Privacy Policy

Last updated: April 2026. This is an English translation provided for convenience. The legally authoritative version is the German Datenschutzerklärung.

1. Controller

The data controller under the GDPR is:

Jonny Caspari
Ostpreußendamm 165A
12207 Berlin, Germany
Email: j.caspari@mail.de

2. Scope

This policy covers the website at pilloai.app and the macOS app Pillo. The app processes voice, text and on-screen context entirely on your Mac. No transmission to Pillo, any external server, or any third party occurs in standard operation. The narrow opt-in exceptions are described in section 4.2.

3. Website processing

3.1 Server log files

When you access the site, our hosting provider records technical data in server log files (IP address, timestamp, requested URL, referrer, user agent). Legal basis: Art. 6(1)(f) GDPR; legitimate interest in providing and securing the website. Logs are retained briefly for abuse defence and then automatically deleted.

3.2 Hosting via Vercel

The website is hosted by Vercel Inc., 440 N Barranca Avenue #4133, Covina, CA 91723, USA, represented in the EU by Vercel Germany GmbH (Frankfurt). A GDPR Art. 28 Data Processing Addendum is in place. Any transmission to the US is covered by the EU-US Data Privacy Framework (Vercel Inc. is DPF-certified).

3.3 Audience analytics via Vercel Analytics

We use Vercel Analytics, a cookieless web analytics service. No cookies are set and no cross-device profiles are built. A short-lived 24-hour-rotating one-way hash of IP, user agent, and path is used to deduplicate visits within a single session. The IP address itself is never stored or shared.

Legal basis: Art. 6(1)(f) GDPR; legitimate interest in privacy-friendly audience measurement. As no persistent personal data is collected, we treat Vercel Analytics as not requiring consent. If you would still like to opt out, browse in private mode or with tracking protection enabled.

4. App processing

4.1 Local processing (default)

Pillo is built as an on-device application. Voice recordings, transcripts, AI style rewrites, on-screen context (OCR), and all usage / correction history are processed and stored exclusively on your Mac. There is no transmission to Pillo, any external server, or any third party in standard operation.

4.2 Optional, consent-based diagnostics

With your explicit consent (during onboarding and/or in Settings → Privacy), the app may send anonymous diagnostics to the processors named in 5.2 and 5.3. Consent can be withdrawn at any time, with effect for the future. Legal basis: Art. 6(1)(a) GDPR (consent).

What is sent:

  • a randomly generated anonymous device ID (UUID v4), with no link to your name, email, or any hardware identifier,
  • the app version and build number,
  • your macOS version and architecture (arm64/x86_64),
  • event names and counts from a fixed allowlist (e.g. "dictation.completed"),
  • latency and duration measurements as numbers,
  • on errors: stack trace and error class, with file paths under /Users/<name>/ client-side normalised to ~/.

What is never sent:

  • your transcripts, recordings, or any spoken content,
  • clipboard content,
  • bundle IDs or names of the apps you type into,
  • file paths, file contents, or screen contents,
  • your name, email address, or IP address (Sentry IP capture is disabled).

4.3 User-initiated bug reports

Clicking "Report a Bug" opens a form. With diagnostics consent active, the description is sent via Sentry to Pillo's maintainer; the optional email field is processed only if you'd like a reply. Without consent, the system mail client opens with diagnostic info pre-filled — you can review the message before sending.

5. Processors and recipients

5.1 Vercel (hosting & web analytics)

Controller of record: Vercel Inc., 440 N Barranca Avenue #4133, Covina, CA 91723, USA; EU representation by Vercel Germany GmbH (Frankfurt). GDPR Art. 28 DPA in place; EU-US Data Privacy Framework certification covers any US transfer. Privacy: vercel.com/legal/privacy-policy.

5.2 TelemetryDeck (anonymous app analytics)

With diagnostics consent active, we use the privacy-friendly analytics service TelemetryDeck (provider: TelemetryDeck GmbH, Von-der-Tann-Str. 54, 86159 Augsburg, Germany; HRB 37541, VAT DE353418916). Legal basis: Art. 6(1)(a) GDPR (consent). Consent can be withdrawn at any time, with effect for the future. Servers and data location: Germany. A GDPR Art. 28 Data Processing Addendum is in place.

