Legal
Keepsake Privacy Policy / Data Protection
How Keepsake handles local app data, optional voice API data, AI processing, hosting, domain, logging, in-app purchase processing, and placeholder-based pseudonymization of capture text.
Last updated: July 5, 2026Controller and contact
Controller: Elias Anderlohr, elch.cc, Heidestraße 23, 60316 Frankfurt am Main, Germany.
Privacy and data protection requests can be sent to keepsake@elch.cc. You can also call +49 156 79713762.
Local app data
Keepsake is local-first. Saved facts/cards, reminders, learned autocomplete suggestions, settings, imports, and attached photos are stored on your device unless you choose to export, share, delete, or upload something.
No account is required for the app. The app does not sync your saved cards to the Keepsake API.
Keepsake does not add app-level encryption to local app storage or local attachment files. Treat the app as a memory aid for everyday facts, not as a password manager or secure vault. Do not store passwords, recovery phrases, bank details, full identity document numbers, medical secrets, or other confidential data.
Voice API data
Voice capture is optional and creates a short-lived API session when you record.
The app uploads the audio file with minimal processing context. The API keeps the audio in memory while it is being processed and clears the audio buffer after processing or failure.
The API stores short-lived session and segment records containing status, transcript only when needed for review, retry, or explicitly enabled debugging, candidate cards, sensitive-data warnings, upload size, and timestamps. Candidate cards are returned to the app so you can review them before saving locally.
After the app finalizes a voice session and receives the merged candidate cards, the API immediately deletes the server-side session record, segment records, review transcripts, and parsed candidate-card records for that session. If a session is abandoned before finalization, the retention cleanup removes segment records after about 45 minutes.
AI processing
Keepsake currently uses Mistral AI SAS for voice transcription and text-to-card parsing: Mistral AI SAS, 15 rue des Halles, 75001 Paris, France.
Audio is sent for transcription. Typed, file, pasted, and OCR text is pseudonymized on-device with typed placeholders before parsing, while local-only placeholder mappings stay on the device. The API applies a second placeholder redaction pass as defense in depth before text is sent to the AI provider.
The AI provider receives placeholder text rather than the original detected sensitive values for text-based capture flows. Keepsake restores those placeholder values locally for review after parsing and marks sensitive fields so they stay out of system search by default.
Raw AI provider responses are not stored by the Keepsake API. Operational logs record provider events and metadata, not transcript text or parsed card content.
In-app purchases and RevenueCat
Keepsake may offer optional paid features through in-app purchases. Purchases are processed by the app store provider used on your device, such as Apple App Store or Google Play.
Keepsake uses RevenueCat, Inc., 1032 E Brandon Blvd #3003, Brandon, FL 33511, United States, to manage in-app purchase status, receipt validation, entitlement access, purchase restoration, and purchase analytics.
When you buy, restore, or check access to paid features, RevenueCat may process technical and transaction-related data such as an anonymous app user ID, device and operating system information, app version, product identifiers, entitlement status, purchase history, Apple receipt data, Google purchase tokens, timestamps, locale or currency information, and related diagnostic metadata.
Keepsake does not send saved cards, attached photos, voice recordings, transcripts, parsed card content, passwords, or other Vault content to RevenueCat. Keepsake should use RevenueCat's anonymous app user ID flow unless this policy is updated to disclose additional customer attributes.
RevenueCat processes this purchase-related end-user data on behalf of Keepsake. RevenueCat states that customer data is stored on AWS infrastructure in the United States and uses contractual safeguards for international transfers where required.
Hosting and domain
The Keepsake API runs on European server infrastructure hosted by STRATO GmbH, Otto-Ostrowski-Straße 7, 10249 Berlin, Germany. Server-side API processing and short-lived voice session data are handled on this German-hosted infrastructure.
The elch.cc domain used for the API is registered and managed through GoDaddy. Domain registration and DNS providers may process technical domain and DNS data; Keepsake API application data is hosted on STRATO.
The AI processor used for transcription and parsing is Mistral AI SAS in France. This means the current voice and text parsing setup is European: the Keepsake API is hosted in Germany and AI processing is performed by a French provider.
Purchase status and receipt validation use RevenueCat, Inc. in the United States, separate from the Keepsake API hosting stack.
Retention
- Uploaded audio is held only in memory while the segment is processed and is cleared immediately after transcription/parsing completes or fails.
- Parsed candidate-card records, review transcripts, and segment metadata are deleted immediately when the app finalizes the voice session and receives the merged result.
- Voice sessions expire after about 10 minutes.
- Upload tokens expire after about 30 minutes.
- If a voice session is abandoned before finalization, voice segment records are cleaned up after about 45 minutes.
- Operational logs record request and processing metadata such as request IDs, route paths, status codes, segment IDs, byte sizes, provider names, model names, and errors. They are used for security, debugging, abuse prevention, and service operation.
Security and minimization
- The API uses HTTPS in production, upload tokens, request size limits, rate limits, and short retention windows.
- Request logging records method, path, status, and request IDs. The API does not intentionally log transcript text, prompt text, or parsed candidate-card content.
- For typed, pasted, file, and OCR text flows, the app replaces detected sensitive values with typed placeholders before sending text for parsing and keeps the placeholder mappings local to the capture session. The API runs an additional placeholder-based protection pass before model parsing.
- Automated placeholder detection and redaction are imperfect. Do not speak or upload passwords, recovery phrases, bank secrets, full identity document numbers, or other highly confidential data.
Legal bases and rights
Where the GDPR applies, processing is based on providing the requested service, protecting the service from abuse, your decision to use optional voice capture, and providing paid app functionality including purchase validation and purchase restoration where applicable. You may request access, correction, deletion, restriction, portability, or objection where applicable.
Purchase-related processing is also used to prevent fraud or abuse and to comply with legal obligations related to purchase records. Some purchase records may also be retained by Apple, Google, RevenueCat, or other service providers for legal, tax, fraud-prevention, or platform reasons.
You may also complain to a competent data protection authority. Because the API stores voice processing data only briefly, deletion requests should be made as soon as possible after a voice session.