TalebuddyTalebuddy← Back

Legal

Privacy Policy

Last updated: 8 March 2026

1. Introduction

This Privacy Policy explains how Kadima Technology ("we", "us", "our") collects, uses, stores, and shares information when you use Talebuddy ("the Service"). By using the Service you agree to the practices described in this policy.

We are committed to processing your data in accordance with the General Data Protection Regulation (GDPR), the Dutch Implementation Act (UAVG), and other applicable data protection laws.

2. Data We Collect

2.1 Account data

When you create an account we collect your email address and, if you choose to provide it, a display name. We use this to authenticate you and communicate with you about the Service.

2.2 Content data

The documents, notes, and other content you create in Talebuddy ("Your Content") are stored on our servers so they can be synced across your devices. If you use the Obsidian Vault integration, we also store the credentials you provide to connect to your self-hosted CouchDB instance; we do not store or access the vault content itself beyond what is necessary to serve the feature to you.

2.3 AI interaction data

When you use AI features, the text you submit as a prompt (and the context around it, such as selected paragraphs) is sent to an AI provider. Depending on your plan and configuration this may be:

  • On-device (local AI): All processing happens on your device using a locally-run model (Google Gemma). No prompt data is sent to our servers or to Google for local AI features.
  • Cloud AI: Prompts are sent to third-party providers (Google Gemini, Anthropic Claude, DeepSeek, Qwen) via our server. We do not persistently store the content of your prompts or AI outputs beyond the time needed to return the response to you.

2.4 Usage and diagnostic data

We collect anonymised usage metrics (e.g. which features are used, session duration, error rates) to improve the Service. This data does not contain the content of your documents. We may also collect crash reports that include device type, OS version, and a stack trace.

2.5 Payment data

Subscription payments are processed by our payment processor. We do not store full payment card details; we receive only a payment token, the last four digits of your card, and transaction status.

2.6 Communications

If you contact us by email or through the in-app feedback form, we retain the content of that communication and your email address to respond to you and improve the Service.

3. Legal Basis for Processing

We process your personal data on the following legal bases under GDPR Article 6:

  • Contract performance (Art. 6(1)(b)): Account data, content data, and payment data — necessary to provide the Service you have subscribed to.
  • Legitimate interests (Art. 6(1)(f)): Usage and diagnostic data — we have a legitimate interest in maintaining, improving, and securing the Service, balanced against your privacy interests.
  • Legal obligation (Art. 6(1)(c)): Where we are required to retain or disclose data by applicable law.
  • Consent (Art. 6(1)(a)): Where we ask for your consent for optional processing (e.g. marketing communications); you may withdraw consent at any time.

4. How We Use Your Data

  • Providing and maintaining the Service, including syncing your content across devices.
  • Authenticating you and protecting your account.
  • Processing payments and managing subscriptions.
  • Routing AI prompts to the appropriate provider and returning responses to you.
  • Sending transactional emails (account confirmation, password reset, billing receipts).
  • Sending service announcements and, with your consent, product updates and offers.
  • Analysing anonymised usage data to understand how features are used and guide product decisions.
  • Detecting, investigating, and preventing abuse, fraud, and violations of our Terms of Service.
  • Complying with legal obligations.

5. AI Providers & Data Sharing

When you use cloud AI features, your prompt text is transmitted to third-party AI providers. Each provider has its own privacy policy and data retention practices:

  • Google (Gemini): Subject to Google's privacy policy and API data usage terms.
  • Anthropic (Claude): Subject to Anthropic's privacy policy and usage policies.
  • DeepSeek: Subject to DeepSeek's privacy policy.
  • Qwen / Alibaba Cloud: Subject to Alibaba Cloud's privacy policy.

We encourage you to review the privacy policies of these providers. By using cloud AI features, you acknowledge that your prompts will be processed by the selected provider under their terms. We select providers that offer appropriate contractual protections, but we are not responsible for third-party data handling beyond our contractual arrangements with them.

For local AI (Gemma), prompt data never leaves your device. No personal data is sent to Google or to us when using local AI features.

6. Data Sharing with Third Parties

We do not sell your personal data. We may share data with third parties only in the following circumstances:

  • Service providers: Infrastructure providers (cloud hosting, CDN, email delivery, payment processing) who process data on our behalf under data processing agreements.
  • AI providers: As described in Section 5.
  • Legal requirements: Where required by law, court order, or to protect the rights, property, or safety of Kadima Technology, its users, or the public.
  • Business transfers: In connection with a merger, acquisition, or sale of assets, with notice to you and subject to equivalent data protection commitments.

7. Data Retention

We retain your account and content data for as long as your account is active. If you delete your account, we will delete or anonymise your personal data within 30 days, except where we are required by law to retain it longer (e.g. financial records for tax purposes, which may be retained for up to 7 years).

Anonymised usage metrics are retained indefinitely as they do not identify you. Support communications are retained for up to 2 years after the matter is resolved.

8. International Data Transfers

Kadima Technology is based in the Netherlands (EU). Some of our service providers and AI providers are based outside the European Economic Area (EEA). Where we transfer data outside the EEA, we ensure appropriate safeguards are in place, such as the European Commission's Standard Contractual Clauses (SCCs) or an adequacy decision.

9. Security

We implement industry-standard technical and organisational measures to protect your data, including encryption in transit (TLS) and at rest, access controls, and regular security reviews. However, no system is completely secure; you use the Service at your own risk and are responsible for keeping your account credentials confidential.

10. Your Rights

Under the GDPR and applicable law, you have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you.
  • Rectification: Request correction of inaccurate or incomplete data.
  • Erasure ("right to be forgotten"): Request deletion of your personal data, subject to legal retention obligations.
  • Restriction: Request that we limit processing of your data in certain circumstances.
  • Portability: Receive your data in a structured, machine-readable format and transmit it to another controller.
  • Objection: Object to processing based on legitimate interests or for direct marketing purposes.
  • Withdraw consent: Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at privacy@kadima-tech.com. We will respond within 30 days. You also have the right to lodge a complaint with your national supervisory authority. In the Netherlands this is the Autoriteit Persoonsgegevens.

11. Cookies & Local Storage

We use cookies and browser local storage for the following purposes:

  • Essential: Session authentication tokens and user preferences required to provide the Service. These cannot be disabled without affecting functionality.
  • Analytics: Anonymised usage metrics (if you have not opted out). You can disable these in your account settings.

We do not use cookies for advertising or cross-site tracking. You can control cookies through your browser settings, but disabling essential cookies may prevent you from using the Service.

12. Children

The Service is not directed at children under 13 (or the applicable minimum age in your jurisdiction). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will promptly delete it.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the revised policy with an updated date and, where appropriate, by email. Continued use of the Service after changes take effect constitutes acceptance of the updated policy.

14. Contact & Data Controller

Kadima Technology is the data controller for your personal data. If you have questions, concerns, or requests relating to this policy or your data, please contact our privacy team:

privacy@kadima-tech.com

Kadima Technology
Haelen, the Netherlands