Privacy Policy for the Qurai App

As of: March 2026


1. Data Controller

The controller responsible for data processing within the meaning of the General Data Protection Regulation (GDPR/DSGVO) is:

Özgür Ergül
Österfeldstraße 22
70563 Stuttgart
Germany

Email: erguel.neurometrik@gmail.com
Website: https://qurai.io


2. Overview of Data Processing

2.1 What data do we collect?

Qurai collects and processes the following categories of personal data:

During registration:

  • Email address
  • Password (stored in encrypted form)
  • Account creation timestamp

When using the app:

  • Notes, ideas, and scripts (content created by you)
  • Onboarding responses (target audience, expertise, tone of voice)
  • Voice recordings (for transcription and script generation)
  • Video recordings (stored locally on your device, not on our servers)
  • Usage data (which features are used, timestamps)
  • Device information (device type, operating system version, app version)

When purchasing a subscription:

  • Subscription status and type
  • Transaction ID (via Apple or Stripe)
  • Email address and payment information (for web checkout via Stripe — card details are processed directly by Stripe)

Crash reports (Crashlytics):

  • Time and cause of the crash
  • Device state at the time of the crash
  • Operating system and app version

When tracking is enabled (only with your consent):

  • Advertising ID (IDFA on iOS)
  • App install source
  • In-app events for advertising purposes

2.2 Purposes of data processing

We process your data for the following purposes:

| Purpose | Legal basis |
|---------|------------|
| Provision of app features | Art. 6 Abs. 1 lit. b DSGVO (Performance of contract) |
| Synchronization of your content | Art. 6 Abs. 1 lit. b DSGVO (Performance of contract) |
| Personalization of AI scripts | Art. 6 Abs. 1 lit. b DSGVO (Performance of contract) |
| Processing of subscriptions | Art. 6 Abs. 1 lit. b DSGVO (Performance of contract) |
| Bug fixing (Crashlytics) | Art. 6 Abs. 1 lit. f DSGVO (Legitimate interest) |
| Analytics and advertising | Art. 6 Abs. 1 lit. a DSGVO (Consent) |
| Affiliate tracking (Rewardful) | Art. 6 Abs. 1 lit. a DSGVO (Consent) |


3. Data Processing in Detail

3.1 Firebase Authentication

We use Firebase Authentication by Google for user registration and login.

Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland

Data collected:

  • Email address
  • Encrypted password
  • Login timestamps
  • IP address (temporary)

Legal basis: Art. 6 Abs. 1 lit. b DSGVO (Performance of contract)

Storage location: Firebase Authentication is processed exclusively in the USA. The data transfer is based on the EU-US Data Privacy Framework.

More information: https://firebase.google.com/support/privacy


3.2 Cloud Firestore (Database)

Your content (notes, scripts, onboarding data) is stored in Cloud Firestore.

Provider: Google Ireland Limited

Data collected:

  • All content created by you
  • Metadata (creation and modification timestamps)
  • User ID

Storage location: EU (europe-west) – Your data does not leave the European Union.

Legal basis: Art. 6 Abs. 1 lit. b DSGVO (Performance of contract)

Data Processing Agreement: A Data Processing Agreement (Data Processing Terms) has been concluded with Google.


3.3 AI Data Processing by Third Parties

For the AI-powered features of the app, we use several specialized services. Processing is coordinated through our own backend service on Google Cloud Run in the EU.

3.3.1 Anthropic Claude (Content Generation)

We use Anthropic's Claude language models for all AI-powered content generation.

Provider: Anthropic PBC, 548 Market Street, San Francisco, CA 94104, USA

Which AI features process data?

| Feature | Model | Description |
|---------|-------|------------|
| Script generation | Claude Sonnet | Creates video scripts from your notes |
| Social post generation | Claude Sonnet | Creates social media posts (Twitter, LinkedIn, Carousel) |
| Script/post revision | Claude Sonnet | Revises content based on your feedback |
| Outline generator | Claude Haiku | Creates outlines for videos and social posts |
| Idea generator | Claude Haiku | Generates topics, subtopics, and content ideas |

What data is sent to Anthropic Claude?

