Privacy Policy

Last updated: 26 May 2026

MyFaves is operated by Stacksy ("we", "us"). This policy describes what data we collect, why, and what choices you have.

What we collect

• Account — your email, a bcrypt hash of your password, and your chosen subdomain.
• Your favourites — the URLs, titles, descriptions, and categories you add.
• Settings — UI toggles, share-link configuration, and quick-app preferences.
• Session data — a session cookie (random token) plus a record of your IP and user-agent for each session, used for sign-in and abuse prevention.
• Share-link access logs — when someone with a share URL views your page, we increment a view counter and timestamp it. We don't collect their IP or identity.
• Audit log — meaningful writes you make (creating favourites, regenerating share links, etc.) are logged for security and support.

Why we collect it

Only to provide the service: serving your tile page, syncing your data, sending verification and password-reset emails, and protecting your account.

What we don't do

• We don't sell or share your data with anyone.
• We don't run third-party ad trackers or analytics.
• We don't use your favourites for any purpose other than displaying them on your page.

Third parties

To run the service we use:

• Cloudflare — DNS resolution for myfaves.io.
• Sendgrid — sending transactional emails (verification, password reset).
• Google — your browser fetches favicons and (if you submit) search queries via Google services directly.
• Open-Meteo — if the weather chip is enabled, your browser sends approximate coordinates to api.open-meteo.com.
• Hostinger — our hosting provider; servers are located in Europe.

We never share your account data with these providers beyond what's strictly required to deliver email or proxy traffic.

Cookies

We use a single HttpOnly session cookie (myfsess) when you're signed in. No advertising cookies, no third-party trackers.

Browser extension

Our optional browser extension ("MyFaves — save to your start page", available for Chrome, Edge, Brave and Firefox) is governed by this same policy. Specifically:

• What it stores locally — your MyFaves API token, an optional "new-tab override" preference (on/off), and the URL of your tile page (so the new-tab page can redirect synchronously). These live in chrome.storage.local on your device only. They never leave your browser except for API calls to myfaves.io when you save a tab.
• What it sends to us — when you click Save to MyFaves, the URL and title of the active tab plus your chosen category/description are sent to our API (the same API the web dashboard uses). When you connect for the first time, your API token is validated against our server. That's the entire network surface.
• What it doesn't do — no tab activity tracking, no browsing history, no analytics, no third-party telemetry. The extension cannot read tab content; it only reads the URL and title of the currently active tab when you click its toolbar icon.
• New-tab override — when you opt in (off by default), every new tab in your browser redirects to your MyFaves tile page (or your custom domain, if active). The redirect happens locally inside your browser using the cached URL; we don't see new-tab activity.
• Permissions explained — activeTab lets us read the current tab's URL+title only when you click the toolbar icon; storage persists the API token and preferences; chrome_url_overrides.newtab enables the optional override; host permission for https://myfaves.io/* scopes our API calls to our own domain.
• Removing it — clicking disconnect in the extension popup wipes all locally-stored keys; uninstalling the extension removes them entirely. We don't keep any record of which browsers an account has the extension installed in.

Your data, your control

• Export — email us and we'll send you a JSON of everything we have on you.
• Delete — email us and we'll permanently delete your tenant and all related data. (Self-service deletion is coming.)
• Correction — change your email or password from your dashboard at any time.

Data retention

We keep your data as long as your account is active. Deleted accounts are fully purged within 7 days (no soft-delete, no backups beyond the standard 7-day rolling window).

Security

Passwords are bcrypt-hashed with a cost of 12. Sessions are server-side, opaque tokens. Every connection is HTTPS with strong ciphers. The favicon resolver is SSRF-guarded.

Children

MyFaves isn't intended for children under 13. We don't knowingly collect data from anyone under 13.

Changes

If we change this policy in a material way, we'll email everyone with an account before the change takes effect.

Contact

Questions, deletion requests, or anything else: kristen@stacksy.com.au

← Back