Privacy Policy

We collect only what is necessary to operate the service.

Account data

• —

  Your email address, used to send you a magic link to sign in. Stored by Supabase Auth.

• —

  A session token managed via a secure HTTP-only cookie. No passwords are stored — ever.

Content you save

• —

  URLs of X/Twitter threads you save via the Chrome extension.

• —

  The text, author handle, author name, timestamps, and media URLs of individual posts within those threads, as parsed by the extension at the moment of saving.

• —

  Artifacts you generate (timelines, rabbit trails, articles) — including the AI-generated text and the source thread content used to produce it.

Extension data

• —

  An extension authentication token (prefixed lrt_) that you generate in your account settings. This token is stored locally in Chrome storage on your device. We store only a SHA-256 hash of it on our servers — the plaintext token is never stored server-side.

Usage data

• —

  Standard server logs (IP address, user agent, request path, timestamp) retained by our hosting provider Vercel for up to 30 days for security and debugging purposes. We do not use these for analytics or marketing.

• —

  We do not use advertising trackers or third-party analytics (no Google Analytics, no Meta Pixel).

• —

  We do not read your browser history or any tabs other than the X/Twitter tab you are actively saving.

• —

  We do not sell your data to anyone.

• —

  We do not collect payment information — LoreRabbit is currently free.

• —

  To authenticate you and maintain your session.

• —

  To store your saved threads and generated artifacts in your private vault.

• —

  To send your thread content to our AI provider (Moonshot AI) to generate timelines, rabbit trails, and articles. See section 4 for details on this.

• —

  To serve your vault and any public artifacts you choose to publish.

• —

  To respond to support requests you send us.

We use a small number of infrastructure providers. We do not share data with advertisers, data brokers, or analytics companies.

Supabase — supabase.com

Stores your account (email), vault items, thread posts, and artifacts. Data is hosted on AWS in us-east-1. Supabase is SOC 2 Type II certified. See their privacy policy at supabase.com/privacy.

Moonshot AI (Kimi K2) — moonshot.ai

When you click “Turn into Trail / Timeline / Article”, the text content of your saved thread is sent to Moonshot AI's API to generate the artifact. This means thread content leaves our servers and is processed by Moonshot AI. We send only the post text and author handles — no email, no account identifiers. Moonshot AI's data processing terms apply. We recommend not saving threads containing sensitive personal information you would not want processed by a third-party AI service.

Vercel — vercel.com

Hosts the lorerabbit.com web application. Standard request logs (IP, path, timestamp) are retained by Vercel per their data retention policy. See vercel.com/legal/privacy-policy.

Google Fonts — fonts.googleapis.com

Loads the Space Grotesk and Space Mono typefaces. Your browser makes a request to Google Fonts when loading the web app. Google may log this request. See fonts.google.com/about for details.

Artifacts are private by default. When you click “Publish to Public Archive”, the artifact and its content (the AI-generated text and source thread metadata) become publicly accessible at a shareable URL and listed on the /explore page.

You can only publish — there is currently no self-serve way to unpublish an artifact once it is public. If you need an artifact removed, email us at privacy@lorerabbit.com and we will remove it promptly.

We use one cookie: a secure HTTP-only session cookie issued by Supabase Auth when you sign in. It is used solely to keep you logged in. We do not use advertising cookies, tracking cookies, or persistent analytics cookies.

• —

  Account data: retained until you delete your account.

• —

  Vault items and posts: retained until you permanently delete them or delete your account.

• —

  Artifacts: retained until deleted or your account is closed.

• —

  Extension tokens: the hashed token is retained until you revoke it from Settings → Extension or delete your account.

• —

  Server logs: retained by Vercel for up to 30 days.

If you are in the European Economic Area, UK, or California, you have the following rights. We honour these for all users regardless of location.

• —

  Access: request a copy of the data we hold about you.

• —

  Correction: ask us to fix inaccurate data.

• —

  Deletion: ask us to delete your account and all associated data.

• —

  Portability: request your data in a machine-readable format.

• —

  Objection: object to processing where we rely on legitimate interests.

• —

  Withdrawal of consent: where processing is based on consent, withdraw it at any time.

To exercise any of these rights, email privacy@lorerabbit.com. We will respond within 30 days.

LoreRabbit is not directed at children under 13. We do not knowingly collect data from children. If you believe a child has provided us with personal data, contact us and we will delete it immediately.

If we make material changes to this policy, we will update the effective date at the top and, where practical, notify users by email. Continued use of LoreRabbit after changes are posted constitutes acceptance of the updated policy.

Questions, requests, or concerns about this policy: