Privacy Policy for Scinta
Effective date: 5 July 2026
This Privacy Policy explains what personal data Scinta ("the App," "we," "us") collects, why, the legal bases on which we process it, who we share it with, and the rights you have under the EU General Data Protection Regulation (GDPR) and Portuguese data-protection law. It is written to be accurate to how the App actually works — please read it alongside the Terms of Service.
1. Who we are (Data Controller)
Scinta is operated by Alex Ovdienko, an individual (sole trader) based in Portugal, European Union, acting as the data controller for the personal data described here.
- Controller: Alex Ovdienko
- Location: Portugal, EU
- Contact: scinta.support@gmail.com
We have not appointed a Data Protection Officer (DPO), as we are not required to under Article 37 GDPR. For any privacy question or to exercise your rights, email scinta.support@gmail.com. A postal contact address can be provided on request.
2. What Scinta does, in plain terms
Scinta is a voice-first note-taking app for iPhone. You record short voice notes; the App transcribes them to text, generates a short auto-title, and — over time — groups related notes into emerging "themes" with short synthesised summaries, and lets you ask questions across your own notes. Your audio recordings stay on your device. The text that comes out of transcription is what we store, encrypted, in our cloud database.
3. What data we process, and why
3.1 Account identity
When you create an account using Sign in with Apple or Sign in with Google, those providers send us, and we store:
- your email address,
- your display name / full name (only if the sign-in provider provides it), and
- a user ID (a unique identifier created by our authentication provider, Supabase Auth).
This account information originates from Apple or Google as part of the sign-in you choose. We never receive or store your Apple or Google password. With Sign in with Apple, if you choose Apple's "Hide My Email" relay, we only ever see the relay address.
Why: to create and secure your account, keep your notes private to you, and let you sign back in across devices. Legal basis: performance of our contract with you (Article 6(1)(b) GDPR). Providing this information is necessary to create an account; without it, the App cannot be used.
3.2 Voice recordings (audio)
Audio you record is captured via your device microphone (with your permission) and stored locally on your device only. We do not keep a copy of your audio on our servers, and audio is not included in any cloud backup or device-to-device sync in this version of the App.
To produce a transcript, the App sends the audio transiently to our transcription provider (OpenAI) for a single request. OpenAI processes the audio to return text; we do not retain the audio server-side, and our backend holds the audio bytes only for the duration of that one request before dropping them.
Why: to transcribe your spoken note into text. Legal basis: performance of our contract with you (Article 6(1)(b)) and your consent to microphone access (Article 6(1)(a)). If you decline or later withdraw microphone permission, you simply will not be able to record new voice notes; everything else continues to work.
Note on a possible future feature. A future version may offer an opt-in, off-by-default encrypted cloud backup of your recordings. We will update this Policy and ask for your explicit choice before any audio leaves your device for backup. Unless and until you turn such a feature on, audio remains local-only.
3.3 Transcripts and auto-titles
- The transcript is generated by OpenAI's speech-to-text service from your recording.
- The auto-title is generated by an OpenAI text model from your transcript.
The resulting transcript and title are stored encrypted at rest (AES-256-GCM) in our cloud database (Supabase, hosted in the United States, region us-west-1). They are decrypted only transiently by our backend to serve them back to you, to power features you trigger, or for the processing described below.
Why: to store, display, search and sync your notes. Legal basis: performance of the contract (Article 6(1)(b)).
3.4 Synthesis-derived data (themes, summaries, embeddings)
As a core feature, the App analyses your notes to surface recurring themes and generate short "wiki" summaries. This processing runs as background jobs (on Trigger.dev) and uses:
- Anthropic (Claude) to mine, cluster and write theme summaries, and to answer your "ask your notes" questions; and
- Voyage AI to create vector embeddings (numeric representations of your note text used for semantic search and clustering).
To do this, the relevant transcript text is sent to these providers for processing. The outputs — theme records, summaries, and embeddings — are stored encrypted at rest in our database and scoped to your account.
When you use the "ask your notes" feature, excerpts of your most relevant notes are sent to Anthropic (Claude) to compose an answer with citations back to your notes.
Why: to provide the synthesis and question-answering features that are central to the App. Legal basis: performance of the contract (Article 6(1)(b)).
No solely-automated decisions about you. These AI features produce notes, summaries and answers for your own use. We do not use them to make any decision that produces a legal or similarly significant effect on you within the meaning of Article 22 GDPR, and we do not use your content to build a profile of you (see Section 3.7).
3.5 Note metadata
We also store, alongside each note: tags you add, a processing status, the audio duration (a number, not the audio itself), and timestamps (created/updated/deleted). This metadata is stored in our database to organise and sync your notes.
Why: to provide and sync the note list. Legal basis: performance of the contract (Article 6(1)(b)).
3.6 On-device cost ledger
The App keeps a small local file recording the estimated cost of the AI calls made for your notes. This never leaves your device and is not sent to us.
3.7 What we do NOT do
- We do not show ads.
- We do not sell, rent, or trade your personal data.
- We do not include third-party advertising, analytics, attribution, or tracking SDKs in the App. We do not track you across other companies' apps or websites within the meaning of Apple's App Tracking Transparency framework.
- We do not profile you for marketing or build a behavioural profile of you.
(We do not currently collect crash reports or usage analytics. If we ever add diagnostics, we will update this Policy first and keep them privacy-preserving.)
