Savor Privacy Policy

Last updated: June 8, 2026

In short: Savor is built around your intentions — not ads, not data brokerage, and not surprise sharing.

Most of what you capture in the app stays on your device in a local database.
When you use AI-assisted capture, we send feature-specific content to our backend (and OpenAI when needed) — not your full database or account profile. See "When we use AI providers" for details.
We use aggregated, content-free analytics to improve the product — not task text, and not for advertising.
On this website, joining early access stores your email so we can send a welcome message and manage the waitlist.
We do not sell your personal information for money, and we do not broker or rent it. Limited website marketing measurement is described in "Sale, sharing, and marketing measurement."

What Savor Is

Savor is a calm capture app for intentions — things you want to remember, organize, revisit, or act on later. On the surface it feels simple; underneath it is designed as a privacy-preserving layer for user-owned intent.

This policy covers savorapp.ai (our website and early-access signup) and the Savor mobile app for iOS and Android. Where website and app practices differ, we say so plainly.

Information We Collect

Email / Early Access Signup (Website)

When you submit your email on savorapp.ai (hero or footer waitlist), we collect:

Your email address (normalized to lowercase)
Which CTA you used (hero or footer)
A one-time event identifier used to deduplicate signup events and emails
Standard request metadata our servers see: IP address and browser user agent
Meta browser cookies (_fbp, _fbc) when present and when our Meta Pixel is enabled

We store leads in Google Firebase Firestore and may send a transactional welcome email through Resend. We also report a hashed version of your email to Meta Conversions API for marketing measurement when that integration is configured — not the raw email. See "Sale, sharing, and marketing measurement" for how this fits California privacy law.

App Account Information (Optional)

Savor works without an account. If you choose Sign in with Apple or Google (for sharing, backup, or workspaces), we receive:

Email address and display name (as provided by Apple or Google)
Provider identifiers used to authenticate you (Apple/Google subject IDs)
A session token stored on your device (90-day TTL per our backend auth settings)

Account records are stored in Firestore on our Google Cloud Run backend when you sign in.

Intent / Capture Content You Submit (App)

When you capture something in Savor, you may provide:

Typed text, voice audio, photos of bills or documents, or email forwards
Structured task fields the app derives (titles, dates, categories, notes)
Shared workspace cards you explicitly sync (title, section, dates, notes — only when signed in and using sharing)

Personal captures are stored locally on your device (SQLite). Content sent for AI parsing or transcription travels to our API and, where applicable, to OpenAI. See "How user intent data works" below.

Product Usage Data (App)

We collect privacy-safe analytics through Mixpanel when analytics is enabled in your build:

Anonymous device ID (anon_id) — a random UUID created on first launch
Feature events such as task created, screen viewed, voice input started, panel switched
Aggregated metadata only (counts, categories, timing buckets) — never task titles, notes, or voice transcripts

Our logger enforces a whitelist of allowed keys and blocks content fields in production.

Device / App / Browser Data

App: platform (iOS/Android), OS version, app version, device model (for diagnostics and error reports), timezone
Website: browser user agent, IP address, page URL for analytics events when Meta Pixel is active
App (optional): Meta SDK activation events when you redeem an early-access invite code on iOS (after App Tracking Transparency, if granted)

Payment / Subscription Data

Savor does not currently process in-app purchases or subscriptions in the codebase we ship today. If we add paid features later, purchases would be handled by Apple App Store or Google Play; we would update this policy before launch.

What We Do Not Do

We do not sell your personal information for money. We do not broker, rent, or otherwise monetize your information to data brokers. This commitment covers personal information broadly — not only private Savor Content.
We do not sell or share private Savor Content for advertising. Your captures are for your productivity, not ad targeting or behavioral profiling. App capture content is not sent to Meta, Mixpanel, or other advertising partners for marketing purposes.
We do not use your private Savor Content to train general-purpose AI models. We do not currently offer an opt-in to do so.
We do not expose user intent to partners without your direction or consent. AI providers receive only the content needed for the capture you requested — not your full database or account profile. Shared workspace cards are visible only to members you invite.
We do not include capture content in product analytics. Our analytics use aggregated, content-free metadata (such as success rates, timing, and task counts) — not task titles, notes, transcripts, or photos.
We do not require an account to use core capture features offline on your device.

