Legal

Privacy Policy

Last updated: 17 May 2026

1. Who we are

Banora is operated by:

We are the data controller for the personal data described in this policy, under Article 4(7) of the EU General Data Protection Regulation (GDPR).

For any privacy question or to exercise your rights, email hi@banora.dev. We respond within 30 days.

2. What this policy covers

This policy explains what personal data Banora collects when you use the Banora mobile app, how we use it, who we share it with, where it goes, and what rights you have.

Banora is designed so most of your content stays on your device, with as little as possible going to our servers — and only one of our processors is outside the EU/UK.

3. Data we collect

Account data

Your email address, used to sign in via one-time code. We don't store passwords.

Content you create

• Voice recordings. Captured on your device and transcribed locally using Apple's on-device speech recognition. The audio file is deleted from your device within seconds of transcription and is never uploaded to our servers.
• Transcripts of your thoughts.
• Categories you create and how you organize thoughts into them.
• Corrections you make when the AI's categorization is wrong (used to improve future categorization for you).

Subscription data

If you subscribe to Banora Pro: your subscription state, purchase history, and entitlement. Processed via RevenueCat (see section 5).

Technical data

Minimal technical signals needed to operate the app: a user ID we generate, sync state, timestamps. Listed in our App Store privacy declaration (`PrivacyInfo.xcprivacy`).

We do not use analytics SDKs, advertising identifiers, or third-party trackers in the app.

4. How we use your data and on what legal basis

We process your data only for the purposes listed here, under the following GDPR Article 6 bases.

To provide the service — Art. 6(1)(b), contract performance

• Authenticate you and let you sign in.
• Store and sync your thoughts and categories.
• Run AI categorization, embedding, and suggestion features.
• Process subscriptions.
• Send service emails (login codes, account notices).

The AI processing is part of the core service — Banora's main function is to organize thoughts using AI — so this falls under contract performance, not consent. If you want to opt out of AI features specifically, contact us at hi@banora.dev.

To protect the service and you — Art. 6(1)(f), legitimate interest

• Detect and prevent abuse, fraud, and security incidents.
• Diagnose bugs and operate the service reliably.

Our legitimate interests are: keeping the service running, protecting users, and meeting our operational duties. You can object to this processing by emailing hi@banora.dev — we'll review on the merits.

To meet legal obligations — Art. 6(1)(c)

• Respond to lawful requests from public authorities.
• Keep records required by tax, accounting, or commercial law.

We do not use your data for advertising, building profiles for third parties, or selling to anyone. We don't use your content to train AI models, and we've configured our infrastructure to prevent that (see section 5).

5. Where your data goes — our processors

Below is the complete list of services that process Banora user data on our behalf. Each is a "processor" under GDPR Art. 28, contractually bound to use your data only on our instructions.

Supabase — database, authentication, storage

Banora is hosted on Supabase in the United Kingdom, covered by the EU adequacy decision for the UK. Supabase processes data as our processor under a signed Data Processing Agreement.

• What goes there: your account record, transcripts, categories, corrections, sync metadata.
• Location: London, UK.
• Transfer basis: UK adequacy decision (no Standard Contractual Clauses required for EU→UK transfer).
• DPA: signed. Public terms: https://supabase.com/legal/dpa

OpenAI — AI processing

We have configured our OpenAI account to disable API call logging and to opt out of all data sharing for OpenAI's model training. OpenAI may retain API request data for up to 30 days for abuse monitoring, after which it is deleted.

• What goes there: transcript text and minimal contextual information the AI needs to embed and categorize your thought. We do not send your email address or other directly identifying personal information.
• Location: United States.
• Transfer basis: EU Standard Contractual Clauses, incorporated via OpenAI's Business Terms.
• DPA: incorporated by reference into OpenAI's Business Terms (https://openai.com/policies/data-processing-addendum/).
• Model training: disabled for our account.
• Logging: disabled for our account.

RevenueCat — subscription management

RevenueCat handles subscription management on our behalf. International transfers from the EU/UK to the US are covered by the EU Standard Contractual Clauses and the UK International Data Transfer Addendum.

• What goes there: a pseudonymous user identifier, your subscription state, and purchase events (start, renew, cancel, refund). We do not send transcripts, categories, or other content to RevenueCat.
• Location: United States.
• Transfer basis: EU SCCs + UK International Data Transfer Addendum.
• DPA: signed via RevenueCat Customer Agreement. Public terms: https://www.revenuecat.com/dpa/
• RevenueCat sub-processors (all US): AWS, Elastic, Sentry, Honeycomb, Snowflake, Cloudflare. Listed in RevenueCat's published sub-processor list, updated periodically.

Resend — authentication emails

We use Resend (resend.com, Ireland) to deliver authentication emails. Resend processes your email address solely for the purpose of delivering these messages, under their Data Processing Addendum.

• What goes there: your email address and the one-time code or notification content.
• Location: Ireland (EU).
• Transfer basis: no third-country transfer — processed in the EU.
• DPA: standard, in force by default. Public terms: https://resend.com/legal/dpa

Apple — App Store and in-app purchases

Apple is a separate controller for your App Store account and your subscription purchase contract — not our processor. When you subscribe to Banora Pro, Apple processes your payment under Apple's own privacy policy. We receive only the entitlement status (subscribed or not), not your Apple ID details, payment information, or App Store activity.