  • Your notes and their content (text)
  • Your onboarding responses (target audience, expertise, tone of voice)
  • Your personal brand story (if provided)
  • Images uploaded by you (max. 10, as Base64 data for image analysis)
  • Linked notes (title and content)
  • Previously generated content (for revisions)

What data is NOT sent?

  • Your email address or login credentials
  • Your payment information
  • Your video recordings (these remain locally on your device)
  • Device or location data

Data routing: All requests to Anthropic Claude are routed through our backend service on Google Cloud Run (EU, Frankfurt). API communication is encrypted via TLS.

Retention period at Anthropic: Data is only transmitted for the duration of processing (request-response cycle). No permanent storage by Anthropic takes place.

No training with your data: Anthropic does not use data sent via the API to train its models. This is stipulated in the Anthropic API Terms of Service.

Legal basis: Art. 6 Abs. 1 lit. b DSGVO (Performance of contract)

More information: https://www.anthropic.com/policies/privacy

3.3.2 Google Cloud (Backend Infrastructure and Document Processing)

Our backend service runs on Google Cloud Run in the EU. Additionally, Google Vertex AI (Gemini) is used for text extraction from documents.

Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland

Features:

| Feature | Description |
|---------|------------|
| Backend service (Cloud Run) | Coordinates all AI requests, runs in EU (Frankfurt) |
| Document text extraction | Extracts text from PDFs and images using Gemini |

What data is processed?

  • PDFs uploaded by you (max. 10, for text extraction)
  • Images uploaded by you (max. 10, for text extraction)

Storage location: EU (europe-west9, Frankfurt) – Your data is processed within the European Union.

Retention period: Data is only transmitted for the duration of processing. No permanent storage by Google Vertex AI takes place.

No training with your data: Google Vertex AI is subject to the Google Cloud privacy terms, which exclude training with customer data.

Data Processing Agreement: A Data Processing Agreement (Data Processing Terms) has been concluded with Google.

Legal basis: Art. 6 Abs. 1 lit. b DSGVO (Performance of contract)

More information: https://cloud.google.com/vertex-ai/docs/generative-ai/data-governance

3.3.3 Jina AI (Web Page Content Extraction)

When you link web URLs in your notes, we use Jina AI Reader to extract the text content from the linked web pages. This extracted text is then used as context for content generation.

Provider: Jina AI GmbH, Prinzessinnenstraße 19-20, 10969 Berlin, Germany

What data is sent?

  • The web URLs linked by you (max. 10 per request)

What data is NOT sent?

  • Your note content or personal data
  • Only the URL itself is transmitted, not your context

Purpose: Extraction of text content from linked web pages (JavaScript rendering, Markdown conversion), so the AI can use the content of the linked page as context.

Retention period: No permanent storage. Extraction takes place in real time.

Legal basis: Art. 6 Abs. 1 lit. b DSGVO (Performance of contract)

More information: https://jina.ai/privacy

3.3.4 YouTube Data API (YouTube Content Extraction)

When you link YouTube URLs in your notes, we use the YouTube Data API to extract video information (title, description).

Provider: Google Ireland Limited

What data is sent?

  • The YouTube URLs linked by you (max. 10 per request)

Purpose: Extraction of video metadata (title, description, channel info), so the AI can use the video content as context.

Legal basis: Art. 6 Abs. 1 lit. b DSGVO (Performance of contract)

More information: https://developers.google.com/youtube/terms/api-services-terms-of-service

3.3.5 xAI Grok (Trend Search)

For the Trend Finder, we use the Grok API by xAI to search for current news and trends on the web and X (Twitter).

Provider: xAI Corp., Nevada, USA

What data is sent?

  • Your brand profile (target audience, area of expertise) — for generating relevant search queries
  • The search terms generated by the AI

What data is NOT sent?

  • Your notes or personal content
  • Your email address or account data

Purpose: Search for current news and trends relevant to your target audience (web search and X/Twitter search).

Retention period: No permanent storage. The search takes place in real time.

No training with your data: xAI does not use data sent via the API to train its models. This is stipulated in the xAI API Terms.

