Privacy Policy
Last updated: March 2026
Version 1.1
The protection of your personal data is important to us. This privacy policy informs you about the nature, scope, and purpose of the processing of personal data.
π’Data Controller
πOverview of Data Processing
We process the following categories of personal data:
- Authentication data (email, name via Google OAuth)
- Created book content, prompts, whiteboard conversations
- Payment data (via Lemon Squeezy)
- Technical data (IP address for contract conclusions)
Note: Please do not enter special categories of personal data (Art. 9 GDPR) such as health data, political opinions, or religious beliefs in your book content.
βοΈLegal Basis (Art. 6 GDPR)
- β’Art. 6 Para. 1 lit. b GDPR β Contract performance (book generation, credit system)
- β’Art. 6 Para. 1 lit. a GDPR β Consent (Google OAuth)
- β’Art. 6 Para. 1 lit. f GDPR β Legitimate interest (security, evidence preservation)
π€AI Processing (Google Vertex AI)
Your Privacy Advantage with Scribomate
To provide AI-powered book generation, we use Google Vertex AI as a data processor:
Legal basis: Art. 6 Para. 1 lit. b GDPR (contract performance)
πAuthentication (Google OAuth)
When signing in with Google, the following data is collected:
- Email address
- Name (display name)
- Google User ID
πBook Creation and Storage
Your created books and content are stored in two locations:
- Book content, sections, metadata β Supabase (EU-West-1, Ireland)
- Database location: EU (Ireland). Media: in the user's Google account
- Legal basis: Contract performance, DPA with Supabase and Google in place
Media files (images, audio, video, PDF/EPUB) are stored in your personal Google Drive. You are the data controller for these files. Scribomate processes this data solely on your behalf as part of the service delivery (Art. 28 GDPR). Consent for Google Drive usage is given through Google's OAuth consent screen during sign-in.
You can revoke Google Drive permissions at any time in your Google Account settings (myaccount.google.com/permissions). Please note that the service may not be fully usable afterward.
When you delete your account, your data on our servers is deleted. Your media files in the Google Drive folder "Scribomate" will be preserved and can be deleted by you at any time.
πWhiteboard Conversations
Temporary storage of your brainstorming sessions for continuation. Deletion possible by you at any time. Not used for AI training.
πText-to-Speech (Audio Generation)
For converting book sections into audio, we use Google services:
- Providers: Google Cloud TTS and Google Vertex AI (Gemini TTS)
- Server location: Google Cloud TTS in the EU. Gemini TTS model-dependent (EU or global). Always with enterprise DPA and zero retention.
- Audio exports are permanently stored in the user's Google Drive. There is no automatic expiration β you manage your files yourself.
- You can access your audio files at any time via your Google Drive
π¨Text-to-Image (Illustration)
For generating illustrations, we use Google Vertex AI:
- Provider: Google Vertex AI
- Server location: Primarily EU regions with automatic region rotation. Fallback to other Google Cloud regions under load. Always with enterprise DPA and zero training.
- Generated images are permanently stored in the user's Google Drive. There is no automatic expiration β you manage your files yourself.
- You can access your illustrations at any time via your Google Drive
πKeyword Market Research (SEO Recommendations)
Scribomate analyses publicly available keyword data from YouTube, Spotify, and Apple Books to generate data-driven recommendations for SEO titles, tags, and descriptions. Our server sends anonymous queries to the autocomplete APIs of these platforms β your browser is not involved and your IP address is never forwarded.
- Server requests: Our server (not your browser) sends anonymous keyword queries
- No personal data: Results are stored without any link to your account
- Recipients: Google LLC (YouTube, USA), Spotify AB (EU), Apple Inc. (iTunes, USA)
- Legal basis: Art. 6 Para. 1 lit. f GDPR (legitimate interest in SEO recommendations)
π³Payment Processing (Lemon Squeezy)
For payment processing, we use Lemon Squeezy as Merchant of Record:
- Processed data: Payment data (credit card, etc.)
