Privacy Policy
Last updated: May 10, 2026 · Version 2.1
In short: PALIMPS keeps your reading data for you and your books. We don't sell it, we don't use it for ads, we don't share it with third parties. You can delete your data at any time.
0. Data Controller
The data controller responsible for the processing of your personal data under this policy is:
- Controller: PALIMPS (iOS application)
- Capacity: A mobile app operated by an independent individual developer
- Location: Istanbul, Türkiye
- Contact: hello@palimps.app
- Full identity and postal address: provided via email upon formal written request under KVKK Art. 13 / GDPR Art. 15.
1. Data we collect
PALIMPS only collects data required to run the app:
- Email address: shared by Apple when you sign in (you may choose a Hide My Email private relay address).
- Name: if you choose to share it during Apple Sign In.
- User ID: an anonymous identifier generated by Apple, tied to your account.
- Photos: book page or cover photos you take or pick from your library. Stored encrypted on Cloudflare R2, tied to your account, kept until you delete your account.
- User content: notes, quotes, book titles, author names and similar text you enter; plus printed text automatically extracted by AI text recognition (OCR), highlighted/underlined passages, and transcriptions of handwritten marginal notes from photos you capture.
- Subscription status: if you become a PALIMPS Pro subscriber, the minimum information required to validate your subscription. Card numbers and billing addresses remain with Apple.
- Technical data: for crash and error reports: device model, OS version, app version, IP address, anonymized user identifier, and stack traces. No ad tracking.
- Cookies and local storage: a session cookie (for auth), iOS Keychain (token + user profile summary), and in-app AsyncStorage (language preference, onboarding state, notification settings).
2. How we use it
We use the data only to:
- Open and secure your account,
- Sync your books and notes across devices,
- Power core features (page photo analysis: OCR, highlight detection, transcription of handwritten margin notes, search, backup),
- Understand technical issues and crashes (anonymized crash reports),
- Manage your PALIMPS Pro subscription and grant access to Pro features.
We never use your data for advertising or marketing; we do not sell data.
Legal basis (GDPR Art. 6 / KVKK Art. 5): Account creation, subscription management, and core feature operation rely on contract performance; security and error diagnostics on legitimate interest; cross-border data transfer and AI-based photo analysis on your explicit consent (you accept this policy by signing in with Apple).
3. Tracking
PALIMPS does not share data with any ad network, analytics service or data broker. There are no ads in the app. We do nothing that falls under "tracking" in Apple's App Tracking Transparency framework.
4. Where data is stored
- Text data (notes, quotes, book metadata, OCR outputs, highlight and margin-note transcriptions): stored encrypted at rest on Railway infrastructure within the European Union. In transit via TLS 1.2+.
- Photos: stored encrypted on Cloudflare R2; only your account can access them.
- Local cache: your device's iOS Keychain (session token) and AsyncStorage (preferences) may keep a local copy for speed.
- Crash & error data: stored on Sentry on European Union servers.
- Temporary cross-border transfer for processing: Page photos and the text they contain are sent to Google's Gemini API (USA) for photo analysis (OCR, highlight and margin-note detection) and Pro AI features. Your data is not used by Google for model training.
- Subscription metadata: the minimum information required to validate your subscription is transferred via RevenueCat (USA).
5. Third-party services (Data Processors)
PALIMPS uses the following infrastructure services. A Data Processing Agreement under KVKK Art. 9 and GDPR Art. 28 is in place with each.
- Apple (Apple Inc., USA):
- Sign in with Apple: authentication.
- App Store In-App Purchase: processes PALIMPS Pro subscription payments. Card numbers and billing addresses remain with Apple.
See Apple's privacy policy.
- Railway (Railway Corp.; servers within the EU): application server and database infrastructure. Your text data is stored encrypted here. See Railway's privacy policy.
- Cloudflare R2 (Cloudflare, Inc.): photo storage. See Cloudflare's privacy policy.
- Sentry (Functional Software, Inc.; data on EU servers): crash and error reports. Sharing for product improvement is disabled. See Sentry's privacy policy.
- RevenueCat (RevenueCat, Inc.): subscription management and validation. No financial data is transferred. See RevenueCat's privacy policy.
- Google Gemini (Google LLC, USA): used for page photo analysis (OCR, highlight and handwritten margin-note detection), automatic summary/tag generation, and Pro chat features. The content of your photos and notes is sent to the Gemini API for processing. Your data is not used for model training. See Google's privacy policy.
6. Retention periods
| Data | Duration | Legal basis |
|---|
| Account (user row) | Until account deletion | Contract performance |
| Books, moments, text content | Until account deletion; individual items may be deleted | Explicit consent + contract |
| Photos (R2) | Deleted immediately upon account deletion | Contract performance |
| Subscription history | 12 months pseudonymized after account deletion | Legal obligation (accounting) |
| Sentry error logs | 90 days | Legitimate interest (error detection) |
| Gemini API requests | Short retention period set by Google | Legitimate interest |
| Session token (Keychain) | Until sign-out | Contract performance |
7. Children's privacy
PALIMPS is not directed to and does not knowingly collect data from users under 13. If you believe your child has shared data with us, contact us and we will delete it promptly.
8. Your rights
Under KVKK Art. 11 and GDPR Art. 15-22, every user has the right to:
- Know whether their personal data is being processed,
- Request information about that processing,
- Learn the purpose of processing and whether data is used accordingly,
- Know the third parties to which data is transferred domestically or internationally (see §5),
- Request correction if data is incomplete or inaccurate,
- Request deletion or destruction of personal data: available directly in the app (Settings → Delete Account),
- Request a copy of their data via email,
- Object to decisions made solely by automated processing that affect them adversely,
- Seek damages for losses arising from unlawful processing.
Legal maximum for deletion is 30 days; our internal target is 7 days. For requests: hello@palimps.app.
9. Data breach notification
In the event of a personal data breach, we commit to notify the relevant authorities within 72 hours, and affected users where there is a high risk to their rights and freedoms, pursuant to KVKK Art. 12 and GDPR Art. 33.
10. Changes
When we update this policy, the "Last updated" date above will change. For significant changes we'll notify you within the app.
11. Contact
Questions? hello@palimps.app