What is sent? The data processed by TelemetryDeck is fully anonymized and cannot be linked back to any individual:

  • an anonymized, non-traceable user ID (a UUID v4 per app installation),
  • publisher-defined actions (e.g. dictation.completed, onboarding.step_completed),
  • a coarsened timestamp (rounded to the hour),
  • device metadata (system version, app version, device type),
  • publisher-defined additional metadata (e.g. language code, latency values, feature flags).

What is explicitly never stored?

  • no IP addresses (neither in logs nor in the database),
  • no cookies or tracking technologies,
  • no persistent identifiers traceable to individuals.

The TelemetryDeck SDK source is fully open and inspectable on GitHub: github.com/TelemetryDeck. Provider privacy policy: telemetrydeck.com/privacy.

5.3 Sentry (app error & crash reporting)

With diagnostics consent active, we use Sentry for capturing program errors and crashes. Contracting party: Functional Software, Inc. dba Sentry, 45 Fremont Street, 8th Floor, San Francisco, CA 94105, USA. Legal basis: Art. 6(1)(a) GDPR (consent). Consent can be withdrawn at any time, with effect for the future. Data is hosted exclusively in the EU region (Frankfurt am Main, Germany). Any transfer to the US parent is covered by the EU-US Data Privacy Framework (Sentry is DPF-certified) and a GDPR Art. 28 DPA with Standard Contractual Clauses.

What is sent?

  • the anonymous device ID (UUID v4) — same as the TelemetryDeck ID so reports can be correlated,
  • on errors: stack trace and error class,
  • app version and build number, macOS version, architecture (arm64 / x86_64),
  • pre-defined breadcrumbs from a fixed allowlist (e.g. app-lifecycle events) — never free-form log messages,
  • for user-initiated bug reports: the free-text description and optionally the email address you typed in.

What is explicitly never stored?

  • no IP addresses (Sentry's sendDefaultPii option is disabled),
  • no device hostnames, timezones, or device-fingerprint hashes,
  • no file paths under /Users/<name>/ (client-side normalised to ~/),
  • no transcripts, recordings, screen contents, clipboard, or bundle IDs of the apps you type into,
  • no performance or tracing data (disabled in app config).

Provider privacy policy: sentry.io/privacy/.

6. Retention

  • Server logs: short-term (typically a few days), then auto-deleted.
  • Vercel Analytics: aggregated audience statistics; no persistent personal data.
  • TelemetryDeck signals: aggregated usage statistics; revoking consent stops future collection.
  • Sentry error reports: up to 90 days in the Sentry EU region; revoking consent stops future reports.
  • Anonymous device ID (UUID): stored locally on your Mac; cleared by "Reset Diagnostic ID" or by uninstalling.

7. Your rights

Under GDPR you have, among others, the right to:

  • access your stored data (Art. 15 GDPR),
  • correct inaccurate data (Art. 16 GDPR),
  • erasure / "right to be forgotten" (Art. 17 GDPR),
  • restrict processing (Art. 18 GDPR),
  • data portability (Art. 20 GDPR),
  • object to processing (Art. 21 GDPR),
  • withdraw consent at any time, with effect for the future (Art. 7(3) GDPR),
  • lodge a complaint with a supervisory authority (Art. 77 GDPR).

Because diagnostic data is collected only under an anonymous UUID, exercising your rights requires that UUID. You can find it in the app under Settings → Privacy or use the "Request Data Deletion" button there to compose an email with the UUID pre-filled.

8. Supervisory authority

Based on the controller's location, the competent authority is the Berliner Beauftragte für Datenschutz und Informationsfreiheit (BlnBDI), Alt-Moabit 59–61, 10555 Berlin, Germany; datenschutz-berlin.de.

9. International transfers

Personal data is transferred outside the EU/EEA only in the cases listed above (Vercel, Sentry), subject to appropriate safeguards: the EU-US Data Privacy Framework and Standard Contractual Clauses pursuant to Art. 46 GDPR.

10. Changes to this policy

This policy is updated as legal or functional circumstances evolve. The current version is always available at pilloai.app/privacy.

11. Privacy contact

Privacy enquiries: j.caspari@mail.de.