Privacy Policy
1. Data Controller
The controller within the meaning of the General Data Protection Regulation (GDPR) for the data processing on this website is:
Dr. Ingo Glaser
Krumbacherstraße 8
80798 Munich
Germany
Email: info@stript.io
Note on local processing: Stript is a local-first application. Your documents are processed exclusively on your own device (see Section 2.6). Processing for which we are the controller therefore essentially concerns only this website (waitlist) and purchase/licensing.
2. What Data We Collect
2.1 Waitlist
When you sign up for our waitlist, we collect:
- Email address (required)
- Professional role (optional, e.g., DPO, Legal, IT)
This data is used exclusively to notify you about the launch of Stript. We store waitlist data until the product launches or until you unsubscribe/withdraw consent, after which it is deleted.
2.2 Purchase and Licensing
When you purchase Stript Professional, the following data arises:
- Email address (for delivery of the license key and purchase confirmation)
- Payment data (e.g., credit card, PayPal)
The purchase contract is concluded with Lemon Squeezy as Merchant of Record (the seller). All payment processing, invoicing, and VAT remittance is carried out by Lemon Squeezy. We do not store any payment data ourselves. We receive from Lemon Squeezy only the order data required to create and deliver the license (in particular your email address). Lemon Squeezy processes your data in accordance with its own privacy policy as the controller responsible for the payment and sale transaction.
Legal basis: Art. 6(1)(b) GDPR (contract performance / licensing).
Order and license data arising on our side is retained for the duration of the contractual relationship and within statutory retention periods (tax and commercial-law retention obligations, cf. § 147 AO; the retention period for accounting vouchers was shortened to 8 years in 2025). The commercial records (invoices) for the sale transaction are maintained by Lemon Squeezy as Merchant of Record.
2.3 Server Log Data / Hosting
This website is served via Cloudflare Pages. When you access it, Cloudflare, as hosting/CDN provider, automatically processes technical connection data (including IP address, date and time, the resource requested, browser type, and operating system) in order to deliver the website and ensure its stability and security. The waitlist sign-up function additionally uses your IP address only transiently to limit duplicate/spam submissions (rate limiting) and does not store it. Cloudflare’s privacy policy applies to the retention of hosting logs.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in the technically secure provision of the website).
2.4 Web Analytics
We use Cloudflare Web Analytics to understand how our website is used. Cloudflare Web Analytics collects aggregated, non-identifying data (pages visited, referrer, country derived from the IP without storing it, device/browser/OS type). It uses no cookies, stores or reads no information on your device, and does not track individual visitors. Consent under § 25 TDDDG is therefore not required.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in understanding website usage to improve our service).
2.5 Cookies and Device Storage
This website uses no cookies and stores or reads no information on your device. No tracking, analytics, or marketing cookies are used. Consent under § 25 TDDDG (German Telecommunications Digital Services Data Protection Act) is therefore not required. The fonts used are served locally (self-hosted); there is no integration of Google Fonts or comparable third-party CDNs with data transfer.
2.6 Desktop Application (local-first)
The Stript desktop application processes all documents exclusively on your local machine. No document content, no personal data contained in your documents, and no usage telemetry is transmitted to us or any third party. Optional crash reports (off by default) are transmitted only with your explicit consent (see below). The only network requests made by the desktop application are:
- a one-time download of the AI models during initial setup (the models are fetched from our distribution host downloads.stript.io (served via Cloudflare R2) and from public model repositories such as Hugging Face (Hugging Face, Inc., USA); as with any web request, the respective provider sees your IP address; no account, usage, or document data is transmitted),
- license key validation (at most every 30 days; the license key and a generic device label, e.g. “Stript (macOS)”, are transmitted; never the machine hostname and no document data). This request is routed through a function we operate on stript.io (served via Cloudflare, Section 4.2), which relays the license key and device label to Lemon Squeezy and returns a short-lived signed confirmation token to the application; we store none of this data on our servers, and
- an update check on application launch (fetching a small static version file from stript.io and/or downloads.stript.io to point out a newer version; an ordinary web request carrying no personal data beyond what is technically necessary, e.g. the IP address processed by our hosting provider), and
- an update download, only at your initiative: if a newer version is available and you choose to install it, the application downloads the update package from downloads.stript.io and verifies its cryptographic signature before installing. Like the update check, this transmits no personal data beyond what any web request necessarily includes. No update is downloaded or installed without your action.
