← Back

Legal

Privacy Policy

Last updated: June 2025 — Note: this policy has not been reviewed by a lawyer. It represents our genuine intent, but should not be treated as legal advice.

Who we are

Gherkin is a personal project operated by Lucy Sasvari, based in Germany. For any privacy-related questions, contact: lucysasvari@gmail.com

What we collect and why

Account information

Your email address and name, collected at sign-up via Clerk. Used to identify your account and allow you to log in. Legal basis: contract performance.

Your reflections

The answers you write in response to prompts. Stored in our database and used to surface patterns in who you are over time. Legal basis: contract performance and your explicit consent when you choose to reflect.

Semantic embeddings

A numerical representation of your reflection text, used to power our recommendation engine (RAG). These vectors cannot be meaningfully reversed into your original text. Legal basis: legitimate interest in providing the core feature.

Onboarding preferences

Your answers during onboarding (e.g. topics of interest). Used to personalise your experience. Legal basis: contract performance.

Who we share your data with

We use a small number of third-party services to run Gherkin. All are processors acting on our behalf.

  • Clerk — authentication and account management (US)
  • Neon — database hosting, EU region (AWS eu-central-1, Frankfurt)
  • Vercel — application hosting (US)
  • Anthropic — AI text generation for tone rendering (US)
  • OpenAI — semantic embeddings only, no reflection text stored (US)
  • Upstash — rate limiting, request counts only (US)

Some of these services are based in the United States. Data transfers are covered by Standard Contractual Clauses (SCCs) or equivalent safeguards where required by GDPR.

Your rights

Under GDPR, you have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate data
  • Request deletion of your data (“right to be forgotten”)
  • Request a portable copy of your data in a common format
  • Object to processing based on legitimate interest
  • Withdraw consent at any time

To exercise any of these rights, email us at lucysasvari@gmail.com. We will respond within 30 days.

You also have the right to lodge a complaint with the German data protection supervisory authority, the Bundesbeauftragter für den Datenschutz und die Informationsfreiheit (BfDI).

Data retention

We retain your data for as long as your account is active. If you delete your account, we will delete your reflections, embeddings, and preferences within 30 days. Account data held by Clerk follows their own retention policy.

Governing law

This policy is governed by the laws of the Federal Republic of Germany and the General Data Protection Regulation (GDPR).