Legal basis: Art. 6 Abs. 1 lit. b DSGVO (Performance of contract)

More information: https://x.ai/legal/privacy-policy

3.3.6 General Notes on AI Data Processing

Consent: When you use an AI feature for the first time, you will be informed about the data processing and must acknowledge it before the feature can be used.

Purpose of data processing: Exclusively for generating the content requested by you (scripts, ideas, outlines, transcriptions, social posts, trend analyses).


3.4 Firebase Crashlytics

We use Firebase Crashlytics to improve app stability.

Provider: Google Ireland Limited

Data collected in the event of a crash:

  • Time of the crash
  • State of the app at the time of the crash
  • Device type and operating system
  • App version
  • Crash stack trace
  • Installation UUID (anonymous device ID)

What we do NOT collect:

  • Your content (notes, scripts)
  • Your email address
  • Personally identifiable information

Legal basis: Art. 6 Abs. 1 lit. f DSGVO (Legitimate interest in a stable app)

Data transfer: Crashlytics data may be transferred to Google servers in the USA. The transfer is based on the EU-US Data Privacy Framework.

Opt-out: You can disable Crashlytics in the app settings.

More information: https://firebase.google.com/support/privacy


3.5 Firebase Cloud Messaging (Push Notifications)

We use Firebase Cloud Messaging (FCM) to send you daily push notifications about new trends in your niche on iOS devices.

Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland

What data is processed?

  • FCM device token (an anonymous identifier for your device)
  • Your user ID (for associating the token)

What data is NOT sent?

  • The content of your notes or trends
  • Your email address or personal data

Purpose: Delivery of push notifications about new, relevant trends.

Retention period: The FCM token is stored in Firestore as long as your account exists. Upon account deletion, the token is deleted.

Opt-out: You can disable push notifications at any time in the iOS settings (Settings > Qurai > Notifications).

Legal basis: Art. 6 Abs. 1 lit. a DSGVO (Consent)


3.6 Google Analytics for Firebase

We use Google Analytics for Firebase to analyze app usage and optimize our service.

Provider: Google Ireland Limited

Data collected (only with your consent):

  • App instance ID (anonymous identifier)
  • Usage events (e.g., "Script generated", "Video exported")
  • Session duration
  • Device and operating system information
  • Approximate location (country/region, based on IP address)

Legal basis: Art. 6 Abs. 1 lit. a DSGVO (Consent)

Data transfer: Data may be transferred to Google servers in the USA.

Opt-out: You can disable Analytics in the app settings or via the consent dialog at first launch.

Retention period: Usage data is automatically deleted after 14 months.


3.7 Advertising Measurement and Conversion Tracking

3.7.1 Meta (Facebook) Pixel / SDK

We use the Meta SDK to measure the effectiveness of our advertising campaigns on Facebook and Instagram.

Provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland

Data collected (only with your consent):

  • Advertising ID (IDFA)
  • App install events
  • In-app purchases (aggregated, without personal data)
  • Custom events (e.g., "Trial started", "Subscription completed")

Purpose: Measurement of advertising effectiveness, creation of Custom Audiences, optimization of advertising campaigns

Legal basis: Art. 6 Abs. 1 lit. a DSGVO (Consent)

Data transfer: Data is transferred to Meta servers, which may also be located in the USA. The transfer is based on Standard Contractual Clauses.

Opt-out: You can decline Meta tracking:

  • At first app launch via the consent dialog
  • In the app settings under "Privacy"
  • Via the iOS settings under "Privacy & Security" > "Tracking"

More information: https://www.facebook.com/privacy/policy

3.7.2 Google Ads Conversion Tracking

We use Google Ads to measure the effectiveness of our Google advertising campaigns.

Provider: Google Ireland Limited

Data collected (only with your consent):

  • Advertising ID (IDFA)
  • App install events
  • Conversion events

Purpose: Measurement of advertising effectiveness, remarketing

Legal basis: Art. 6 Abs. 1 lit. a DSGVO (Consent)

Opt-out: Via the consent dialog or in the app settings

More information: https://policies.google.com/privacy


3.8 Apple App Tracking Transparency (ATT)

In accordance with Apple's policies, we ask for your permission before tracking. When you first launch the app, the Apple dialog "Allow App to Track" appears.

If you choose "Allow":

  • We can measure your activities for advertising purposes
  • You may receive more relevant advertising

If you choose "Ask App Not to Track":

  • No tracking for advertising purposes
  • Anonymous usage statistics are still possible (if separately consented to)

You can change your decision at any time under: iOS Settings > Privacy & Security > Tracking


3.9 Stripe (Web Payment Processing)

Subscriptions purchased through our website (qurai.io) are processed via Stripe.

Provider: Stripe Inc., 354 Oyster Point Blvd, South San Francisco, CA 94080, USA / Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Dublin 2, Ireland

Data processed:

  • Email address
  • Payment information (credit card, etc. — processed directly by Stripe; we do not receive full card details)
  • Subscription status, transaction ID, purchase date

Legal basis: Art. 6 Abs. 1 lit. b DSGVO (Performance of contract)

Data Processing Agreement: The Stripe DPA is automatically included in the Stripe Terms of Service (stripe.com/legal/dpa).

Data transfer: Stripe Payments Europe (Ireland) processes European payments. Stripe Inc. (USA) may act as a sub-processor. The transfer is based on the EU-US Data Privacy Framework and Standard Contractual Clauses.

More information: https://stripe.com/privacy


3.10 Rewardful (Affiliate Tracking)

For our partner program, we use Rewardful, an affiliate tracking service. Rewardful sets a cookie when a visitor arrives at our website via an affiliate link and attributes a subsequent conversion (subscription purchase) to the respective partner.

Provider: Rewardful Inc., USA

Data collected (only with your consent — marketing cookies):

  • Referral cookie (contains an anonymous affiliate reference ID)
  • Click timestamp of the affiliate link
  • Conversion data (whether a subscription was purchased)

What we do NOT collect via Rewardful:

  • Your email address or login credentials
  • Your payment information
  • Personally identifiable information

Cookie duration: 60 days

Legal basis: Art. 6 Abs. 1 lit. a DSGVO (Consent). The Rewardful script is only loaded when you accept marketing cookies in our cookie banner. Without your consent, no affiliate tracking takes place.

Opt-out: You can decline or revoke marketing cookies at any time via our cookie banner. Upon revocation, the Rewardful cookie is automatically deleted.

More information: https://www.rewardful.com/trust


3.11 Apple In-App Purchases

Subscriptions are processed through Apple's In-App Purchase system.

Provider: Apple Distribution International Ltd., Hollyhill Industrial Estate, Hollyhill, Cork, Ireland

Data processed:

  • Transaction ID
  • Subscription status (active/cancelled/expired)
  • Purchase date and expiration date

What we do NOT receive:

  • Payment information (credit card, etc.)
  • Apple ID

Legal basis: Art. 6 Abs. 1 lit. b DSGVO (Performance of contract)

More information: https://www.apple.com/legal/privacy/


4. Retention Period

| Data type | Retention period |
|-----------|-----------------|
| Account data | Until deletion of your account |
| Content (notes, scripts) | Until deletion of your account |
| Crashlytics data | 90 days |
| Analytics data | 14 months |
| Advertising tracking data | 180 days |

After deletion of your account, all your data will be irrevocably deleted within 30 days.


5. Your Rights

You have the following rights regarding your personal data:

5.1 Right of Access (Art. 15 DSGVO)

You can request information about the data we process.

5.2 Right to Rectification (Art. 16 DSGVO)

You can request the correction of inaccurate data.

5.3 Right to Erasure (Art. 17 DSGVO)

You can request the deletion of your data.

How to delete your account:

  1. Open the Qurai app
  2. Go to Settings > Account
  3. Tap "Delete Account"
  4. Confirm the deletion

All your data will be completely deleted within 30 days.

5.4 Right to Restriction of Processing (Art. 18 DSGVO)

You can request the restriction of processing.

5.5 Right to Data Portability (Art. 20 DSGVO)

You can receive your data in a structured format.

How to export your data:

  1. Open the Qurai app
  2. Go to Settings > Privacy > Export Data

5.6 Right to Object (Art. 21 DSGVO)

You can object to the processing of your data.