- optional crash reports, only with your explicit consent (off by default): if you enable the feature in the settings, the application transmits a crash report to our own infrastructure (Cloudflare, Section 4.2) when a technical error occurs. A report contains only the app version, the operating system and processor architecture, and a scrubbed technical error description (error type and code locations; user paths, file names, and similar details are removed on your device before transmission; crash reports contain no document content, no detection results, and no user or device identifier). We do not store any IP address on receipt; because reports carry no identifiers, we cannot determine who a report came from. As with any web request, the hosting provider sees your IP address during transmission. Reports are deleted after at most 90 days and are used solely to diagnose and fix defects. The feature can be disabled again at any time (doing so deletes any reports still queued on your device), and the application shows you a sample of the exact report content beforehand.
3. Legal Bases
- Waitlist: Art. 6(1)(a) GDPR (consent). You may withdraw your consent at any time with effect for the future.
- Crash reports (optional): Art. 6(1)(a) GDPR (consent). You may withdraw your consent at any time with effect for the future by disabling the feature in the settings; reports not yet transmitted are deleted from your device.
- Purchase/licensing: Art. 6(1)(b) GDPR (contract performance).
- Server log data / hosting: Art. 6(1)(f) GDPR (legitimate interest in provision and security).
- Web analytics: Art. 6(1)(f) GDPR (legitimate interest in understanding website usage).
4. Recipients / Data Processors
We use carefully selected service providers with whom, where required, data processing agreements under Art. 28 GDPR are in place.
4.1 Resend (USA)
We use Resend (Plus Five Five, Inc., USA) for sending emails and managing our waitlist. Resend processes your email address and role on our behalf. See Section 5 regarding the transfer of data to the USA.
More information: resend.com/legal/privacy-policy
4.2 Cloudflare, Inc. (USA)
This website is hosted via Cloudflare Pages; we also use Cloudflare Web Analytics (Section 2.4) and Cloudflare R2 to serve the software downloads and updates (downloads.stript.io) and, if you have enabled optional crash reports (Section 2.6), to receive and store them. Cloudflare processes technical access and, where applicable, analytics data on our behalf. See Section 5 regarding the transfer of data to the USA.
More information: cloudflare.com/privacypolicy
4.3 Lemon Squeezy (USA)
We use Lemon Squeezy as Merchant of Record for payment processing and license management. The provider is Sold through Link, LLC (formerly Lemon Squeezy LLC), 222 South Main Street, Suite 500, Salt Lake City, Utah 84101, USA. Lemon Squeezy processes purchase data (email, payment information). For the sale and payment transaction, Lemon Squeezy acts as an independent controller; where Lemon Squeezy additionally processes data on our behalf (license management), this is based on Lemon Squeezy’s data processing agreement (lemonsqueezy.com/dpa). See Section 5 regarding the transfer of data to the USA.
More information: lemonsqueezy.com/privacy
5. Transfers to Third Countries (USA)
The providers named in Section 4 are based in the USA; personal data may therefore be transferred to the USA. Where a provider is certified under the EU-US Data Privacy Framework (DPF), the transfer takes place on the basis of the European Commission’s adequacy decision of 10 July 2023 (Art. 45 GDPR). In addition, or in the event that a certification no longer exists, we base the transfer on the EU Standard Contractual Clauses (Art. 46(2)(c) GDPR).
- Cloudflare (Cloudflare, Inc.): certified under the EU-US DPF; Standard Contractual Clauses additionally available.
- Resend (Plus Five Five, Inc.): certified under the EU-US DPF; Standard Contractual Clauses additionally available.
- Lemon Squeezy (Sold through Link, LLC): not certified under the EU-US DPF; the transfer is based on the EU Standard Contractual Clauses (Art. 46(2)(c) GDPR; cf. Lemon Squeezy’s data processing agreement).
6. Your Rights
Under the GDPR, you have the following rights:
- Right of access (Art. 15 GDPR)
- Right to rectification (Art. 16 GDPR)
- Right to erasure (Art. 17 GDPR)
- Right to restriction (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR)
- Right to object (Art. 21 GDPR) to processing based on Art. 6(1)(f) GDPR
- Right to withdraw consent (Art. 7(3) GDPR) with effect for the future
To exercise your rights, please contact: info@stript.io
7. Right to Complain
You have the right to lodge a complaint with a data protection supervisory authority. The supervisory authority responsible for us is:
Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 18
91522 Ansbach
Germany
Website: lda.bayern.de
8. No Automated Decision-Making
There is no solely automated decision-making, including profiling, within the meaning of Art. 22 GDPR. (The AI-assisted PII detection in the desktop application runs locally on your device and serves as a tool for you; it makes no legally significant decisions about you.)
9. Changes
We reserve the right to update this privacy policy to comply with current legal requirements or to implement changes to our services.
Last updated: 09.07.2026