6. International data transfers

Most of your data stays in the EU/UK:

• Supabase (UK): UK adequacy decision, no SCCs needed.
• Resend (Ireland, EU): no international transfer.

Two services involve transfer to the United States:

• OpenAI (US): under EU Standard Contractual Clauses.
• RevenueCat (US): under EU Standard Contractual Clauses + UK International Data Transfer Addendum.

You can request a copy of the SCCs in place by emailing hi@banora.dev.

7. How long we keep your data

• Audio recordings: deleted from your device within seconds of transcription. Never uploaded.
• Thoughts, categories, corrections, account data: kept as long as your account exists.
• When you delete an individual thought: the thought itself is fully deleted from our servers — the transcript, any rich text, and the vector embedding used by the AI for similarity search are all removed. Training signals derived from that thought — correction signals you provided about it, and classifier exemplars admitted from its content — are removed automatically in the same operation. Data previously sent to OpenAI for processing remains subject to OpenAI's 30-day abuse-monitoring retention described in section 5; after that window, OpenAI deletes it.
• When you delete your account: your personal data is deleted immediately, including all your thoughts, categories, corrections, and account record. Purchase event records (records of subscription start, renew, cancel, and refund events) are retained separately for 10 years to comply with German tax law (§ 147 Abgabenordnung), after which they are permanently deleted. These records contain a pseudonymous user identifier together with subscription event data; they do not contain your name, email address, or any content you created in Banora. Legal basis: Art. 6(1)(c) GDPR (compliance with a legal obligation).
• Backups: our hosting provider may retain encrypted backups for a limited operational period (per Supabase's default retention). These backups are inaccessible for general use and are overwritten on schedule.
• Legal/tax records: where law requires retention (e.g. for invoicing or tax purposes), we keep only what's required, for the period required.

8. Your rights under GDPR

You have the following rights regarding your personal data:

• Right of access (Art. 15): ask what data we have about you.
• Right to rectification (Art. 16): correct inaccurate data.
• Right to erasure (Art. 17): delete your data.
• Right to restrict processing (Art. 18): limit what we do with it.
• Right to data portability (Art. 20): receive your data in a portable format.
• Right to object (Art. 21): object to processing based on legitimate interest.
• Rights related to automated decision-making (Art. 22): see section 9.

How to exercise your rights

• Access your data: email hi@banora.dev.
• Export your data: use the in-app function (Settings → Profile → Export Data). Produces a JSON file containing your thoughts and the categories you've organized them into.
• Delete your data: delete individual thoughts in the app, or delete your entire account from Settings → Profile → Delete Account.
• All other rights: email hi@banora.dev.

We respond within 30 days, free of charge.

Right to complain

You can complain to a data protection supervisory authority. The competent authority for Banora is:

Berliner Beauftragte für Datenschutz und Informationsfreiheit Alt-Moabit 59–61 10555 Berlin https://www.datenschutz-berlin.de/

You can also complain to the supervisory authority in the EU country where you live.

9. AI processing — what to know

Banora uses AI (OpenAI's foundation models) to:

• Suggest categories for your thoughts
• Surface related thoughts and patterns
• Generate suggestions and nudges

These features run on OpenAI's API with the configuration described in section 5 (no model training, logging disabled, SCCs in place).

Is this "automated decision-making" under GDPR Article 22? The categorization is automated, but it has no legal or similarly significant effect on you — it only organizes notes in your app, and you can override any suggestion. We do not consider it Article 22 decision-making, but you can object to AI processing at any time by emailing hi@banora.dev. If you object, we will discuss with you whether the app can still operate for your needs without AI features.

Accuracy: AI is fallible. Treat its output as a starting point, not a verdict. You can correct any categorization, and the app learns from your corrections to do better for you.

10. Security

We take reasonable technical and organizational measures to protect your data:

• Encryption in transit: all connections to our servers use HTTPS/TLS.
• Encryption at rest: our hosting provider encrypts stored data per Supabase platform defaults.
• Access controls: Row-Level Security (RLS) policies in the database mean each user can only access their own data, enforced at the database layer.
• Token storage: authentication tokens on your device are kept in iOS Keychain (the system's secure storage).
• Audio handling: voice recordings are processed and deleted on-device within seconds; never uploaded.
• Data minimization: we collect only what we need.

No security is perfect. If we ever experience a data breach that affects your personal data, we will notify you and the competent supervisory authority as required by GDPR Articles 33 and 34.

11. Children

Banora is for adults — you must be at least 18 to use it. We do not knowingly collect personal data from anyone under 18. If you believe a minor has created an account, email hi@banora.dev and we will delete the account.

12. Our website

The `banora.dev` website is a static site. It does not set cookies, run analytics, or load third-party trackers. If we ever add anything that collects personal data on the website, we will update this policy first.

13. Changes to this policy

We may update this policy when our services change or when law requires it. For material changes, we will notify you in the app or by email at least 30 days before they take effect. Smaller changes (clarifications, corrections) take effect when we post the updated policy.

You can always see when the policy was last updated at the top of this page.

14. Contact

For any privacy question or to exercise your rights: