Privacy Policy
Effective date: 2026-04-15 · Last updated: 2026-04-15
1. Who we are
SayTide is a native iOS application that helps surfers capture, structure, and reflect on their sessions. The service is operated by Sei Dake (see section 15 for full legal identification).
This Privacy Policy explains what personal data we process, why, who we share it with, and how you can exercise your rights. It applies to the SayTide iOS app and any related service we provide.
Contact for privacy questions: hello@saytide.com.
2. Scope
This policy covers the SayTide iOS app distributed through the Apple App Store. Third-party services linked from the app are governed by their own privacy policies.
3. Data we process
We only collect what we need to operate the service.
3.1 Account data
Email address received through Sign in with Apple. If you use Apple's private relay, we only receive the relay address.
3.2 Session content
When you record a surf session, we process a temporary voice recording (see section 8), the transcript produced from it, and structured session data generated by AI — such as date, spot, conditions, board used, personal notes, and coaching reflections.
3.3 Surfboard collection
Descriptive metadata for each board you add, such as name, type, dimensions, and visual preferences.
3.4 AI insights
AI-generated insights linked to your session history.
3.5 Usage counters
Aggregate counts of processing calls and reset timestamps, used to enforce service limits.
3.6 Subscription state
If you subscribe to SayTide Pro: entitlement status, product identifier, expiry date, and subscription events received from Apple. We do not receive or store payment cards, billing addresses, or any financial instrument. Billing is handled entirely by Apple.
3.7 Analytics
We use TelemetryDeck for privacy-first analytics. Your identifier is hashed with a per-app salt before transmission, so events cannot be linked back to your account. We collect pseudonymous usage events — such as feature adoption and error rates — to improve the product. We do not collect IP addresses, device identifiers, advertising identifiers, or precise location through analytics.
3.8 Device permissions
The app requests microphone access (to record your voice note) and speech recognition (used on-device by Apple's speech framework). You can revoke either permission at any time from iOS Settings → Privacy & Security.
4. Why we process your data
Under Article 6 of the GDPR:
| Purpose | Legal basis |
|---|---|
| Authenticate you and provide the core journaling features | Performance of a contract, Art. 6(1)(b) |
| Transcribe audio and generate structured session data and insights | Performance of a contract, Art. 6(1)(b) |
| Manage your subscription and entitlements | Performance of a contract, Art. 6(1)(b) |
| Enforce usage limits and protect the service from abuse | Legitimate interest, Art. 6(1)(f) |
| Understand aggregate product usage through pseudonymous analytics | Legitimate interest, Art. 6(1)(f) |
| Respond to support requests and legal claims | Legitimate interest, Art. 6(1)(f) |
Where a legitimate interest is invoked, we have carried out a balancing test. You can object to processing based on legitimate interest at any time (see section 11).
We do not use your personal data for automated decisions with legal or similarly significant effects. We do not sell your personal data.
5. Sub-processors
SayTide relies on a small set of providers. Each processes your data strictly on our instructions, under a data processing agreement.
| Sub-processor | Role | Location |
|---|---|---|
| Apple Inc. | Authentication, in-app purchases, App Store delivery | United States |
| Supabase Inc. | Database hosting, authentication, server-side functions | United States |
| OpenAI, L.L.C. | Speech-to-text transcription | United States |
| Anthropic PBC | AI content processing | United States |
| RevenueCat, Inc. | Subscription management | United States |
| TelemetryDeck GmbH | Pseudonymous product analytics | European Union |
We do not send your data to AI providers for model training. Both OpenAI and Anthropic operate their paid APIs under terms that prohibit the use of customer content for training.
6. International data transfers
Several sub-processors are established outside the European Economic Area, primarily in the United States. Transfers rely on the European Commission's Standard Contractual Clauses (2021/914) together with supplementary measures such as encryption in transit and at rest, strict access controls, and contractual commitments from providers.
You can request a copy of the safeguards by writing to hello@saytide.com.
7. How long we keep your data
- Account, sessions, boards, insights, usage counters, subscription state: kept for as long as your account is active.
- Audio recordings: not retained. Audio is discarded as soon as processing completes (see section 8).
- Database backups: encrypted backups are rotated on a rolling window of approximately 30 days.
- Analytics events:pseudonymous events are retained per TelemetryDeck's own policy; no personal identifier is stored there.
- Support correspondence: up to 24 months after the last message, or longer if needed to defend a legal claim.
When you delete your account (section 10), operational data is removed within 30 days. Backups containing residual copies are overwritten within their rotation window.
8. Audio retention
Audio is transmitted over HTTPS to our servers for automated transcription and structuring. The audio is not written to permanent storage — once processing completes, it is discarded. Only the resulting transcript and structured session data are kept as part of your journal.
If we ever change this behavior, we will update this policy and notify you inside the app before the change takes effect.
9. Security
We apply measures proportionate to the risk:
- Encryption in transit (TLS 1.2+) and at rest.
- Row-level security so that each user can only access their own data.
- Short-lived authentication tokens bound to Sign in with Apple.
- API keys held server-side, never shipped to the client.
- Least-privilege access to production systems.
No online service is perfectly secure. If you believe your account has been compromised, write to hello@saytide.com immediately.
10. Account deletion
You can delete your account at any time from inside the app (Settings → Delete account) or by emailing hello@saytide.com from the address associated with the account. Deletion removes your sessions, boards, insights, usage counters, subscription record, and authentication data within 30 days.
Deleting your account in SayTide does not cancel your Apple subscription. You must cancel auto-renewal separately in your Apple ID settings.
11. Your rights
Under the GDPR you have the right to:
- Access the personal data we hold about you (Art. 15).
- Rectify inaccurate or incomplete data (Art. 16).
- Erase your data, subject to legal retention obligations (Art. 17).
- Restrict processing in specific circumstances (Art. 18).
- Data portability in a structured, commonly used format (Art. 20).
- Object to processing based on legitimate interest (Art. 21).
- Withdraw consent at any time, where consent is the legal basis.
To exercise any right, write to hello@saytide.com from the address associated with your account. We reply within 30 days and may request additional verification.
You also have the right to lodge a complaint with a supervisory authority. In Spain: Agencia Española de Protección de Datos (AEPD), www.aepd.es. If you reside in another EEA country you may contact your local authority.
12. Children
SayTide is not directed at children under 14. Under Spanish law (Article 7, LOPDGDD) a minor must be at least 14 to consent to data processing; below that age, only a holder of parental responsibility can give consent.
The “4+” age rating on the App Store reflects content suitability as classified by Apple. It does not authorize children under 14 to create an account or have their data processed by SayTide.
If you believe a child under 14 has created an account without parental consent, write to hello@saytide.com and we will delete the account and its data.
13. Changes to this policy
We may update this policy to reflect changes in the service, sub-processors, or applicable law. Material changes will be notified inside the app, by email, or both, before taking effect. The “Last updated” date at the top always reflects the current version.
14. Contact
For any privacy question or to exercise a right: hello@saytide.com.
15. Legal information
Sei Dake is a trade name of Bernardo Ortega, a sole trader (autónomo) established in Spain.
NIF: [pending].
Postal address: [pending].
Data protection contact: hello@saytide.com.
Supervisory authority: Agencia Española de Protección de Datos (www.aepd.es).