Privacy Policy

Last updated: February 11, 2026

1. Data Controller

The data controller responsible for the processing of your personal data is:

Busch & Busch GbR

Untere Zahlbacher Str. 6a

55131 Mainz, Germany

Email: privacy@getlevin.com

2. What Levin Does

Levin is a personal thought and task management app. You can capture thoughts via text or voice, and Levin uses artificial intelligence to analyze your messages, extract tasks, and help you organize your thinking. This privacy policy explains what data we collect, why, and how we protect it.

3. Data We Collect

Account Data

When you create an account, we collect your email address, display name, and profile picture URL from your authentication provider (Apple, Google, or email). This data is necessary to provide and secure your account.

Legal basis: Contract performance (Art. 6(1)(b) GDPR)

User-Generated Content

Thoughts, tasks, topics, notes, and tags that you create within Levin. This is the core content of the service.

Legal basis: Contract performance (Art. 6(1)(b) GDPR)

Voice Recordings

When you use the voice input feature, your audio recording is sent to our server and forwarded to OpenAI's Whisper API for transcription. The audio data is processed transiently and is not stored permanently by us. OpenAI may retain the data for up to 30 days for abuse monitoring, after which it is deleted.

Legal basis: Consent (Art. 6(1)(a) GDPR) — granted when you activate the microphone

AI Analysis Data

When you send a message, its text content is transmitted to OpenAI's API for analysis. The AI extracts potential tasks, topics, and insights from your messages. We also generate vector embeddings (mathematical representations) of your content to enable semantic search and suggestions. These embeddings are stored alongside your content in our database.

Legal basis: Contract performance (Art. 6(1)(b) GDPR)

Push Notification Tokens

If you enable push notifications, we store your device's push notification token to send you reminders and updates.

Legal basis: Consent (Art. 6(1)(a) GDPR)

Usage Data

We track credit usage (number of AI analysis requests) to manage your monthly free tier allocation. We do not use third-party analytics or tracking SDKs.

Legal basis: Contract performance (Art. 6(1)(b) GDPR)

4. What We Do Not Collect

  • We do not use advertising SDKs or ad trackers
  • We do not track you across other apps or websites
  • We do not sell your data to third parties
  • We do not collect location data
  • We do not access your contacts, photos, or camera

5. Third-Party Services

Clerk (Authentication)

We use Clerk for user authentication (sign-in with Apple, Google, or email). Clerk receives your email address, name, and profile picture to manage your session. Clerk is based in the United States and operates under Standard Contractual Clauses for EU data transfers.

Privacy policy: clerk.com/legal/privacy

OpenAI (AI Analysis & Transcription)

Your message text and voice recordings are sent to OpenAI's API for analysis and transcription. OpenAI processes this data as a sub-processor and does not use API data to train its models. OpenAI may retain API inputs and outputs for up to 30 days for abuse and misuse monitoring, after which the data is deleted. OpenAI is based in the United States and operates under Standard Contractual Clauses for EU data transfers.

Privacy policy: openai.com/policies/privacy-policy

Expo (Push Notifications)

We use Expo's push notification service to deliver notifications to your device. Expo receives your device push token and notification content.

Privacy policy: expo.dev/privacy

6. International Data Transfers

Some of our service providers (Clerk, OpenAI, Expo) are based in the United States. When your data is transferred outside the European Economic Area, we ensure adequate protection through EU Standard Contractual Clauses (SCCs) as approved by the European Commission. You may request a copy of the applicable safeguards by contacting us.

7. Data Retention

Account & content data: Retained for as long as your account is active. When you delete your account, all your data (thoughts, tasks, topics, embeddings, analysis results, and notification tokens) is permanently and irreversibly deleted.

Voice recordings: Processed transiently during transcription and not stored permanently by Levin. OpenAI may retain them for up to 30 days per its API data retention policy.

Server logs: Retained for a maximum of 30 days for error monitoring, then automatically deleted.

8. Your Rights Under GDPR

As a data subject under the General Data Protection Regulation, you have the following rights:

  • Right of access (Art. 15) — obtain a copy of your personal data
  • Right to rectification (Art. 16) — correct inaccurate data
  • Right to erasure (Art. 17) — delete your account and all associated data via the app settings
  • Right to restriction of processing (Art. 18) — limit how we use your data
  • Right to data portability (Art. 20) — receive your data in a structured format
  • Right to object (Art. 21) — object to processing based on legitimate interest
  • Right regarding automated decision-making (Art. 22) — Levin's AI provides suggestions only; no decisions with legal or significant effects are made automatically
  • Right to withdraw consent — for voice recordings and push notifications, you may withdraw consent at any time by disabling the respective permissions on your device

To exercise any of these rights, contact us at privacy@getlevin.com. We will respond within 30 days.

9. Account Deletion

You can delete your account at any time from the Settings screen within the app. Account deletion is permanent and immediate. All your data, including thoughts, tasks, topics, AI analysis results, vector embeddings, notification tokens, and account information, will be permanently removed from our database. This action cannot be undone.

10. Data Security

We protect your data using industry-standard security measures including encrypted data transmission (TLS/HTTPS), secure authentication via Clerk, server-side input validation, and access controls. All API endpoints require authentication, and data access is scoped to the authenticated user.

11. Children's Privacy

Levin is not intended for use by anyone under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will promptly delete it.

12. Right to Lodge a Complaint

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the competent supervisory authority. For our company, the responsible authority is the State Commissioner for Data Protection and Freedom of Information of Rhineland-Palatinate (Landesbeauftragter für den Datenschutz und die Informationsfreiheit Rheinland-Pfalz).

13. Changes to This Policy

We may update this privacy policy from time to time. If we make material changes, we will notify you through the app or by email. The “last updated” date at the top indicates when the policy was last revised.

14. Contact

For any questions about this privacy policy or your personal data, contact:

Busch & Busch GbR

Untere Zahlbacher Str. 6a

55131 Mainz, Germany

Email: privacy@getlevin.com