- Recipient: Lemon Squeezy (Lemonsqueezy, LLC, USA)
- Legal basis: DPF certification for USA data transfer
πͺCookies and Local Storage
We use only technically necessary cookies and local storage:
- Session cookies for authentication (Supabase Auth)
- Language settings (LocalStorage)
- Auto-save settings (LocalStorage)
π‘οΈAbuse Protection (Rate Limiting)
To protect our systems from abuse, we temporarily process:
- IP address (only for non-logged-in users)
- OR your User ID (only for logged-in users)
- Request counter
Important: IP address and User ID are NEVER stored together β association is not possible.
Storage: Only in working memory (RAM), no database. Maximum retention: 20 minutes. Immediate deletion on server restart.
Legal basis: Art. 6 Para. 1 lit. f GDPR (legitimate interest in system security)
π€Data Processors
| Railway β Hosting (Web Server) β EU β DPA in place (via ToS) |
| Supabase β Database β EU (Ireland) β DPA in place |
| Google Ireland Ltd. β Media Storage (User's Google Drive, User is Data Controller) β EU (Ireland) β Consent via OAuth |
| Google Vertex AI β AI Generation (LLM) β EU / Global β DPA available |
| Google Cloud TTS β Text-to-Speech β EU β DPA available |
| Google Vertex AI β Image Generation (TTI) β EU / Global β DPA available |
| Google Vertex AI β Audio Generation (Gemini TTS) β US β DPA available |
| Google Vertex AI β Video Generation (TTV) β US β DPA available |
| Google LLC (YouTube) β Keyword market research (anonymous autocomplete queries) β USA β no personal data |
| Spotify AB β Keyword market research (anonymous autocomplete queries) β EU β no personal data |
| Apple Inc. (iTunes) β Keyword market research (anonymous autocomplete queries) β USA β no personal data |
πThird Country Transfers
The following services transfer data to the USA but are DPF-certified (Data Privacy Framework):
- Google OAuth β DPF certified
- Lemon Squeezy β DPF certified
AI processing via Google Vertex AI is partly in the EU, partly in other Google Cloud regions β always under Google's enterprise DPA with zero training and zero retention guarantees.
β±οΈData Retention
- Account data: Until account deletion
- Book content: As long as your account is active
- Whiteboard conversations: Until you delete them
- Media files (Google Drive): Permanently in your Google Drive β managed by you
- After account deletion: Personal data removed within 30 days
- Contract records (email snapshot, consent records): 8 years (Β§ 147 AO as of 2025)
πStorage of Contract Records
When accepting our Terms of Service and making purchases, we store for evidentiary purposes:
- Time of acceptance/purchase
- Version of accepted Terms
- Your email address at the time of the action
- Your IP address
- The exact wording of your consent statement
This data is retained even after deletion of your account, as it is required for the fulfillment of legal obligations and for the establishment or defense of legal claims.
Legal basis: Art. 6 Para. 1 lit. b GDPR (contract performance), Art. 6 Para. 1 lit. f GDPR (legitimate interest in evidence preservation), Art. 17 Para. 3 lit. b, e GDPR (exception from deletion obligation)
Retention period: 8 years from end of contract
Reasoning: Tax retention obligation under Β§ 147 AO (8 years as of 2025). IP addresses are deleted after 6 months.
πData Security
- Encryption: TLS for transmission, AES for storage
- Access control: Row Level Security (Supabase)
- No sharing with third parties except the named data processors
Your Rights (Art. 15-22 GDPR)
You have the following rights regarding your personal data:
β οΈRight to Lodge a Complaint
You have the right to lodge a complaint with a data protection supervisory authority:
Competent supervisory authority:
πChanges to This Policy
The date of the last update is shown above. We will notify you in the app of any material changes.
End of Privacy Policy β’ Scribomate Trust Framework