Bkmker

Privacy Policy

Last updated: March 2026

1. What Bkmker is

Bkmker is an encrypted bookmark manager. All bookmark content (URLs, titles, notes) is encrypted on your device before it reaches our servers using a Secret Key that only you hold. We have no technical ability to read your bookmarks.

2. Data we collect and why

Email address

Used solely to identify your account, send login links, and notify you of account-related changes (e.g. email confirmation, subscription status). We will never use your email address for marketing, promotional campaigns, newsletters, or any other commercial communication. No exceptions.

IP address & browser / device information

When you log in, we record your IP address and user-agent string (browser name and operating system) alongside the session token. This data is used exclusively for account security: it lets you review active sessions, spot logins you don't recognise, and revoke them. It is not used for profiling, advertising, or analytics.

Lawful basis: Legitimate interests (Article 6(1)(f) GDPR) and performance of contract (Article 6(1)(b) GDPR). We rely on Recital 49, which explicitly recognises that processing personal data to the extent strictly necessary for network and information security constitutes a legitimate interest of the controller. This tracking is a security feature of the service itself; without it session management could not be provided.

Encrypted bookmark data

We store the ciphertext your device produces. Because encryption happens on your device using your Secret Key, we cannot read, index, or process the plaintext content of your bookmarks.

Web server logs

Our web server records standard HTTP access logs (IP address, request path, response code, timestamp). These logs are not linked to registered user accounts and are retained for a short period for infrastructure and security purposes only.

3. No marketing — ever

We will never use your email address or any other personal data to market to you. There are no newsletters, promotional emails, re-engagement campaigns, or targeted advertisements. If you receive an email from Bkmker it is because it relates directly to your account (login link, billing receipt, or a change you initiated).

Any promotion of Bkmker as a product takes place solely through our public website. We do not purchase advertising audiences, share data with ad networks, or enrich your profile with third-party data for any purpose.

4. What we do not collect

  • The content of your bookmarks (end-to-end encrypted)
  • Browsing history outside of Bkmker
  • Analytics events, tracking pixels, or behavioural data
  • Data from third-party advertising networks

5. Browser extension

Bkmker offers a browser extension for Chrome, Edge, and Firefox. This section explains exactly what the extension can access, what it stores on your device, and what it sends to Bkmker's servers.

What it accesses in your browser

The extension requests the following permissions:

  • Active tab — reads the URL and title of the tab you are currently viewing, but only at the moment you open the extension popup. The extension does not monitor your browsing passively and has no access to tabs you are not actively saving from.
  • Scripting — runs a small script in the current tab when you open the popup to extract page metadata (description, preview image URL) so the bookmark can be saved with richer detail. This script runs only on demand, not in the background.
  • Storage — stores your authentication token, cached email address, and optionally an encrypted PIN on your device using the browser's local storage. Vault encryption keys are stored in session storage only and are automatically cleared when the browser closes.
  • Cookies (bkmker.com only) — used solely to complete the login handoff between the Bkmker website and the extension.

What it sends to Bkmker's servers

When you save a bookmark, the extension encrypts the URL, title, description, and preview image URL on your device before transmitting the ciphertext to Bkmker's API. We receive only encrypted data — we cannot read the content of bookmarks saved via the extension. The extension communicates exclusively with bkmker.com and sends nothing to any third party.

Refreshing bookmark metadata

The vault includes a Refresh metadata option on each bookmark. When you use it, the extension's background process fetches the original page directly from your browser to extract its title, description, and preview image. This request is made by your browser, not Bkmker's servers, so the original website will see your IP address and browser information — the same as if you visited the page yourself. The fetched metadata is encrypted on your device before being saved; Bkmker never sees the plaintext content or the URL being fetched. This feature is only triggered by your explicit action on a specific bookmark.

To support this, the extension requests permission to access https://*/* and http://*/* — broad URL permissions that allow the background process to read page content from any website. This permission is used exclusively for the on-demand metadata refresh described above and for nothing else.

What it does not do

  • It does not monitor your browsing history or track which sites you visit.
  • It does not have access to pages you are not actively saving from.
  • It does not transmit any data to third parties.
  • It does not read the content of pages beyond the metadata needed to create a bookmark.

The Firefox version of the extension explicitly declares data_collection_permissions: none in its manifest, in accordance with Mozilla's add-on store requirements.

6. Bookmark previews and external content

Bkmker can display a preview image for saved bookmarks (typically the thumbnail or cover image associated with the original page). When this preview is shown, your browser loads the image directly from the original website's server — not from Bkmker's servers.