How We Use Information

Provide the service: capture, organize, resurface, notify, share (when you opt in), and parse your inputs
Early access & website marketing: confirm waitlist signup, send welcome email, and measure campaign effectiveness through Meta Pixel / Conversions API when configured
Improve reliability: anonymous analytics, optional user-sent error reports (redacted), server logs
Security & abuse prevention: invite-code validation, rate limits, operational monitoring
Legal & compliance: respond to lawful requests where required

Third-Party Services / Subprocessors

Service	Role	Data shared
Vercel	Hosts savorapp.ai and serverless API routes	Request logs, IP, user agent; deployment metadata. No app intent content.
Firebase / Firestore	Waitlist lead storage; app user & workspace data (backend)	Website: email, hashes, attribution cookies, IP, user agent. App (when signed in): account fields, shared cards.
Resend	Transactional welcome email after waitlist signup	Recipient email address, email content
Meta Pixel / Meta Conversions API	Website conversion measurement (when `VITE_META_PIXEL_ID` is configured)	Hashed email on Lead events; page events; fbp/fbc cookies; IP; user agent. May qualify as sharing under California law. No private Savor Content.
Google Cloud Run	Hosts the Savor API (voice, photo, auth, inbox, invites)	Request payloads needed to fulfill each feature; truncated operational logs
OpenAI	Speech-to-text and AI parsing when you use capture features	The audio, image, or text you submit for that request.
Mixpanel	Privacy-safe product analytics (app)	`anon_id` and whitelisted event metadata — no capture text
Apple App Store / Google Play	App distribution; store links on website	Standard store install analytics (controlled by Apple/Google). No capture content.
Sign in with Apple / Google Sign-In	Optional federated authentication	Email, name, provider tokens during sign-in
Meta SDK (app, iOS)	Attribution when early-access code is activated	Standard app activation / registration events; invite metadata — only after ATT on iOS 14+
Firebase App Distribution	Internal/beta build distribution (CI pipeline)	Tester email addresses provided for beta access

How User Intent Data Works

Savor's intention layer is straightforward: you capture something in the moment, the app holds it outside your head, and brings it back when it is time to act — across Now, Next, Later, and Someday buckets, with gentle nudges if you enable notifications.

What Stays on Your Device

Your task/intent database (SQLite) — titles, notes, dates, categories, and settings
Your anonymous analytics ID (anon_id) and local error-report buffer (up to 50 recent errors)
Notification schedules created by the app locally

What Is Processed Externally (Only When You Use the Feature)

Voice: audio is sent to our API for transcription and parsing, which may call OpenAI — then deleted.
Photos / scans: images go to our API for text extraction and parsing, which may call OpenAI.
Typed capture: text you submit may be sent to our API for AI-assisted parsing.
Email-to-inbox: emails forwarded to your personal inbox address are stored temporarily on backend infrastructure, fetched into your device, then removed from server storage per our retention configuration.
Shared workspaces: only cards you sync while signed in are stored in Firestore for other workspace members you invite.

What Is Not Shared Externally

We do not post your intents to social networks
We do not include task text in Mixpanel analytics events
We do not give advertisers access to your capture history

When We Use AI Providers

When Savor uses an AI provider, the provider may receive the specific text, image, or audio you asked Savor to process. We design these requests so they do not include your full Savor database and, where possible, do not include direct identity information such as your name, email address, waitlist record, analytics ID (anon_id), or full account profile.

Savor uses third-party AI services — today, primarily OpenAI — only when you use a feature that needs them: voice transcription, photo parsing, or typed intent parsing.

What May Be Sent

Photo / bill scan: the image you choose is sent to our API, which may call OpenAI vision-capable models to read text and structure reminders.
Typed capture: the text you submit is sent to our API, which may call OpenAI chat models to parse intent into structured cards.

These are feature-specific payloads — the capture content for that action, not your entire task history.

Voice Captures

Voice is central to Savor. When you record a voice input, we convert it to text so we can understand your intention and help you capture it as structured reminders. Here is what happens:

Your device records a temporary audio file and sends it to our API over an encrypted connection.
Our API sends that audio to a third-party transcription service (today, OpenAI Whisper) to produce text.
The resulting transcript is sent through our parsing service to extract tasks, dates, and related fields.
Structured results are returned to your device and stored locally in your app database. The audio file is deleted on your device and on our servers after transcription completes.

We use voice recordings to operate the voice-capture feature — transcription and parsing for that request — not to retain audio for later model training or to build advertising profiles. Product analytics may record content-free metadata such as recording duration and word count; we do not include audio or transcript text in analytics events.

