Privacy Policy
Last updated: March 17, 2026
1. Who We Are
Readmember is operated by Marko Lumbar, an individual based in Koper, Slovenia. As the operator, Marko Lumbar is the Data Controller under GDPR Article 4(7).
Contact: hello@readmember.com
2. What Data We Collect
- Account data: Email address and name, provided during registration or via Google OAuth.
- Content data: Book titles, highlight text, page numbers, chapter names, and personal notes you enter.
- Review data: Spaced repetition history (quality scores, review intervals, repetition counts).
- OCR images: Photos you upload for text extraction via Google Cloud Vision. Images are not stored — they are processed and immediately discarded. Only the extracted text is retained.
- Server log data: IP addresses, browser type, and request timestamps automatically logged by Vercel infrastructure. This data is not actively analyzed by us.
3. Why We Collect It (Legal Basis)
| Data | Purpose | Legal Basis |
|---|---|---|
| Account data | Authentication and service provision | Contract performance (Art. 6(1)(b)) |
| Content data | Core app functionality | Contract performance (Art. 6(1)(b)) |
| Review history | Spaced repetition algorithm | Contract performance (Art. 6(1)(b)) |
| Email address (digest) | Daily email digest (opted-in feature) | Contract performance (Art. 6(1)(b)) |
| Analytics (future) | Product improvement | Consent (Art. 6(1)(a)) |
| Log data | Security and abuse prevention | Legitimate interest (Art. 6(1)(f)) |
4. Third-Party Data Processors
Data processing agreements are in place via each processor's standard DPA, accepted at account creation with each provider.
| Processor | Purpose | Location | Transfer Mechanism |
|---|---|---|---|
| Supabase | Authentication + database | EU (AWS eu-central-1) | EU-based, no transfer |
| Anthropic | AI categorization of highlights | USA | Standard Contractual Clauses (SCCs) |
| Google Cloud Vision | OCR text extraction | USA | Standard Contractual Clauses (SCCs) |
| Resend | Transactional email | USA | Standard Contractual Clauses (SCCs) |
| Vercel | Web hosting + CDN | USA/EU | Standard Contractual Clauses (SCCs) |
5. International Data Transfers
Data transferred to US-based processors (Anthropic, Google, Resend, Vercel) is protected by Standard Contractual Clauses (SCCs) approved by the European Commission under GDPR Article 46(2)(c).
6. AI-Assisted Categorization
Readmember uses AI (Claude Haiku by Anthropic) to suggest category labels for your highlights. This does not constitute automated decision-making under GDPR Article 22, as it produces no legal or similarly significant effects — it is a convenience feature. You can always override or change any AI-suggested category manually, and manual category selection is always available.
7. Data Retention
| Data | Retention Period |
|---|---|
| Account + content data | Until account deletion |
| Email logs (Resend) | 30 days |
| Server logs (Vercel) | 30 days |
| OCR images | Not stored (deleted immediately after processing) |
| Backups | Up to 30 days after deletion request |
8. Minimum Age
Readmember is not intended for persons under 15 years of age — the age of digital consent in Slovenia under ZVOP-2 Article 113. By registering, you confirm you are at least 15 years old.
9. Your Rights Under GDPR
- Right of access (Art. 15): Request a copy of your personal data.
- Right to rectification (Art. 16): Correct inaccurate data.
- Right to erasure (Art. 17): Request deletion of your data (“right to be forgotten”).
- Right to restrict processing (Art. 18): Limit how your data is used.
- Right to data portability (Art. 20): Receive your data in a machine-readable format.
- Right to object (Art. 21): Object to processing based on legitimate interest.
- Right to withdraw consent (Art. 7(3)): Where processing is based on your consent (e.g. analytics cookies), you may withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any right, email hello@readmember.com. We respond within 30 days.
10. No Data Selling
We do not sell, rent, or trade your personal data to any third party.
11. Security Measures
- All data in transit is encrypted via HTTPS/TLS 1.2+.
- Data at rest is encrypted by Supabase (AES-256).
- Access to production systems is restricted to the data controller.
- Row-level security is enforced at the database level.
12. Data Breaches
In the event of a personal data breach, we will notify the Information Commissioner of the Republic of Slovenia (IP RS) within 72 hours and affected users without undue delay, as required by GDPR Articles 33–34.
13. Supervisory Authority
You have the right to lodge a complaint with:
Informacijski pooblaščenec (IP RS)
Dunajska cesta 22, 1000 Ljubljana, Slovenia
Email: gp.ip@ip-rs.si
Website: www.ip-rs.si
14. Changes to This Policy
For material changes, we will notify you by email at least 30 days before the change takes effect. Minor changes (corrections, clarifications) will be reflected with an updated “Last updated” date. Continued use of the service after the effective date constitutes acceptance.
15. Analytics (Future)
We may add analytics tools (e.g. Google Analytics, PostHog) in the future. Before doing so, this policy will be updated and you will be asked for explicit consent via our cookie consent banner.
16. Cookies
For full information about the cookies and localStorage values we use, see our Cookie Policy.