Bkmker has no involvement in this request and does not see, log, or process any data from it. However, as a consequence of how the web works, the original content owner's server will receive a standard HTTP request from your browser. That request includes your IP address, browser and device information, and potentially a referrer header. If the original site uses analytics, tracking pixels, or advertising scripts, those may also fire when the image loads — entirely under the control of the original content owner and their own privacy policy, not ours.

This is equivalent to what happens any time your browser loads an image hosted on an external website. We disclose it here so you can make an informed choice: if you are privacy-conscious about a particular site being able to observe that you have visited or interacted with one of their pages, you should be aware that loading its preview image has that effect. Bkmker itself gains nothing from this — the bookmark content is end-to-end encrypted and we cannot see what you have saved.

If you would prefer that no external images are loaded at all, you can enable Privacy mode in your vault. When Privacy mode is on, all preview images and favicons are hidden and no requests are made to external servers for display purposes. The setting is persistent and can be toggled at any time from the vault header.

7. Data retention

  • Session tokens expire after 14 days of inactivity; associated IP and device data is removed with them.
  • Account data (email, encrypted bookmarks) is retained until you delete your account.
  • On account deletion, all personal data is permanently erased.

8. Third-party processors

We will never sell, rent, trade, or otherwise share your personal data with any third party for their own purposes. Your data is shared with two service providers only, and solely to the extent required for those services to function:

Sinch / Mailgun — transactional email delivery

All emails we send (login links, account notifications) are delivered through Mailgun, a product of Sinch AB — a company headquartered in Stockholm, Sweden and itself subject to GDPR. To deliver an email, your email address and the content of that email are transmitted to Mailgun's infrastructure. Mailgun acts as a data processor on our behalf — they process this data solely to deliver the message and are contractually prohibited from using it for any other purpose. No email tracking (open or click) is enabled; Mailgun does not receive any information about whether or how you interact with emails we send.

Stripe — payment processing

When you subscribe, Stripe receives your email address as a billing identifier and the payment details you enter directly into Stripe's interface. We receive back only a customer identifier and subscription status — we never see or store your raw card data. Stripe operates under its own privacy policy and is independently responsible for the payment data it holds.

Outside of these two delivery flows, your data does not leave Bkmker. We do not integrate analytics services, advertising networks, data brokers, CRM platforms, or any other tool that would receive your personal information.

9. International data transfers

Bkmker is operated from Portland, Oregon, USA. If you are located in the EEA or UK, your personal data is transferred to and processed in the United States when we send you an email (via Mailgun) or when you subscribe (via Stripe).

Sinch / Mailgun: Sinch AB is headquartered in the EU and is itself bound by GDPR. Mailgun's email delivery infrastructure may process data in the US; this transfer is covered by Standard Contractual Clauses (SCCs) under Article 46(2)(c) GDPR, which Sinch makes available as part of its data processing terms.

Stripe: Stripe, Inc. is a US company certified under the EU–US Data Privacy Framework (DPF), providing an adequacy-equivalent transfer basis under Article 45 GDPR. Stripe also offers SCCs for jurisdictions not covered by the DPF adequacy decision.

No other international transfers of your personal data take place.

10. Your rights (EEA, UK, and equivalent jurisdictions)

If you are in the EEA, UK, or a jurisdiction with equivalent legislation, you have the following rights under GDPR (or the equivalent applicable law):

  • Access (Art. 15): request a copy of the personal data we hold about you.
  • Rectification (Art. 16): ask us to correct inaccurate or incomplete data.
  • Erasure (Art. 17): request deletion of your personal data. You can also do this directly by deleting your account in Settings.
  • Restriction (Art. 18): ask us to pause processing of your data in certain circumstances.
  • Portability (Art. 20): receive your data in a structured, machine-readable format.
  • Object (Art. 21): object to processing based on legitimate interests. Where we rely on legitimate interests for session security tracking, we may decline an objection where we have compelling grounds — specifically, the security of your account — as recognised by Recital 49 GDPR and stated in our Terms of Service.
  • Lodge a complaint: you have the right to lodge a complaint with your local supervisory authority (e.g. your national data protection authority within the EEA, or the ICO in the UK) if you believe we have not handled your data lawfully.

To exercise any of these rights, contact us through the details provided on our website. We will respond within 30 days; for complex or multiple requests we may extend this by a further two months and will notify you if we do so.

11. Changes to this policy

We may update this policy from time to time. Material changes will be communicated by email or by a notice on the site. Continued use of Bkmker after a change constitutes acceptance of the updated policy.

12. Contact

For privacy enquiries, please contact us through the details provided on our website.