5.7 Right to Withdraw Consent (Art. 7 Abs. 3 DSGVO)

You can withdraw any consent given (e.g., for tracking) at any time:

  • In the app under Settings > Privacy
  • Via the iOS settings under Tracking

The withdrawal does not affect the lawfulness of the processing carried out prior to the withdrawal.

5.8 Right to Lodge a Complaint (Art. 77 DSGVO)

You have the right to lodge a complaint with a data protection supervisory authority:

State Commissioner for Data Protection and Freedom of Information Baden-Württemberg
Postfach 10 29 32
70025 Stuttgart
https://www.baden-wuerttemberg.datenschutz.de


6. Consent and Consent Management

6.1 Consent Dialog at First Launch

At first launch of the app, we show you a consent dialog where you can decide:

Required data processing (always active):

  • Firebase Authentication (for login)
  • Cloud Firestore (for data storage)
  • Cloud Functions (for AI generation)

Optional data processing (your choice):

  • ☐ Crashlytics (crash reports)
  • ☐ Google Analytics (usage analysis)
  • ☐ Meta/Google Ads (advertising measurement)

6.2 AI Data Processing Notice

Before you use an AI feature for the first time (e.g., script generation, idea generator), the app displays a notice informing you:

  • Which data is sent to which services (Anthropic Claude, Google Cloud, Jina AI, AssemblyAI, xAI Grok)
  • That processing is coordinated through our backend in the EU (Frankfurt)
  • That your data is not used for AI training

This notice appears once and must be acknowledged before AI features can be used. If there are significant changes to the services used, the notice will be displayed again.

6.3 Changing Your Settings

You can change your settings at any time under: App > Settings > Privacy


7. Data Security

We implement the following technical and organizational measures to protect your data:

  • Encryption: All data transfers are made via TLS/SSL-encrypted connections
  • Password hashing: Passwords are stored using secure hashing algorithms
  • EU servers: Your content is stored exclusively on servers in the EU
  • Access control: Only authorized personnel have access to backend systems
  • Regular updates: We regularly update our security measures

8. Data Transfers to Third Countries

The following data may be transferred to the USA:

| Service | Data | Legal basis |
|---------|------|------------|
| Anthropic Claude | Notes, onboarding data, images (for content generation) | Art. 6 Abs. 1 lit. b DSGVO (Performance of contract) + Standard Contractual Clauses |
| xAI Grok | Brand profile data (for trend search) | Art. 6 Abs. 1 lit. b DSGVO (Performance of contract) + Standard Contractual Clauses |
| Firebase Auth | Login data | EU-US Data Privacy Framework |
| Crashlytics | Crash reports | EU-US Data Privacy Framework |
| Google Analytics | Usage data | EU-US Data Privacy Framework + Consent |
| Meta SDK | Advertising data | Standard Contractual Clauses + Consent |
| Stripe | Payment data | EU-US Data Privacy Framework + Performance of contract |
| Rewardful | Referral cookie, conversion data | Consent (marketing cookies) |

Note on Stripe: European payments are processed through Stripe Payments Europe (Ireland). Stripe Inc. (USA) may act as a sub-processor.

Note on Jina AI: Jina AI is based in Berlin, Germany. No data transfer to third countries takes place when using Jina AI.

Note on Anthropic: Although Anthropic is based in the USA, all API requests are routed through our backend in the EU (Frankfurt). Anthropic does not use data sent via the API to train its models.

Google LLC is certified under the EU-US Data Privacy Framework, which ensures an adequate level of data protection.


9. Minors

Qurai is intended for adults (coaches, consultants, entrepreneurs). The app is not intended for persons under 16 years of age. We do not knowingly collect data from minors under the age of 16.


10. Changes to This Privacy Policy

We reserve the right to update this privacy policy to adapt it to changed legal requirements or new features. The current version is always available at:

https://qurai.io/datenschutz

We will inform you of significant changes within the app.


11. Contact

If you have questions about data protection or wish to exercise your rights, please contact us:

Email: datenschutz@qurai.io

We will process your request as quickly as possible, no later than within 30 days.


© 2025–2026 Özgür Ergül – Qurai