Privacy Policy

Last updated: 2026-04-01

Controller

Anton - Johannes Rost

Rheinstraße 12, 55116 Mainz, Germany

Email: alpaca-labs.dev@proton.me

What we process

We process account data, authentication data, app usage counters, and note/group content required to provide Pocket Orbit features.

If you sign in with Google or Apple, we also process the identity data those providers return to us for account access, such as email address and provider account identifiers.

If you use AI summaries, your submitted note/group content is processed through our AI provider to generate summaries.

If you use OCR scan features, images you submit are processed to extract text and are handled transiently for conversion.

If you use the feedback board, we process public idea posts, votes, moderation reports, author-hide preferences, and private bug reports. Public ideas may be visible to other signed-in users, while private bug reports and moderation reports remain internal.

Analytics and abuse prevention

We use product analytics to understand feature usage, reliability, and high-level engagement patterns inside the app and landing experience.

We also process security and abuse-prevention data such as IP-based rate-limit signals and a hashed device fingerprint generated from device characteristics to help detect fraud, excessive multi-account creation, and misuse of free or trial limits.

OCR scan processing

OCR text extraction uses Google Cloud Vision as a processor.

Source images are processed for text extraction and are not stored as part of your account content unless you explicitly save extracted text as a note.

Waitlist

For the waitlist, we process your email address and anti-abuse verification data (reCAPTCHA token). Waitlist emails are kept until launch and then deleted after 2 months.

Legal bases

  • Account and core app features: contract performance.
  • Security, abuse prevention, and service reliability: legitimate interests.
  • Optional communications/marketing where applicable: consent.

Processors and hosting

Main backend hosting: Hetzner Online GmbH (Germany). Landing frontend hosting: Vercel.

Depending on feature use, processors may include OpenAI (AI summaries), PostHog (product analytics), Apple and Google (Sign-In), Google (reCAPTCHA, waitlist sheet, Google Cloud Vision OCR), and Proton (support email).

Retention

  • Refresh tokens: up to 7 days.
  • Server logs: up to 30 days.
  • Device/account abuse-prevention records: typically up to 30 days where the underlying control uses a rolling device or rate-limit window.
  • AI summary cache entries: up to 30 days before expiry.
  • Deleted accounts: immediate hard delete (including related user data cleanup).
  • Waitlist emails: until launch plus 2 months.
  • OCR scan images: transient processing for extraction only; no persistent image storage in app backend.
  • Feedback submissions and moderation records: retained only as long as needed to operate the feedback board, handle abuse, and support product triage.

Your rights

You can request access, correction, deletion, restriction, objection, and data portability under GDPR/DSGVO. Contact: alpaca-labs.dev@proton.me.