Biometrics: We do not create voiceprints or other biometric identifiers from your recordings, and we do not use your voice to identify you. Voice processing is speech-to-text for capture — not speaker recognition. If we ever introduced voiceprint or biometric voice identification, we would require appropriate notice and consent first.

Identity Separation and Data Minimization

Ordinary AI parsing requests are not sent with your account profile. We avoid attaching unnecessary identity information where the feature does not require it, including:

Your name or email address
Waitlist or early-access signup records
Your analytics ID (anon_id)
Your full local database or unrelated captures

This is deliberate data minimization — not a claim that every request is anonymous. Content you submit may still contain personal details if you include them in what you say, type, or photograph.

How It Is Transmitted

Data moves between your device, our servers (Google Cloud Run), and the AI provider over encrypted connections (HTTPS/TLS). OpenAI API keys are kept on our backend; production app builds are configured not to embed those keys in the client.

What Savor Does After Processing

On our API, voice audio and photos are generally handled as request-time inputs for that capture — we do not intend to keep them as a standing content archive on our servers. Parsed results are returned to your device; the personal copy of your intents stays in your local database unless you use optional sharing features.

AI Model Training

On Savor's side: We do not use your private Savor Content to train general-purpose AI models, and we do not currently offer a setting to opt in to such training. We do not build training datasets from your captures, voice audio, transcripts, photos, or task text.

When you use AI-assisted capture: Third-party providers (today, primarily OpenAI) process the specific text, image, or audio you submit for that request — so Savor can transcribe or parse it for you. That is feature operation, not Savor training a model on your content. Provider training and retention rules are separate; see "Provider policies and retention controls" below.

How we improve reliability and product experience instead: We use aggregated, content-free usage data — for example, whether a capture succeeded, how long parsing took, how many tasks were created, which feature was used, and app version or platform. We do not include task titles, notes, voice transcripts, photos, or other capture content in analytics events.

Our servers also log operational metrics about AI requests (for example, model used, latency, transcript word count, and tasks produced) to monitor quality and cost. These logs are not intended to retain the text of your captures as a standing archive. If you choose to send an error report, we may receive redacted diagnostic information (such as error messages and stack traces).

Future opt-in: If we ever introduce an optional program to use Savor Content for model training, we will ask for your explicit consent first, describe what would be included, and explain how you can withdraw consent.

Provider Policies and Retention Controls

OpenAI's published API data usage policies state that API customer data is not used to train OpenAI's models unless the customer has opted in. We rely on that published policy; we do not independently audit provider systems.

Where the OpenAI API supports it, our backend sets request options that decline optional provider storage for model evaluation and distillation (for example, store: false on chat-completions calls). We may also use OpenAI account-level Zero Data Retention (ZDR) settings where enabled, to further reduce provider-side retention windows. These controls reduce certain optional retention paths, but they are not the same as zero data retention overall — providers may still process and retain data for limited periods under their own policies, security, and legal obligations.

To avoid sending capture content to AI providers, use manual entry features that do not trigger AI parsing, voice transcription, photo scanning, or summarization.

Data Retention

Data type	Typical retention
App intents / tasks (local)	Until you delete them or uninstall the app
Voice audio sent for transcription	Deleted on device and our API after transcription; provider-side handling governed by OpenAI policies
Photo / text sent for AI parsing	Handled as request-time input on our API; provider-side retention governed by OpenAI's policies
Email-to-inbox (server)	Raw email: ~7–30 days; parsed metadata: up to ~90 days
Waitlist leads (website)	Stored in Firestore until deleted upon request
Invite signup (name + email)	Stored with invite redemption in Firestore until deleted upon request
Auth session tokens	90 days (backend JWT TTL)
Mixpanel analytics	Per Mixpanel project retention settings (anonymous IDs only)
User-sent error reports	Up to 50 recent errors on device; server copies per operational logging practices

Deletion and Your Rights

In the App

Delete individual captures anytime in the app
Uninstalling removes local data from your device (no cloud backup unless you used optional sign-in / sharing)
Disable notifications, microphone, or camera in system Settings at any time

By Email

Email support@savorapp.ai to request:

Deletion of waitlist or invite signup information
Deletion of optional account and shared workspace data
Deletion of analytics tied to your anon_id (include the ID if known)
A copy of personal data we hold about you, where applicable
Opt out of sale/sharing for website marketing measurement (California residents — see below)

We will verify the request and respond within a reasonable timeframe. Some operational logs may be retained where required for security, fraud prevention, or legal obligations.

