SteamyShelf
Search title, author, trope⌘KSign inSign up
Legal

Privacy policy

Last updated: 2026-05-20

Steamy Shelf is operated by 17816600 Canada Inc., a Canadian corporation (“Steamy Shelf,” “we,” “us,” “our”). This policy explains what we collect, how we use it, who we share it with, and what choices you have.

1. Who this applies to

Steamy Shelf is a romance book discovery and reading-tracking service for adults. You must be at least 18 years old to use it. This policy applies to the Steamy Shelf website and mobile apps. If you do not agree with this policy, do not use the service.

2. What we collect

Information you give us directly

  • Account information. Email address and authentication credentials when you sign up, managed by Supabase Auth.
  • Profile information. Username (required), display name, bio, and avatar URL (all optional except username).
  • Reading data you choose to record. Shelves (TBR, currently reading, read, did-not-finish), star ratings, heat-rating votes, content warning votes, content warning hard limits, written reviews, written DNF reasons, private notes, reread counts, favorite-scene tags.
  • Quiz answers. Reading preferences (favorite tropes, preferred heat level, subgenre signals) collected during onboarding.
  • Social content. Follow relationships, comments on reviews and lists, comment reports, book club memberships, club invites, club picks, comments on club picks.
  • Imports you choose to provide. Goodreads CSV exports if you use the import flow. We parse the CSV, match to our catalog, and write only the matched shelves and ratings to your account. Imported shelf rows default to private.

Information collected automatically

  • Operational metadata. IP address and user agent on each request, used for rate limiting and abuse prevention. Stored ephemerally; not persisted with your profile.
  • Auth session. A session cookie (web) or secure-stored token (mobile, via expo-secure-store) so you can stay signed in.
  • Anonymous usage telemetry. Aggregate counts of which features are used so we can prioritize work. Telemetry is not joined to your identity.

What we do not collect

  • Precise or coarse location.
  • Device contacts, calendar, photo library, microphone, or camera.
  • Health, fitness, or financial data.
  • Advertising identifiers (IDFA / GAID).
  • Biometric data. We use no facial recognition or fingerprinting beyond what your operating system applies to your stored authentication token.

3. How we use your information

  • To operate the service (display your shelves, compute match scores, run search).
  • To provide social features (publishing your reviews to public surfaces if not marked private, fanning out comments and notifications, surfacing follows-only signals).
  • To send transactional notifications inside the app (no email or push in this version).
  • To improve recommendations and the catalog.
  • To enforce our terms and prevent abuse (rate limiting, moderation, account suspension).
  • To respond to support requests and legal obligations.

We do not sell your personal information, do not share it with data brokers, and do not run third-party advertising networks against you.

4. Legal bases (EEA / UK / Canada)

If you are in the European Economic Area or the United Kingdom, our legal bases for processing are:

  • Contract. To operate the service you have signed up for.
  • Legitimate interests. To prevent abuse, improve the product, and run aggregate telemetry. We balance these interests against your rights.
  • Consent. Where required for optional features. You may withdraw consent at any time without affecting prior processing.
  • Legal obligation. To comply with law, including responses to lawful requests.

If you are in Canada, we collect, use, and disclose personal information in accordance with the federal Personal Information Protection and Electronic Documents Act (PIPEDA) and, where applicable, provincial privacy legislation including Quebec's Act respecting the protection of personal information in the private sector (Law 25). We rely on your consent (express or implied through your use of the service) and, where permitted, on legitimate business interests.

5. Sharing and disclosure

Things you choose to make public

These are visible to anyone with the link:

  • Your public profile (username, display name, avatar, bio).
  • Reviews you post without checking the private flag.
  • Public curated lists you create.
  • Public book club membership and the discussion under public club picks.
  • Comments on any of the above.
  • Aggregate trope votes, heat votes, and content warning votes.

Things you mark private (private shelves, private notes, content warning hard limits, invite-only club content) are not visible to other users.

