Privacy Policy
Shelfsort is a small project. This page is the actual policy — no dark-pattern footnotes, no surprise data brokers. If something on this page is unclear or you want a specific piece of your data removed, email hello@shelfsort.com and a human (the operator) will reply.
1. Who we are
Shelfsort is a personal ebook-organization service. It is operated by an individual (referred to throughout as “we” or “the operator”) and accessible at shelfsort.com. We are the “data controller” under the GDPR and the UK GDPR for the purposes of the information on this page.
Contact: hello@shelfsort.com
2. What we actually collect
Three categories, that’s it:
- Account data — email address, hashed password (bcrypt; we never see the plaintext), display name, and four optional onboarding answers (where you heard about us, your favorite fandom, what kind of reader you are, and a one-time 13+ confirmation). If you sign in with Google, we receive your Google email + name + Google’s opaque user ID, nothing else.
- Library content you upload — the EPUB / PDF / MOBI files themselves (stored on Cloudflare R2; see §4), plus the metadata we extract from each file (title, author, series, language, page count, etc.) and the AI’s categorization (fandom, tags, confidence score). If you ask Shelfsort to generate a cover, the prompt sent to the AI and the resulting image are stored against the book.
- Operational logs — a session cookie token (HTTP-only, secure flag set), the device type you select when filing a bug report (iPhone, Linux, etc.), email-send status rows so we can tell you why a welcome email bounced, and non-identifying call counts for the AI provider (token counts + cost estimates per call — no prompt content stored in the telemetry collection).
We do not collect: your IP address beyond the request that’s actively being served (it’s not persisted), any analytics or marketing pixel data, browser fingerprints, third-party advertising identifiers, or behavioral tracking of any kind. There are no third-party trackers on this site.
3. Why we use it
- Account data — so you can log in, receive password-reset emails, and so we can prevent duplicate accounts on the same email address.
- Library content — so the AI can read the file’s metadata to categorize it, so we can render it back to you in the reader, so we can build smart shelves, and so we can generate covers if you ask.
- Onboarding answers — only used to personalize the welcome email (which fandom callout to show, which CTA to make primary). Never sold, never shared.
- Email-send logs — so the operator can see if a transactional email bounced and retry it.
- AI call telemetry — so the operator can forecast budget runway. The rows hold per-call token counts and cost estimates only; they contain no prompt content and are never linked to your account.
4. Third parties we share with
Four external services, each with a narrow purpose, plus two open-source tools that run inside our own infrastructure:
- Cloudflare R2 — stores your uploaded ebook files. Transfers to and from R2 are over TLS, and Cloudflare receives only the file objects, never your account metadata.
- Resend — sends transactional emails (welcome, password reset, weekly summary if you opt in). Resend receives your email address + the message we’re sending, nothing else.
- Emergent (Universal LLM Key) — routes the AI calls for fandom classification and cover generation. The provider on the other end is either Anthropic (Claude Sonnet 4.6) for text classification or Google (Gemini Nano-Banana) for image generation. We send them the metadata of the book being processed and the cover prompt; we do not send your email, your password, or the full text of any book.
- Google OAuth — only if you choose Google sign-in. Google receives the fact that you’re signing in to Shelfsort; Shelfsort receives your name + email + Google user ID.
- ClamAV + Calibre — run inside our own infrastructure, not third-party services. ClamAV scans every upload for malware; Calibre converts PDF/MOBI to EPUB when needed. No data leaves our environment for these.
We do not use Google Analytics, Meta Pixel, TikTok Pixel, Hotjar, Mixpanel, Segment, or any similar tool. The site has zero ad networks and zero tracking pixels.
5. Your rights
Under GDPR / UK GDPR / CCPA you can ask us to do any of the following. Where the action is self-serve, we’ve made it a button instead of an email thread:
- Access your data — Account settings shows your stored fields. Library export is on the same page.
- Correct your data — edit metadata in-place on each book’s detail page; edit your name and email in Account settings.
- Delete your account — one button in Account settings (“Delete account”). Hard-deletes your books, uploaded files, library, and account row within 30 days; cover artwork is removed from the public archive at the same time.
- Export your library — same Account page, “Export everything” button. You get a ZIP with your EPUBs + a JSON of all metadata.
- Restrict / object / portability — email hello@shelfsort.com; we’ll respond within 30 days.
- Complain to a supervisory authority — you can also complain to your local data-protection authority (the ICO in the UK, the CNIL in France, your state attorney general in the US, etc.).
6. How long we keep things
- Account + library data — until you delete the account. We don’t auto-prune dormant accounts.
- Email-send logs — 90 days, then auto-pruned by a cron job.
- AI call telemetry — capped at 50,000 rows (about 5 years at current volume); oldest rows are trimmed when the cap is exceeded.
- Backups — Cloudflare R2 retains deleted objects for up to 7 days before final purge, per Cloudflare’s own policy.
7. How we protect it
- HTTPS everywhere (HSTS enabled on the public domain).
- Passwords hashed with bcrypt; we never see plaintext.
- Session cookies are HTTP-only + Secure; client-side JS cannot read the token.
- Every upload is virus-scanned by ClamAV before it’s accessible to anyone, including you.
- Admin actions (approvals, deletions) are audit-logged with actor + target + timestamp.
No system is perfectly secure. If you discover a vulnerability, please email hello@shelfsort.com before disclosing it publicly — we’ll respond and credit you in the changelog if you want.
8. Children
Shelfsort is for users 13 years of age or older. We ask you to confirm your age at sign-up; if we learn that an account belongs to a child under 13, we’ll delete it.
9. Where your data lives
Servers and database are hosted in the United States. Cloudflare R2 stores object data in regional buckets; for new accounts the default region is North America. If you’re in the EU/UK and need EU-hosted storage, email hello@shelfsort.com and we’ll migrate your bucket. Standard contractual clauses are in place with Cloudflare and Resend for any data transfers out of the EEA.
10. Changes to this policy
When this page changes, we’ll bump the “Last updated” date at the top and, for any material change, send a one-time notice to your account email. The full revision history lives in our public CHANGELOG.
11. Contact
Email hello@shelfsort.com. A real human reads every message, usually within 48 hours.