Privacy Policy
Last updated: April 2026.
1. Controller
The data controller under the GDPR is:
Jonny Caspari
Ostpreußendamm 165A
12207 Berlin, Germany
Email: j.caspari@mail.de
2. Scope
This policy covers the website at pilloai.app and the macOS app Pillo. The app processes voice, text and on-screen context entirely on your Mac. No transmission to Pillo, any external server, or any third party occurs in standard operation. The narrow opt-in exceptions are described in section 4.2.
3. Website processing
3.1 Server log files
When you access the site, our hosting provider records technical data in server log files (IP address, timestamp, requested URL, referrer, user agent). Legal basis: Art. 6(1)(f) GDPR; legitimate interest in providing and securing the website. Logs are retained briefly for abuse defence and then automatically deleted.
3.2 Hosting via Vercel
The website is hosted by Vercel Inc., 440 N Barranca Avenue #4133, Covina, CA 91723, USA, represented in the EU by Vercel Germany GmbH(Frankfurt). A GDPR Art. 28 Data Processing Addendum is in place. Any transmission to the US is covered by the EU-US Data Privacy Framework (Vercel Inc. is DPF-certified).
3.3 Audience analytics via Vercel Analytics
We use Vercel Analytics, a cookieless web analytics service. No cookies are set and no cross-device profiles are built. A short-lived 24-hour-rotating one-way hash of IP, user agent, and path is used to deduplicate visits within a single session. The IP address itself is never stored or shared.
Legal basis: Art. 6(1)(f) GDPR; legitimate interest in privacy-friendly audience measurement. As no persistent personal data is collected, we treat Vercel Analytics as not requiring consent. If you would still like to opt out, browse in private mode or with tracking protection enabled.
3.4 Email collection via Resend
If you voluntarily leave your email address — either to join the waitlist or, when downloading the app, so that we may reach out for feedback — we store that address and process it solely to contact you for those purposes. The download itself does not require an email; you can continue without leaving one. Emails are processed on our behalf by Resend (Plus Five Five, Inc., 2261 Market Street #5039, San Francisco, CA 94114, USA), with whom a GDPR Art. 28 Data Processing Addendum is in place; any US transfer is covered by the EU-US Data Privacy Framework and standard contractual clauses.
Legal basis: Art. 6(1)(a) GDPR (consent). You may withdraw your consent at any time with effect for the future and request deletion by emailing j.caspari@mail.de. We keep the address only as long as needed for the stated purpose.
4. App processing
4.1 Local processing (default)
Pillo is built as an on-device application. Voice recordings, transcripts, AI style rewrites, on-screen context (OCR), and all usage / correction history are processed and stored exclusively on your Mac. There is no transmission to Pillo, any external server, or any third party in standard operation.
4.1.1 Edit verification (keystroke witness)
So that Pillo can reliably learn from manual edits to its dictation output, the app cross-references on-screen text changes against your actual keystrokes for approximately 10 seconds after pasting. Background: on-screen text recognition (OCR) occasionally misreads individual characters (e.g. an `n` may be read as an `h`); without this cross-check, incorrect correction suggestions would occasionally appear.
What happens technically: during the verification window, Pillo counts which letters you pressed plus the count of editing/navigation keys (backspace, delete, arrow keys). This information is held only in the app's working memory, never written to disk, never transmitted to any server (not Sentry, not TelemetryDeck, not Pillo's developer), and discarded the moment the window closes (after 10 seconds, on app switch, or when the next dictation starts). If a password field is detected (IsSecureEventInputEnabled), Pillo abandons verification immediately.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in a low-error correction-learning function). You can disable this feature at any time via Pillo → Learnings → Edit verification. With it off, no keystrokes are observed at all; OCR phantoms may occasionally produce incorrect suggestions which you can dismiss with "Never".
4.2 Optional, consent-based diagnostics
With your explicit consent (during onboarding and/or in Settings → Privacy), the app may send anonymous diagnostics to the processors named in 5.2 and 5.3. Consent can be withdrawn at any time, with effect for the future. Legal basis: Art. 6(1)(a) GDPR (consent).
What is sent:
- a randomly generated anonymous device ID (UUID v4), with no link to your name, email, or any hardware identifier,
- the app version and build number,
- your macOS version and architecture (arm64/x86_64),
- event names and counts from a fixed allowlist (e.g. "dictation.completed"),
- latency and duration measurements as numbers,
- on errors: stack trace and error class, with file paths under
/Users/<name>/client-side normalised to~/.
What is never sent:
- your transcripts, recordings, or any spoken content,
- clipboard content,
- bundle IDs or names of the apps you type into,
- file paths, file contents, or screen contents,
- your name, email address, or IP address (Sentry IP capture is disabled).
4.3 User-initiated bug reports
Clicking "Report a Bug" opens a form. With diagnostics consent active, the description is sent via Sentry to Pillo's maintainer; the optional email field is processed only if you'd like a reply. Without consent, the system mail client opens with diagnostic info pre-filled — you can review the message before sending.