Sale, Sharing, and Marketing Measurement

Savor's commitment is simple: we do not sell your information in the ordinary sense — we do not exchange personal information for money, and we do not operate a data-brokerage business. This section explains how that commitment fits together with (a) private Savor Content and (b) limited website marketing measurement that some privacy laws treat as "sharing" or, in some cases, a "sale."

What We Mean by Personal Information

Personal information means information that identifies, relates to, or could reasonably be linked with you or your household — for example, email address, IP address, device identifiers, or account details.

Private Savor Content means the intentions you capture in the app — typed text, voice-derived text, photos, notes, and structured task fields — whether stored on your device or processed through our APIs. It is a subset of personal information, but the protections below apply to all personal information, not only capture content.

What We Do Not Sell or Share for Advertising

We do not sell private Savor Content — or any app capture content — to anyone for any purpose.
We do not share private Savor Content with Meta, Mixpanel, data brokers, or other parties for cross-context behavioral advertising.
We do not receive money or other valuable consideration for disclosing personal information to third parties.

Website Marketing Measurement (Pixels, SDKs, and Campaign Effectiveness)

On savorapp.ai, when Meta Pixel and Conversions API are configured, we disclose limited personal information to Meta to measure whether our own marketing works — for example, page views, signup conversions, hashed email on lead events, browser cookies (_fbp, _fbc), IP address, and user agent. This helps us understand campaign effectiveness; it is not used to monetize or broker your private Savor Content.

Under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), certain disclosures to advertising and analytics platforms for cross-context behavioral advertising can be classified as sharing — and, in some interpretations, as a sale — even when we receive no payment. We describe this plainly so it is not hidden behind a narrower "we don't sell private Savor Content" statement.

In the mobile app, product analytics (Mixpanel) are designed to be content-free. The Meta SDK on iOS may send standard activation events when you redeem an early-access invite, only after App Tracking Transparency where required — not your capture content.

Categories Disclosed for Website Marketing (Last 12 Months)

When Meta measurement is enabled on the website, we may disclose:

Identifiers — hashed email (lead events), cookie IDs (_fbp, _fbc)
Internet or network activity — page views and conversion events (e.g. waitlist signup, thank-you page)
Device / technical data — IP address, user agent

Recipient: Meta Platforms (Pixel + Conversions API). Purpose: measure Savor's own advertising and signup funnel effectiveness — not to sell or broker private Savor Content.

Your Choices (Including California Residents)

If you are a California resident, you may have the right to:

Know what personal information we collect, use, and disclose
Request deletion or correction of personal information we hold
Opt out of the sale or sharing of personal information for cross-context behavioral advertising
Not receive discriminatory treatment for exercising these rights

To opt out of sale/sharing for website marketing measurement, email support@savorapp.ai with the subject line California Privacy — Do Not Sell or Share. Include the email address you used on the waitlist, if any. We will honor verified requests within the timeframes required by law.

If your browser sends a Global Privacy Control (GPC) signal, we treat it as a request to opt out of sale/sharing where we can technically honor it on savorapp.ai. You can also limit cookies through your browser settings.

Our plain-English position: we do not sell your information for money, and we do not sell or share your private Savor Content for advertising. We do use limited website disclosures to Meta for marketing measurement, and we describe that here because California law may classify it as sharing — even when that is not what people ordinarily mean by "selling your data."

Security

HTTPS/TLS for data in transit between app, website, and our APIs
Server-side API keys (OpenAI, etc.) kept off the mobile client in production config guidance
Privacy-safe analytics enforcement — content fields blocked in production logging
Firestore rules deny direct client access to waitlist leads

No method of electronic storage or transmission is 100% secure. We work to protect your information and review our practices as the product grows.

Children's Privacy

Savor is a general-audience productivity tool, not directed at children under 13. We do not knowingly collect personal information from children under 13 through the website waitlist without appropriate consent.

Voice and camera features in the app may send content for processing; parents can deny those permissions in device Settings and children can still type captures. If you believe we have collected a child's personal information, contact us and we will delete it.

Changes to This Policy

We may update this policy as features evolve (for example, optional accounts, sharing, or subscriptions). We will update the "Last updated" date at the top. Material changes may also be noted in the app or on this page.

Contact

Questions, concerns, or privacy requests:

Email: support@savorapp.ai
Website: savorapp.ai