Privacy Policy

stem.md ("Stem", "we", "us") is a tool for organizing and sharing what you're exploring online. It's operated by Amrith Shanbhag, based in the Netherlands. Questions? Email us at [email protected].

We collect only what's needed to run the service:

• Account info: your email address and chosen username. Optionally, a display name and short bio if you add them in settings.
• Content you create: stems (topics with titles and descriptions) and finds (URLs with optional notes) that you add.
• Usage data: Google Analytics collects anonymized data about how pages are used (page views, general location by country, device type). No personal identifiers are sent to Google Analytics.
• Sign-in tokens: when you request a magic link, we store a short-lived token (hashed) to verify your identity. It's deleted once used.
• Sessions: after you sign in, we store a session token in a cookie to keep you logged in for 30 days.

We do not collect passwords, payment information, or any data beyond what's listed above.

• To create and manage your account.
• To deliver sign-in emails via Resend.
• To display your stems and finds to you and, where public, to other users.
• To improve the product using anonymized analytics.

We do not use your data for advertising, sell it to anyone, or share it with third parties except as described below.

Because Stem is operated from the Netherlands, the General Data Protection Regulation (GDPR) applies. We process your personal data only where we have a lawful basis to do so:

• Contract performance (Article 6(1)(b)): processing your email address and username is necessary to provide the service — creating your account, sending sign-in links, and displaying your content.
• Legitimate interests (Article 6(1)(f)): we use anonymized analytics (Google Analytics) to understand how the product is used and improve it. This does not override your rights — the data is anonymized and you can opt out at any time.
• Consent (Article 6(1)(a)): if you choose to sign in with Google, you consent to us receiving your name and email from Google for account creation purposes.

We do not process your data for any purpose incompatible with the above. We do not use automated decision-making or profiling that produces legal or similarly significant effects.

Some of our third-party providers (Cloudflare, Resend, Google) process data outside the European Economic Area. Where this occurs, we rely on Standard Contractual Clauses (SCCs) or adequacy decisions to ensure your data receives equivalent protection. You can request details of the safeguards in place by emailing us.

Running Stem requires a small number of third-party services. Each receives only the minimum data necessary:

• Cloudflare (cloudflare.com) — hosts the app and database. All your data is stored on Cloudflare's infrastructure. Their privacy policy applies to infrastructure-level processing.
• Resend (resend.com) — sends sign-in emails. We share your email address with Resend solely to deliver these emails.
• Google Analytics — collects anonymized usage statistics. No personally identifiable information is sent. You can opt out using the Google Analytics opt-out browser add-on.
• Google Sign-In (if used) — if you choose to sign in with Google, we receive your name and email address from Google. We don't receive your Google password or any other account data.

Stems and finds you create are public by default — anyone can view them, including people who aren't signed in. This is intentional: Stem is built around open exploration.

Your email address is never shown publicly.

If you'd like your content to be private, you can mark individual stems as private from the stem page. Private stems are only visible to you.

We keep your data for as long as your account exists. If you delete your account, we delete your personal data (email, profile) and all content you created within 30 days. Anonymized analytics data may be retained longer.

You can:

• Access your data — email us and we'll send you an export.
• Delete your account — email [email protected] with the subject "Delete my account." We'll process it within 7 days.
• Correct your data — update your profile from the Settings page, or email us for anything you can't change yourself.

If you're in the EU or UK, you also have rights under GDPR/UK GDPR including the right to data portability and to lodge a complaint with a supervisory authority.

We use one first-party cookie: stem_session, which keeps you signed in for 30 days. It's set as HttpOnly and Secure — it cannot be accessed by JavaScript and is only sent over HTTPS.

Google Analytics sets its own cookies for usage tracking. See Google's cookie policy for details.

We take reasonable precautions: all data is transmitted over HTTPS, sign-in tokens are stored as hashes (not plaintext), and sessions are cryptographically random. No system is perfectly secure, but we take these threats seriously.

Stem is not directed at children under 13. We don't knowingly collect data from anyone under 13. If you believe a child has created an account, please email us and we'll remove it promptly.

If we make material changes, we'll update the date at the top of this page. For significant changes, we'll notify you by email. Continued use of Stem after changes means you accept the updated policy.

Questions or concerns about your privacy? Email [email protected]. We'll respond within 5 business days.