Privacy Policy

Last updated: March 2026

Version 1.1

The protection of your personal data is important to us. This privacy policy informs you about the nature, scope, and purpose of the processing of personal data.

🏢Data Controller

Scribomate - Martin LoreckGrote Raak 20622417 HamburgGermanyEmail: info@scribomate.ai

📊Overview of Data Processing

We process the following categories of personal data:

Authentication data (email, name via Google OAuth)
Created book content, prompts, whiteboard conversations
Payment data (via Lemon Squeezy)
Technical data (IP address for contract conclusions)

Note: Please do not enter special categories of personal data (Art. 9 GDPR) such as health data, political opinions, or religious beliefs in your book content.

⚖️Legal Basis (Art. 6 GDPR)

•Art. 6 Para. 1 lit. b GDPR – Contract performance (book generation, credit system)
•Art. 6 Para. 1 lit. a GDPR – Consent (Google OAuth)
•Art. 6 Para. 1 lit. f GDPR – Legitimate interest (security, evidence preservation)

🤖AI Processing (Google Vertex AI)

Your Privacy Advantage with Scribomate

To provide AI-powered book generation, we use Google Vertex AI as a data processor:

🌍Primary server location: EU. Some AI models processed in other Google Cloud regions under Vertex AI DPA

🚫Zero Training Policy: Your inputs are NOT used to train AI models

🔧Models: Gemini (Google) – processed via Google Vertex AI

Legal basis: Art. 6 Para. 1 lit. b GDPR (contract performance)

🔐Authentication (Google OAuth)

When signing in with Google, the following data is collected:

Email address
Name (display name)
Google User ID

📚Book Creation and Storage

Your created books and content are stored in two locations:

Book content, sections, metadata → Supabase (EU-West-1, Ireland)
Database location: EU (Ireland). Media: in the user's Google account
Legal basis: Contract performance, DPA with Supabase and Google in place

Media files (images, audio, video, PDF/EPUB) are stored in your personal Google Drive. You are the data controller for these files. Scribomate processes this data solely on your behalf as part of the service delivery (Art. 28 GDPR). Consent for Google Drive usage is given through Google's OAuth consent screen during sign-in.

You can revoke Google Drive permissions at any time in your Google Account settings (myaccount.google.com/permissions). Please note that the service may not be fully usable afterward.

When you delete your account, your data on our servers is deleted. Your media files in the Google Drive folder "Scribomate" will be preserved and can be deleted by you at any time.

📝Whiteboard Conversations

Temporary storage of your brainstorming sessions for continuation. Deletion possible by you at any time. Not used for AI training.

🔊Text-to-Speech (Audio Generation)

For converting book sections into audio, we use Google services:

Providers: Google Cloud TTS and Google Vertex AI (Gemini TTS)
Server location: Google Cloud TTS in the EU. Gemini TTS model-dependent (EU or global). Always with enterprise DPA and zero retention.
Audio exports are permanently stored in the user's Google Drive. There is no automatic expiration — you manage your files yourself.
You can access your audio files at any time via your Google Drive

🎨Text-to-Image (Illustration)

For generating illustrations, we use Google Vertex AI:

Provider: Google Vertex AI
Server location: Primarily EU regions with automatic region rotation. Fallback to other Google Cloud regions under load. Always with enterprise DPA and zero training.
Generated images are permanently stored in the user's Google Drive. There is no automatic expiration — you manage your files yourself.
You can access your illustrations at any time via your Google Drive

💳Payment Processing (Lemon Squeezy)

For payment processing, we use Lemon Squeezy as Merchant of Record:

Processed data: Payment data (credit card, etc.)
Recipient: Lemon Squeezy (Lemonsqueezy, LLC, USA)
Legal basis: DPF certification for USA data transfer

🍪Cookies and Local Storage

We use only technically necessary cookies and local storage:

Session cookies for authentication (Supabase Auth)
Language settings (LocalStorage)
Auto-save settings (LocalStorage)

🛡️Abuse Protection (Rate Limiting)

To protect our systems from abuse, we temporarily process:

IP address (only for non-logged-in users)
OR your User ID (only for logged-in users)
Request counter

Important: IP address and User ID are NEVER stored together – association is not possible.

Storage: Only in working memory (RAM), no database. Maximum retention: 20 minutes. Immediate deletion on server restart.

Legal basis: Art. 6 Para. 1 lit. f GDPR (legitimate interest in system security)

🤝Data Processors

Railway – Hosting (Web Server) – EU – DPA in place (via ToS)

Supabase – Database – EU (Ireland) – DPA in place

Google Ireland Ltd. – Media Storage (User's Google Drive, User is Data Controller) – EU (Ireland) – Consent via OAuth

Google Vertex AI – AI Generation (LLM) – EU / Global – DPA available

Google Cloud TTS – Text-to-Speech – EU – DPA available

Google Vertex AI – Image Generation (TTI) – EU / Global – DPA available

Google Vertex AI – Audio Generation (Gemini TTS) – US – DPA available

Google Vertex AI – Video Generation (TTV) – US – DPA available

🌐Third Country Transfers

The following services transfer data to the USA but are DPF-certified (Data Privacy Framework):

Google OAuth – DPF certified
Lemon Squeezy – DPF certified

AI processing via Google Vertex AI is partly in the EU, partly in other Google Cloud regions — always under Google's enterprise DPA with zero training and zero retention guarantees.

⏱️Data Retention

Account data: Until account deletion
Book content: As long as your account is active
Whiteboard conversations: Until you delete them
Media files (Google Drive): Permanently in your Google Drive — managed by you
After account deletion: Personal data removed within 30 days
Contract records (email snapshot, consent records): 8 years (§ 147 AO as of 2025)

📋Storage of Contract Records

When accepting our Terms of Service and making purchases, we store for evidentiary purposes:

Time of acceptance/purchase
Version of accepted Terms
Your email address at the time of the action
Your IP address
The exact wording of your consent statement

This data is retained even after deletion of your account, as it is required for the fulfillment of legal obligations and for the establishment or defense of legal claims.

Legal basis: Art. 6 Para. 1 lit. b GDPR (contract performance), Art. 6 Para. 1 lit. f GDPR (legitimate interest in evidence preservation), Art. 17 Para. 3 lit. b, e GDPR (exception from deletion obligation)

Retention period: 8 years from end of contract

Reasoning: Tax retention obligation under § 147 AO (8 years as of 2025). IP addresses are deleted after 6 months.

🔒Data Security

Encryption: TLS for transmission, AES for storage
Access control: Row Level Security (Supabase)
No sharing with third parties except the named data processors

Your Rights (Art. 15-22 GDPR)

You have the following rights regarding your personal data:

Access (Art. 15) – Find out what data we store about you

Rectification (Art. 16) – Correct inaccurate data

Deletion (Art. 17) – Delete your data (via delete account)

Restriction (Art. 18) – Restrict processing

Data portability (Art. 20) – Receive your data in machine-readable format

Objection (Art. 21) – Object to processing

Withdrawal (Art. 7 Para. 3) – Withdraw your consent at any time

⚠️Right to Lodge a Complaint

You have the right to lodge a complaint with a data protection supervisory authority:

Competent supervisory authority:

The Hamburg Commissioner for Data Protection and Freedom of InformationKurt-Schumacher-Allee 420097 Hamburghttps://datenschutz-hamburg.de

📝Changes to This Policy

The date of the last update is shown above. We will notify you in the app of any material changes.

End of Privacy Policy • Scribomate Trust Framework