Privacy Policy
Effective date: 2026-04-23 · Last updated: 2026-04-23
1. Who we are
SayTide is a native iOS application that helps surfers capture, structure, and reflect on their sessions. The service is operated by Sei Dake (see section 15 for full legal identification).
This Privacy Policy explains what personal data we process, why, who we share it with, and how you can exercise your rights. It applies to the SayTide iOS app and any related service we provide.
Contact for privacy questions: hello@saytide.com.
2. Scope
This policy covers the SayTide iOS app distributed through the Apple App Store. Use of the app is also governed by Apple's Standard End User License Agreement, available at https://www.apple.com/legal/internet-services/itunes/dev/stdeula/. Third-party services linked from the app are governed by their own privacy policies.
3. Data we process
We only collect what we need to operate the service.
3.1 Account data
Email address received through Sign in with Apple. If you use Apple's private relay, we only receive the relay address.
3.2 Session content
When you record a surf session, we process a temporary voice recording (see section 8), the transcript produced from it, and structured session data generated by AI — such as date, spot, conditions, board used, personal notes, and coaching reflections. The transcript is sent to our AI content provider (see section 5) to generate the structured session card and the coaching insights derived from your history.
3.3 Surfboard collection
Descriptive metadata for each board you add, such as name, type, dimensions, and visual preferences.
3.4 AI insights
AI-generated insights linked to your session history. To produce pattern insights, a summary of your past sessions is sent to our AI content provider periodically (see section 5).
3.5 Usage counters
Aggregate counts of processing calls and reset timestamps, used to enforce service limits.
3.6 Subscription state
If you subscribe to SayTide Pro: entitlement status, product identifier, expiry date, and subscription events received from Apple. We do not receive or store payment cards, billing addresses, or any financial instrument. Billing is handled entirely by Apple.
3.7 Analytics
We use TelemetryDeck for privacy-first analytics. Your identifier is hashed with a per-app salt before transmission, so events cannot be linked back to your account. We collect pseudonymous usage events — such as feature adoption and error rates — to improve the product. We do not collect IP addresses, device identifiers, advertising identifiers, or precise location through analytics.
3.8 Device permissions
The app requests microphone access to record your voice notes. Audio is transmitted to our speech-to-text provider for transcription, as described in sections 5 and 8. You can revoke microphone access at any time from iOS Settings → Privacy & Security.
3.9 AI Features consent
Before SayTide processes your recordings through AI providers, we ask for your explicit consent. You can grant this consent during onboarding or at any time from Settings → AI Features.
You can withdraw this consent at any time from the same setting. When AI Features are disabled, new recordings and insight generation pause. Past sessions and the structured data already generated for them remain available in the app. Turning AI Features back on resumes processing for new recordings.
Disabling AI Features does not delete your past sessions or stop you from recording new voice notes locally. It only pauses the transmission of new recordings to our AI providers.
4. Why we process your data
Under Article 6 of the GDPR:
| Purpose | Legal basis |
|---|---|
| Authenticate you and provide the core journaling features | Performance of a contract, Art. 6(1)(b) |
| Transcribe audio and generate structured session data and insights | Consent, Art. 6(1)(a) — granted through AI Features (see section 3.9) |
| Manage your subscription and entitlements | Performance of a contract, Art. 6(1)(b) |
| Enforce usage limits and protect the service from abuse | Legitimate interest, Art. 6(1)(f) |
| Understand aggregate product usage through pseudonymous analytics | Legitimate interest, Art. 6(1)(f) |
| Respond to support requests and legal claims | Legitimate interest, Art. 6(1)(f) |
Where a legitimate interest is invoked, we have carried out a balancing test. You can object to processing based on legitimate interest at any time (see section 11). Where consent is the legal basis, you can withdraw it at any time without affecting the lawfulness of prior processing.
We do not use your personal data for automated decisions with legal or similarly significant effects. We do not sell your personal data.
5. Sub-processors
SayTide relies on a small set of providers. Each processes your data strictly on our instructions, under a data processing agreement.
| Sub-processor | Role | Data received | Location |
|---|---|---|---|
| Apple Inc. | Authentication, in-app purchases, App Store delivery | Sign in with Apple identifier, subscription events | United States |
| Supabase Inc. | Database hosting, authentication, server-side functions | All account and session data | Germany (EU — Frankfurt) |
| OpenAI, L.L.C. | Speech-to-text transcription | Temporary voice recording from a single session (not retained after transcription — see section 8) | United States |
| Anthropic PBC | AI content processing | The transcript of a single session, and periodically a summary of your past session history to generate pattern insights | United States |
| RevenueCat, Inc. | Subscription management | Subscription events and entitlement status | United States |
| TelemetryDeck GmbH | Pseudonymous product analytics | Hashed pseudonymous identifier and usage events only — no session content | European Union |
We do not send your data to AI providers for model training. Both OpenAI and Anthropic operate their paid APIs under terms that prohibit the use of customer content for training.
