data we collect and why

Account data

We collect your email address and a hashed password for authentication only.

Purchase data

Your purchase data is encrypted on your device before it reaches our servers. Merchant names and amounts are stored unencrypted so the app can search and display them; all other purchase details are stored encrypted.

Gmail data (when connected)

  • Scope: gmail.readonly, read-only access.
  • We search for receipt-related emails only.
  • We extract merchant name, items, amounts, dates, and order numbers.
  • We store only extracted structured data, encrypted.
  • We never store raw email content.
  • Email content is sent to the Anthropic Claude API for parsing via a server-side function. No content is retained.
  • You can disconnect Gmail at any time from within the app. We encourage disconnection after import.
  • You can also revoke access from your Google Account permissions page.

Google API Services Limited Use Disclosure

Personal Hub's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We limit our use of Google user data to providing and improving the receipt import feature. We do not use Google data for advertising, and we do not allow humans to read your data unless you explicitly request support, it is necessary for security purposes, or it is required by law.

How your Personal Vault is encrypted

All data in your Personal Vault is encrypted on your device before it reaches our servers.

  1. When you create an account, a unique encryption key is derived from your password using PBKDF2 with 100,000 iterations of SHA-256.
  2. Every piece of data you save is encrypted in your browser using XSalsa20-Poly1305 (the same algorithm used by Signal and 1Password) with a fresh random nonce.
  3. Only the encrypted result is sent to our servers. We store the ciphertext and the nonce. We never see your password, your encryption key, or your plaintext data.
  4. When you open your hub, your browser derives the key from your password again and decrypts the data locally.

If you forget your password, your 12-word recovery phrase is the only way to regain access. We cannot recover your data for you.

The encryption code is open source and available for independent audit at github.com/mariusokland/personal-encryption.

How Personal MCP sharing is encrypted

When you connect an AI service through Personal MCP, a separate encryption layer protects your shared data.

  1. You select which fields to share. Nothing is shared by default.
  2. Your browser decrypts the selected data from your vault, then generates a new encryption key specifically for this connection.
  3. Your browser re-encrypts the selected data with this new key and uploads the ciphertext to our servers. We cannot read it.
  4. For manual connections: The new key is embedded in your connection URL. We never store this key. We store only a SHA-256 hash for revocation purposes.
  5. For directory connections (OAuth): The new key is stored on our server, encrypted with a server-side key-encryption-key. The share key is decrypted only during active requests from your AI service.
  6. When your AI service reads your data, it sends the key (via URL or Bearer token). Our server decrypts the data in memory, serves it, and discards the key immediately. The data is in server memory for approximately 50 milliseconds.
  7. If your AI suggests saving something to your hub, the suggestion is encrypted with the connection's key and queued. You review and approve suggestions in your browser before anything enters your vault.
  8. You can revoke a connection at any time. Revoking deletes all shared data for that connection and invalidates it permanently. Other connections are not affected.

Each AI connection has its own encryption key. Revoking one connection has no effect on any other.

Where your data is readable

Your browser: Readable by you during your session.

Personal Vault (our servers): Encrypted. We cannot read it. No one can without your password.

Personal MCP shared layer (our servers): Encrypted with a separate key. We cannot read it at rest.

Our server during an MCP request: Briefly readable in server memory for approximately 50 milliseconds while processing a request from your AI service. The key is discarded immediately after.

Your AI service: Readable during your conversation. Subject to the AI service's own privacy policy.

Suggestion queue (our servers): Encrypted with the connection's key. We cannot read it.

Technical data

We collect standard server logs and high-level usage analytics. We do not use tracking or profiling cookies, and we do not use third-party behavioral advertising tools.

We use Cloudflare Web Analytics to understand which pages are visited and how the site performs. This analytics service is privacy-focused: it does not set cookies, does not track you across other sites, and does not see the encrypted personal data you store in Personal Hub. We respect your browser's Do Not Track setting and disable analytics when it is enabled.

How we protect your data

We use client-side encryption (NaCl/TweetNaCl secretbox), row-level security, minimal data collection, and no third-party data sharing to protect your information.

Your rights, always

  • Export all data: one click, any time. Always free.
  • Delete your account: permanent and irreversible.
  • Revoke AI sharing: instantly disconnect any AI service and delete all shared data for that connection.
  • Preview shared data: see exactly what each AI connection can access before and after setup.
  • Disconnect services: immediate revocation.
  • Access your data: always visible in the app.
  • Data portability: standard export formats.
  • EEA users: GDPR rights apply. Contact hi@personalhub.io.

Data retention

We retain your data while your account is active. When you delete your account, your data is deleted within 30 days, including backups.

Third-party services

We rely on a small number of infrastructure providers:

  • Supabase (database and infrastructure, EU region).
  • Google Gmail API (when connected, read-only access for receipt import).
  • Anthropic Claude API (receipt parsing, server-side only, no data retained).

What we collect from MCP requests

When your AI service reads your data through Personal MCP, we record:

  • The timestamp of the request (for rate limiting)
  • Which connection was used (by token hash, not by identity or content)

We do not collect:

  • The content of your shared data
  • The queries your AI sends
  • The responses your AI generates
  • Any conversation data

For questions about data sharing with AI services, contact mcp@personalhub.io.

Children's privacy

Personal Hub is not intended for use by individuals under 16 years old. If we discover that a child under 16 is using the service, we will delete their account and associated data.

Changes

If we make material changes to this policy, we will notify you by email at least 30 days in advance.

Contact

If you have questions about this policy or your data, contact us at hi@personalhub.io.