Legal
Privacy Policy
Last updated: 1 July 2026
Weavu is a research tool that lets you capture highlights, comments, and notes from the pages and documents you read, and consolidates them into source-grounded "capsules." This policy explains exactly what data the Weavu browser extension collects, where it goes, and the choices you have. We designed Weavu to send us as little as possible — the extension does not track your general browsing, and we never sell your data.
Who we are
Weavu is operated by Ciprian Talmacel (sole trader) ("Weavu", "we", "us"). For any privacy question or to exercise your rights, contact [email protected].
Data we collect and why
1. Account & identity
You can sign in with Google or create an account with an email address and password. Through Google OAuth we receive your email address, name, and profile picture (scopes: openid, email, profile). We do not receive your Google password and we request no access to your Gmail, Drive, or other Google data. If you use an email-and-password account instead, your password is stored on our servers as a salted hash — we never store or can read your plaintext password.
2. Content you capture
When you save a highlight, comment, tag, link, or page, the extension uploads the selected text and the associated page or document content to Weavu's backend so we can store it in your project, connect it in your graph, and generate capsules. Files you upload (for example PDFs) are stored in Amazon Web Services (AWS) S3, and PDFs are processed by Datalab, our document-parsing subprocessor, to extract their text and layout for OCR. This content is only captured when you explicitly trigger a save — Weavu does not read or collect pages you merely visit.
3. AI processing
To generate summaries, explanations, and capsules, the content you capture is sent to third-party large-language-model providers — currently Google (Gemini) as the primary provider and OpenAI as a fallback — via our backend. These providers process the content to return a result to you. This processing happens under each provider's API terms of service, which state that content submitted through their APIs is not used to train their models. For quality assurance and debugging, some prompts and AI outputs — which can include your captured content — are also logged through Langfuse, our AI-run tracing subprocessor.
4. Product analytics
We use PostHog (hosted in the EU) to understand how Weavu is used so we can improve it. Our analytics are deliberately minimal and privacy-preserving:
- We do not record your screen or use session replay.
- We do not capture page URLs, domains, page titles, the text you highlight, or your search queries.
- We only send coarse, predefined event types (for example "a highlight was saved", "a tag was added", "sign-in failed") plus non-identifying context such as a coarse surface name, app version, and your project id.
- Events are associated with your Weavu user id, never your email or name.
- Before you sign in, a small number of events (app install, and sign-in attempt/failure) are recorded against a random anonymous identifier generated on your device, since we don't yet know who you are. When you sign in, that identifier is merged into your account so we don't double-count you — it is never linked to your name or email.
- As with any web request, PostHog receives the IP address of each analytics request as part of normal HTTP processing, and uses it to derive an approximate (city/country-level) location for aggregate reporting. We do not use precise, GPS-level location.
5. Realtime updates
We use Ably to stream status updates (for example when a capsule finishes generating) to the extension in real time. These payloads carry only task and status identifiers — a task id, its status, task type, and the associated project id — and never your content, highlighted text, or page URLs.
6. Local storage
The extension stores preferences and session data locally in your browser (via the browser's extension storage) — for example your theme and sign-in session. This stays on your device except where syncing your account requires it.
What we do NOT collect
Your general browsing history, the pages you visit without saving, your Google or Weavu password in plaintext, and your highlighted text, page URLs, or search queries in analytics. Weavu is not an ad product; we do not sell, rent, or trade your personal data, and we do not use it for advertising.
Where your data is processed
Your account and captured content are stored on our backend and in AWS S3, in the EU (Frankfurt, eu-central-1) region. Analytics are processed by PostHog in the EU. AI processing is performed by Google and OpenAI under their respective API terms.
Retention & deletion
We keep your account and captured content for as long as your account is active. You can delete individual captures or entire projects at any time inside Weavu — this removes them from your workspace immediately. Residual copies may persist for a limited period in internal systems and backups before they are fully purged.
We don't yet have a self-serve option to delete your whole account. To request full account deletion, email [email protected] and we will complete it within 30 days.
Your rights
Depending on where you live (including under the GDPR and CCPA), you may have the right to access, correct, export, or delete your personal data, and to object to or restrict certain processing. To exercise any of these, contact [email protected].
Third-party services we rely on
- Google OAuth — authentication (identity).
- Amazon Web Services (S3) — file storage.
- Google (Gemini) & OpenAI — AI processing of captured content.
- Datalab — document and OCR processing of uploaded PDFs.
- Langfuse — AI-run tracing; receives prompts and AI outputs, which can include your captured content, for quality and debugging purposes.
- Pydantic Logfire — backend performance and observability telemetry.
- PostHog (EU) — privacy-preserving product analytics.
- Ably — realtime status updates.
Children
Weavu is not directed to children under 16 and we do not knowingly collect their data.
Changes to this policy
We will update this page when our practices change and revise the "last updated" date above.
Contact
Questions? [email protected]. See also our Terms of Service.