4. Sub-processors (third parties that process your data)
We use the following service providers ("sub-processors") to operate the App. Each processes data only on our instructions and under a contract that includes data-protection obligations. Some are located in the United States; see "International transfers" below.
| Sub-processor | Purpose | Data processed | Location |
|---|---|---|---|
| Supabase | Authentication + encrypted database hosting | Account identity (email, name, user ID); encrypted transcripts, titles, themes, summaries, embeddings; note metadata | United States |
| OpenAI | Audio transcription + auto-titling | Audio (transiently, for one request, not retained by us); transcript text for titling | United States |
| Anthropic | Synthesis (theme mining, summaries) and answering "ask your notes" queries | Transcript text / excerpts | United States |
| Voyage AI | Vector embeddings for semantic search and clustering | Transcript text | United States |
| Trigger.dev | Running background synthesis jobs | Orchestrates the above on transcript text | United States |
| Vercel | Serverless API hosting (the backend your app talks to) | Data in transit through our API requests | United States |
Apple and Google act as independent controllers for the sign-in step itself; their handling of your Apple ID / Google account is governed by their own privacy policies.
We may change sub-processors as the App evolves. Material changes will be reflected in an updated version of this Policy.
5. International transfers
We are based in the EU (Portugal), but several sub-processors listed above are located in the United States, so your data is transferred outside the European Economic Area (EEA). Where we transfer personal data outside the EEA, we rely on appropriate safeguards under Chapter V GDPR — principally the European Commission's Standard Contractual Clauses (SCCs) incorporated into our agreements with those providers, and, where the provider is certified, its participation in the EU–U.S. Data Privacy Framework. You have the right to obtain a copy of, or more information about, these safeguards by emailing scinta.support@gmail.com.
6. Retention
- Account identity, transcripts, titles, themes, summaries, embeddings, and metadata: kept for as long as your account exists, so the App can show and sync your notes.
- Notes you delete individually: when you delete a single note, it is removed from your device and marked as deleted on our servers. Its encrypted record may be retained server-side (in encrypted form, no longer shown to you) for a limited period to keep your devices in sync and then purged; it is in any case permanently erased when you delete your account.
- Audio recordings: kept locally on your device for as long as you keep them there; you can delete any recording at any time from within the App. We never hold a server copy.
- Audio sent for transcription: held only transiently by OpenAI for the single transcription request; not retained by us.
- On-device cost ledger: stays on your device until you delete the App or its data.
- Security and background-job logs: our authentication provider keeps time-boxed sign-in/security audit logs, and our background-processing provider (Trigger.dev) keeps job run history keyed by your opaque user ID — both retained on their rolling schedules for security and reliability (our legitimate interests, Article 6(1)(f) GDPR). Encrypted database backups may also retain deleted records until they age out of the provider's backup window, after which they are purged.
When you delete your account (see Section 8), we delete all of the above server-side data and your stored identity.
7. Security
We take the security of your content seriously. Measures include:
- Encryption at rest: transcripts, titles and synthesis-derived content are encrypted with AES-256-GCM before being stored in our database.
- Encryption in transit: all communication between the App, our backend, and our providers uses TLS.
- Per-user access control: every request is authenticated with a per-user token (JWT); our backend scopes every database query to the authenticated user.
- Database isolation: Row-Level Security (RLS) is enabled on every data table with an owner-only policy, and direct anonymous database access is denied by default ("default-deny").
- Audio minimisation: audio is never persisted on our servers.
These measures encrypt your content at rest, but they are not end-to-end encryption: because our backend must decrypt content transiently to provide the App's features, we hold the encryption key. No system is perfectly secure, but these measures are designed to keep your notes private to you.
8. Your rights, and how to delete your account
Under the GDPR you have the right to:
- Access — get a copy of the personal data we hold about you;
- Rectification — correct inaccurate or incomplete data;
- Erasure ("right to be forgotten") — have your data deleted;
- Portability — receive your data in a portable format;
- Restriction — ask us to limit processing in certain circumstances;
- Object — object to certain processing;
- Withdraw consent — where processing is based on consent (e.g. microphone access), withdraw it at any time (this does not affect processing already carried out). You can revoke microphone permission in your iPhone Settings.
Deleting your account (in-app): You can delete your account and all associated server-side data directly in the App, under Settings → Account → Delete account. This:
- permanently deletes all of your data on our servers — notes (transcripts and titles), themes, summaries, embeddings, metadata — and your stored sign-in identity; and
- wipes your notes and audio recordings from your device.
This action is immediate and irreversible. Because your audio and notes are stored on your device, deleting the App also removes the local copies.
Portability / export: Your notes are stored on your device as plain Markdown files, which you can export and take with you at any time from within the App.
To exercise any other right, email scinta.support@gmail.com. We will respond within one month, as required by Article 12(3) GDPR. We do not charge a fee for reasonable requests.
Right to complain: If you believe we have not handled your data lawfully, you may lodge a complaint with the Portuguese supervisory authority:
Comissão Nacional de Proteção de Dados (CNPD) Av. D. Carlos I, 134 – 1.º, 1200-651 Lisboa, Portugal Website: https://www.cnpd.pt
You may also complain to the supervisory authority in your EU country of residence.
9. Children
Scinta is not directed to children. You must be at least 16 years old (or the minimum digital-consent age in your country, which under GDPR may be as low as 13) to use the App. We do not knowingly collect personal data from children under that age. If you believe a child has provided us with personal data, contact scinta.support@gmail.com and we will delete it.
10. Changes to this Policy
We may update this Privacy Policy as the App evolves or as legal requirements change. When we make material changes, we will update the "Effective date" above and, where appropriate, notify you in the App. The current version is always available at https://scinta.vercel.app/privacy. Continued use of the App after an update means you accept the revised Policy.
11. Contact
For any privacy question, or to exercise your rights:
Alex Ovdienko — scinta.support@gmail.com Portugal, EU