Processors we use

  • Supabase, Inc. Database and authentication. United States. Supabase privacy policy.
  • Vercel, Inc. Web hosting and edge delivery for the web app. United States. Vercel privacy policy.
  • Expo, Inc. Build and over-the-air update delivery for the mobile app. United States. Expo privacy policy.
  • Apple Inc. and Google LLC. If you install the mobile app, your store account holder receives standard telemetry per their policies.
  • Anthropic, PBC. We use Claude to suggest taxonomy tags for books in our catalog. Catalog tagging operates on book titles, descriptions, and metadata only. We do not send user reviews, comments, ratings, or any other personal information to Anthropic.

These processors operate under contractual data-processing agreements. They are not permitted to use your information for their own purposes.

Independent controllers

When you click a retailer link (Amazon, Bookshop.org, Libro.fm, Apple Books, Kobo, Audible, and similar) you leave Steamy Shelf and are subject to that retailer's own privacy policy. Some of those links are affiliate links and we may earn a commission. We do not share your Steamy Shelf account information with the retailers; the only information they receive is whatever your browser or app sends them at the moment of the click.

Book catalog metadata comes from public sources, including Open Library. Their data and policies are governed by their operators.

Legal disclosures

We may disclose information when required by law, valid legal process, or to protect the rights, property, or safety of Steamy Shelf, our users, or others. We will challenge overbroad requests.

Business transfers

If Steamy Shelf is acquired, merged, or sold (in whole or in part), your information may transfer to the acquiring entity. We will notify you of any such change before your information becomes subject to a different policy.

6. Retention and deletion

We keep your information for as long as your account is active and as needed to operate the service. When you delete content, our soft-delete sweep removes it from public view immediately and purges the underlying record on a scheduled cleanup job. Backups containing your information are rotated and aged out within a reasonable backup retention window.

You can delete your account at any time from the profile screen. Account deletion removes your profile and the rows we host that are uniquely yours. Some content may persist in scrubbed form (e.g. a removed comment leaves a tombstone row so threading remains intact), without identifying you.

7. Your rights

Depending on where you live, you may have the right to:

  • Access and receive a copy of the information we hold about you.
  • Correct information that is inaccurate or incomplete.
  • Delete information (subject to our legitimate-interest exceptions).
  • Object to or restrict certain processing.
  • Withdraw consent where processing relies on consent.
  • Receive your information in a portable format.
  • Lodge a complaint with your local supervisory authority.

Most of these can be exercised directly from the profile screen. For requests that are not self-serve, contact us at the email below. We respond within 30 days.

California residents. Under the CCPA / CPRA, you may request information about and deletion of personal information we hold, and you may request that we not sell or share it. We do not sell or share personal information as defined in those laws.

Canadian residents. You have the right to access and correct the personal information we hold about you, to withdraw consent for our use of it, and to file a complaint with the Office of the Privacy Commissioner of Canada or your provincial privacy regulator (including the Commission d'accès à l'information du Québec, if you live in Quebec).

8. Security

Information is encrypted in transit between your device and our servers. At the database layer, row-level security ensures that other users cannot read your private rows. Administrative access is limited to designated personnel and audited. No system is perfectly secure; we strongly recommend a unique password on your account.

9. International transfers

We are a Canadian corporation. Our infrastructure runs in the United States (Supabase, Vercel, Expo). If you are in Canada, the EEA, the UK, or another jurisdiction whose data protection laws differ from US law, your information will be transferred to and processed in the US under appropriate safeguards, including Standard Contractual Clauses with our processors where required.

10. Children

Steamy Shelf is for adults. We do not knowingly collect information from anyone under 18. If you believe we have collected information from a minor, contact us and we will delete it.

11. Changes to this policy

We may update this policy. We will post the new version here and update the “Last updated” date above. Material changes will be announced in-app or via email if you have one on file. Continued use after a change constitutes acceptance.

12. Contact us

For privacy questions, requests, or to exercise your rights, contact us at privacy@steamyshelf.com. Postal mail can be sent to:

17816600 Canada Inc.
3534 Bank Street
Gloucester, ON K1T 3W3
Canada