6. International data transfers
Your account and session data are stored in the European Union (Supabase, Frankfurt). Some sub-processors are established outside the European Economic Area, in the United States (Apple, OpenAI, Anthropic, RevenueCat). Transfers to those providers rely on the European Commission's Standard Contractual Clauses (2021/914) together with supplementary measures such as encryption in transit and at rest, strict access controls, and contractual commitments from providers.
You can request a copy of the safeguards by writing to hello@saytide.com.
7. How long we keep your data
- Account, sessions, boards, insights, usage counters, subscription state: kept for as long as your account is active.
- Audio recordings: not retained. Audio is discarded as soon as processing completes (see section 8).
- Database backups: encrypted backups are rotated on a rolling window of approximately 30 days.
- Analytics events:pseudonymous events are retained per TelemetryDeck's own policy; no personal identifier is stored there.
- Support correspondence: up to 24 months after the last message, or longer if needed to defend a legal claim.
When you delete your account (section 10), operational data is removed within 30 days. Backups containing residual copies are overwritten within their rotation window.
8. Audio retention
Audio is transmitted over HTTPS to our speech-to-text provider for automated transcription. The audio is not written to permanent storage on our systems or on the provider's systems — once processing completes, it is discarded. Only the resulting transcript and structured session data are kept as part of your journal.
If we ever change this behavior, we will update this policy and notify you inside the app before the change takes effect.
9. Security
We apply measures proportionate to the risk:
- Encryption in transit (TLS 1.2+) and at rest.
- Row-level security so that each user can only access their own data.
- Short-lived authentication tokens bound to Sign in with Apple.
- API keys held server-side, never shipped to the client.
- Least-privilege access to production systems.
No online service is perfectly secure. If you believe your account has been compromised, write to hello@saytide.com immediately.
10. Account deletion
You can delete your account and all associated data at any time directly from inside the app, at Settings → Delete account. You can also request deletion by emailing hello@saytide.com from the address associated with the account.
Deletion removes your sessions, boards, insights, usage counters, subscription record, and authentication data within 30 days. Residual copies in encrypted backups are overwritten within their rotation window.
Deleting your account in SayTide does not cancel your Apple subscription. You must cancel auto-renewal separately in your Apple ID settings.
11. Your rights
Under the GDPR you have the right to:
- Access the personal data we hold about you (Art. 15).
- Rectify inaccurate or incomplete data (Art. 16).
- Erase your data, subject to legal retention obligations (Art. 17). You can exercise this right directly from the app at Settings → Delete account.
- Restrict processing in specific circumstances (Art. 18).
- Data portability in a structured, commonly used format (Art. 20).
- Object to processing based on legitimate interest (Art. 21).
- Withdraw consent at any time, where consent is the legal basis. For AI Features consent specifically, you can withdraw it from Settings → AI Features (see section 3.9).
To exercise any right that is not available directly in the app, write to hello@saytide.com from the address associated with your account. We reply within 30 days and may request additional verification.
You also have the right to lodge a complaint with a supervisory authority. In Spain: Agencia Española de Protección de Datos (AEPD), www.aepd.es. If you reside in another EEA country you may contact your local authority.
12. Children
SayTide is not directed at children under 14. Under Spanish law (Article 7, LOPDGDD) a minor must be at least 14 to consent to data processing; below that age, only a holder of parental responsibility can give consent.
The “4+” age rating on the App Store reflects content suitability as classified by Apple. It does not authorize children under 14 to create an account or have their data processed by SayTide.
If you believe a child under 14 has created an account without parental consent, write to hello@saytide.com and we will delete the account and its data.
13. Changes to this policy
We may update this policy to reflect changes in the service, sub-processors, or applicable law. Material changes will be notified inside the app, by email, or both, before taking effect. The “Last updated” date at the top always reflects the current version.
14. Contact
For any privacy question or to exercise a right: hello@saytide.com.
15. Legal information
Sei Dake is a trade name of Bernardo Ortega, a sole trader (autónomo) established in Spain.
NIF: 50462476Q.
Postal address: Calle Bergantín 9, 3D, 28220 Majadahonda, Madrid, Spain.
Data protection contact: hello@saytide.com.
Supervisory authority: Agencia Española de Protección de Datos (www.aepd.es).