PALIMPS

Privacy Policy

Last updated: May 10, 2026 · Version 2.1

In short: PALIMPS keeps your reading data for you and your books. We don't sell it, we don't use it for ads, we don't share it with third parties. You can delete your data at any time.

Türkçe sürüm

0. Data Controller

The data controller responsible for the processing of your personal data under this policy is:

  • Controller: PALIMPS (iOS application)
  • Capacity: A mobile app operated by an independent individual developer
  • Location: Istanbul, Türkiye
  • Contact: hello@palimps.app
  • Full identity and postal address: provided via email upon formal written request under KVKK Art. 13 / GDPR Art. 15.

1. Data we collect

PALIMPS only collects data required to run the app:

  • Email address: shared by Apple when you sign in (you may choose a Hide My Email private relay address).
  • Name: if you choose to share it during Apple Sign In.
  • User ID: an anonymous identifier generated by Apple, tied to your account.
  • Photos: book page or cover photos you take or pick from your library. Stored encrypted on Cloudflare R2, tied to your account, kept until you delete your account.
  • User content: notes, quotes, book titles, author names and similar text you enter; plus printed text automatically extracted by AI text recognition (OCR), highlighted/underlined passages, and transcriptions of handwritten marginal notes from photos you capture.
  • Subscription status: if you become a PALIMPS Pro subscriber, the minimum information required to validate your subscription. Card numbers and billing addresses remain with Apple.
  • Technical data: for crash and error reports: device model, OS version, app version, IP address, anonymized user identifier, and stack traces. No ad tracking.
  • Cookies and local storage: a session cookie (for auth), iOS Keychain (token + user profile summary), and in-app AsyncStorage (language preference, onboarding state, notification settings).

2. How we use it

We use the data only to:

  • Open and secure your account,
  • Sync your books and notes across devices,
  • Power core features (page photo analysis: OCR, highlight detection, transcription of handwritten margin notes, search, backup),
  • Understand technical issues and crashes (anonymized crash reports),
  • Manage your PALIMPS Pro subscription and grant access to Pro features.

We never use your data for advertising or marketing; we do not sell data.

Legal basis (GDPR Art. 6 / KVKK Art. 5): Account creation, subscription management, and core feature operation rely on contract performance; security and error diagnostics on legitimate interest; cross-border data transfer and AI-based photo analysis on your explicit consent (you accept this policy by signing in with Apple).

3. Tracking

PALIMPS does not share data with any ad network, analytics service or data broker. There are no ads in the app. We do nothing that falls under "tracking" in Apple's App Tracking Transparency framework.

4. Where data is stored

  • Text data (notes, quotes, book metadata, OCR outputs, highlight and margin-note transcriptions): stored encrypted at rest on Railway infrastructure within the European Union. In transit via TLS 1.2+.
  • Photos: stored encrypted on Cloudflare R2; only your account can access them.
  • Local cache: your device's iOS Keychain (session token) and AsyncStorage (preferences) may keep a local copy for speed.
  • Crash & error data: stored on Sentry on European Union servers.
  • Temporary cross-border transfer for processing: Page photos and the text they contain are sent to Google's Gemini API (USA) for photo analysis (OCR, highlight and margin-note detection) and Pro AI features. Your data is not used by Google for model training.
  • Subscription metadata: the minimum information required to validate your subscription is transferred via RevenueCat (USA).

5. Third-party services (Data Processors)

PALIMPS uses the following infrastructure services. A Data Processing Agreement under KVKK Art. 9 and GDPR Art. 28 is in place with each.

  • Apple (Apple Inc., USA): Sign in with Apple: authentication. App Store In-App Purchase: processes PALIMPS Pro subscription payments. Card numbers and billing addresses remain with Apple.
  • Railway (Railway Corp.; servers within the EU): application server and database infrastructure. Your text data is stored encrypted here.
  • Cloudflare R2 (Cloudflare, Inc.): photo storage.
  • Sentry (Functional Software, Inc.; data on EU servers): crash and error reports. Sharing for product improvement is disabled.
  • RevenueCat (RevenueCat, Inc.): subscription management and validation. No financial data is transferred.
  • Google Gemini (Google LLC, USA): used for page photo analysis (OCR, highlight and handwritten margin-note detection), automatic summary/tag generation, and Pro chat features. The content of your photos and notes is sent to the Gemini API for processing. Your data is not used for model training.

6. Retention periods

DataDurationLegal basis
Account (user row)Until account deletionContract performance
Books, moments, text contentUntil account deletion; individual items may be deletedExplicit consent + contract
Photos (R2)Deleted immediately upon account deletionContract performance
Subscription history12 months pseudonymized after account deletionLegal obligation (accounting)
Sentry error logs90 daysLegitimate interest (error detection)
Gemini API requestsShort retention period set by GoogleLegitimate interest
Session token (Keychain)Until sign-outContract performance

7. Children's privacy

PALIMPS is not directed to and does not knowingly collect data from users under 13. If you believe your child has shared data with us, contact us and we will delete it promptly.

8. Your rights

Under KVKK Art. 11 and GDPR Art. 15-22, every user has the right to:

  • Know whether their personal data is being processed,
  • Request information about that processing,
  • Learn the purpose of processing and whether data is used accordingly,
  • Know the third parties to which data is transferred domestically or internationally (see Section 5),
  • Request correction if data is incomplete or inaccurate,
  • Request deletion or destruction of personal data: available directly in the app (Settings → Delete Account),
  • Request a copy of their data via email,
  • Object to decisions made solely by automated processing that affect them adversely,
  • Seek damages for losses arising from unlawful processing.

Legal maximum for deletion is 30 days; our internal target is 7 days. For requests: hello@palimps.app.

9. Data breach notification

In the event of a personal data breach, we commit to notify the relevant authorities within 72 hours, and affected users where there is a high risk to their rights and freedoms, pursuant to KVKK Art. 12 and GDPR Art. 33.

10. Changes

When we update this policy, the "Last updated" date above will change. For significant changes we'll notify you within the app.

11. Contact