PEGS

PEGS/Privacy

Privacy Policy

Last updated: April 17, 2026

This policy describes how PEGS (operated by FORMSET) collects, uses, and protects information across the web app at pegs.online, the PEGS API, and the Save to PEGS Chrome extension. Questions? Email aj@formset.co.

Information we collect

When you use PEGS, we collect:

  • Account data — name, email address, and a hashed password (never stored in plain text). Managed by Supabase Auth.
  • Workspace and board content — the images, videos, PDFs, 3D models, URLs, and text cards you upload or paste to your boards, plus the layout data (positions, z-order, groupings) you create.
  • Billing information — processed entirely by Stripe. We receive a customer ID and subscription status; we never see or store your card details.
  • Technical metadata — session cookies for authentication, standard server request logs (IP address, timestamp, user agent) retained for up to 30 days for debugging and abuse prevention.

Save to PEGS Chrome extension

The extension is scoped to the smallest permissions required to save media to your boards. Specifically:

  • Authentication tokens (Supabase access and refresh tokens) are stored locally in chrome.storage.local. They never leave your device except to authenticate requests to the PEGS API.
  • Media URLs you explicitly choose to save — when you right-click an image, video, or link and select “Save to PEGS”, the extension sends that URL and your selected board ID to the PEGS API. The server fetches the media and stores it in your board.
  • Locally cached data — your list of boards, last-used board, and recent saves are cached in chrome.storage.local for convenience. This data stays on your device.

The extension does not track your browsing history, does not run on pages unless you explicitly invoke it, and does not transmit any data except when you click “Save to PEGS”. It does not use analytics, ad networks, or third-party trackers.

How we use your information

We use the information we collect to:

  • Provide and operate the PEGS service (host your boards, sync with collaborators, generate thumbnails and URL previews).
  • Authenticate you and keep your account secure.
  • Bill your subscription through Stripe if you have a paid plan.
  • Debug errors, prevent abuse, and improve reliability.
  • Respond to your support requests.

What we don't do

  • We do not sell your personal information.
  • We do not use your board content to train AI models or for any purpose other than delivering the service to you.
  • We do not run third-party advertising or tracking pixels.
  • We do not share your content with anyone outside your workspace (collaborators you've invited).

Sub-processors

We use the following vendors to operate PEGS. Each processes only what's needed for their role:

  • Supabase — database, authentication, file storage, and realtime sync.
  • Vercel — application hosting and request routing.
  • Stripe — subscription billing. Handles all payment details; we never receive card numbers.

Security

All traffic is encrypted in transit via HTTPS. Passwords are hashed at rest by Supabase Auth. File storage and database access are protected by Row Level Security policies that scope data to the owning user or workspace. We enforce rate limits on authenticated endpoints to mitigate abuse.

No system is perfectly secure. If you discover a vulnerability, please report it responsibly by emailing the address above.

Data retention

Your account and board content are retained for as long as your account is active. When you delete a board, its items and files are removed from storage immediately. When you delete your account (by emailing us), all personal data and content are removed within 30 days, except where retention is required by law (e.g., tax records tied to billing).

Your controls and rights

  • Export — use the PNG and PDF export options in any board to download your content.
  • Delete — delete individual items, boards, or workspaces at any time from within the app.
  • Account deletion — email the address above to request full account deletion.
  • Access and correction — residents of the EU, UK, or California may request a copy of their personal data or correction of inaccuracies by emailing us.

Cookies

PEGS uses first-party cookies strictly required for authentication and session management. We do not use advertising or analytics cookies.

Children's privacy

PEGS is not directed to children under 13 and we do not knowingly collect personal data from children. If you believe a child has provided us with personal information, contact us and we will remove it.

Changes to this policy

We may update this policy from time to time. The “Last updated” date at the top reflects the most recent revision. Material changes will be announced in-app or by email.

Contact

FORMSET, operator of PEGS. Email aj@formset.co for any privacy-related questions or requests.