5. Processors and recipients
5.1 Vercel (hosting & web analytics)
Controller of record: Vercel Inc., 440 N Barranca Avenue #4133, Covina, CA 91723, USA; EU representation by Vercel Germany GmbH (Frankfurt). GDPR Art. 28 DPA in place; EU-US Data Privacy Framework certification covers any US transfer. Privacy: vercel.com/legal/privacy-policy.
5.2 TelemetryDeck (anonymous app analytics)
With diagnostics consent active, we use the privacy-friendly analytics service TelemetryDeck (provider: TelemetryDeck GmbH, Von-der-Tann-Str. 54, 86159 Augsburg, Germany; HRB 37541, VAT DE353418916). Legal basis: Art. 6(1)(a) GDPR (consent). Consent can be withdrawn at any time, with effect for the future. Servers and data location: Germany. A GDPR Art. 28 Data Processing Addendum is in place.
What is sent? The data processed by TelemetryDeck is fully anonymized and cannot be linked back to any individual:
- an anonymized, non-traceable user ID (a UUID v4 per app installation),
- publisher-defined actions (e.g.
dictation.completed,onboarding.step_completed), - a coarsened timestamp (rounded to the hour),
- device metadata (system version, app version, device type),
- publisher-defined additional metadata (e.g. language code, latency values, feature flags).
What is explicitly never stored?
- no IP addresses (neither in logs nor in the database),
- no cookies or tracking technologies,
- no persistent identifiers traceable to individuals.
The TelemetryDeck SDK source is fully open and inspectable on GitHub: github.com/TelemetryDeck. Provider privacy policy: telemetrydeck.com/privacy.
5.3 Sentry (app error & crash reporting)
With diagnostics consent active, we use Sentry for capturing program errors and crashes. Contracting party: Functional Software, Inc. dba Sentry, 45 Fremont Street, 8th Floor, San Francisco, CA 94105, USA. Legal basis: Art. 6(1)(a) GDPR (consent). Consent can be withdrawn at any time, with effect for the future. Data is hosted exclusively in the EU region (Frankfurt am Main, Germany). Any transfer to the US parent is covered by the EU-US Data Privacy Framework (Sentry is DPF-certified) and a GDPR Art. 28 DPA with Standard Contractual Clauses.
What is sent?
- the anonymous device ID (UUID v4) — same as the TelemetryDeck ID so reports can be correlated,
- on errors: stack trace and error class,
- app version and build number, macOS version, architecture (arm64 / x86_64),
- pre-defined breadcrumbs from a fixed allowlist (e.g. app-lifecycle events) — never free-form log messages,
- for user-initiated bug reports: the free-text description and optionally the email address you typed in.
What is explicitly never stored?
- no IP addresses (Sentry's
sendDefaultPiioption is disabled), - no device hostnames, timezones, or device-fingerprint hashes,
- no file paths under
/Users/<name>/(client-side normalised to~/), - no transcripts, recordings, screen contents, clipboard, or bundle IDs of the apps you type into,
- no performance or tracing data (disabled in app config).
Provider privacy policy: sentry.io/privacy/.
6. Retention
- Server logs: short-term (typically a few days), then auto-deleted.
- Vercel Analytics: aggregated audience statistics; no persistent personal data.
- TelemetryDeck signals: aggregated usage statistics; revoking consent stops future collection.
- Sentry error reports: up to 90 days in the Sentry EU region; revoking consent stops future reports.
- Anonymous device ID (UUID): stored locally on your Mac; cleared by "Reset Diagnostic ID" or by uninstalling.
7. Your rights
Under GDPR you have, among others, the right to:
- access your stored data (Art. 15 GDPR),
- correct inaccurate data (Art. 16 GDPR),
- erasure / "right to be forgotten" (Art. 17 GDPR),
- restrict processing (Art. 18 GDPR),
- data portability (Art. 20 GDPR),
- object to processing (Art. 21 GDPR),
- withdraw consent at any time, with effect for the future (Art. 7(3) GDPR),
- lodge a complaint with a supervisory authority (Art. 77 GDPR).
Because diagnostic data is collected only under an anonymous UUID, exercising your rights requires that UUID. You can find it in the app under Settings → Privacy or use the "Request Data Deletion" button there to compose an email with the UUID pre-filled.
8. Supervisory authority
Based on the controller's location, the competent authority is the Berliner Beauftragte für Datenschutz und Informationsfreiheit (BlnBDI), Alt-Moabit 59–61, 10555 Berlin, Germany; datenschutz-berlin.de.
9. International transfers
Personal data is transferred outside the EU/EEA only in the cases listed above (Vercel, Sentry), subject to appropriate safeguards: the EU-US Data Privacy Framework and Standard Contractual Clauses pursuant to Art. 46 GDPR.
10. Changes to this policy
This policy is updated as legal or functional circumstances evolve. The current version is always available at pilloai.app/privacy.
11. Privacy contact
Privacy enquiries: j.caspari@mail.de.