Privacy Policy
gist. is a tool that reads your screen to help you act faster. We take privacy seriously, especially because your screen can contain sensitive information. This policy explains exactly what we collect, what we don't, and why.
Overview
gist. ("we", "our", "us") is a macOS application that uses artificial intelligence to analyze content visible on your screen and provide contextual, actionable responses. This Privacy Policy describes how we handle information in connection with your use of the gist. application and the website at gistapp.net.
By downloading or using gist., you agree to the practices described in this policy. If you do not agree, please do not use the app.
This policy applies to:
- The gist. macOS application
- The gistapp.net website
- All related backend services operated by gist.
What we collect
We collect the minimum information necessary to operate the service. Here is a complete breakdown:
| Data type | What exactly | Stored? | Purpose |
|---|---|---|---|
| Account identity | Name and email from Apple Sign In | Yes | Authentication, account management |
| Usage count | Number of captures performed | Yes | Free tier enforcement, fair use limits |
| Subscription status | Free or paid, billing dates | Yes | Access control, billing |
| Screen captures | Image data of selected screen region | No | AI analysis only, never persisted |
| AI responses | Text returned by AI providers | No | Displayed to you, never stored |
| App preferences | Theme, language, shortcut settings | Locally | Stored on your device only |
| Error logs | Anonymized crash and error reports | Limited | App stability, bug fixes |
| IP address | Derived from network requests | Transient | Rate limiting, abuse prevention, not logged |
Screen content, the most important section
Because gist. reads your screen, this deserves the most transparency. Here is exactly what happens when you press ⌘⇧Space and make a selection:
- You drag to select a region of your screen. Only that region is captured, not your full display.
- The selected image is sent over an encrypted HTTPS connection to our backend server running on Google Cloud Run.
- Our backend passes the image to an AI provider (see Section 5) for analysis.
- The AI provider returns a text response. That response is sent back to your device and displayed in the HUD.
- The image and the response are both discarded immediately after the request completes. They are never written to a database, object store, or log file on our infrastructure.
What this means in practice
gist. is designed to be used on anything visible on your screen: emails, contracts, financial data, code, personal messages. The ephemerality of screen content is intentional and fundamental to the product. We deliberately chose not to build a history feature in V1 precisely because storing screen captures would create significant privacy obligations.
We strongly recommend not using gist. to capture content that should never leave your device, such as passwords, private keys, or highly classified material, not because we store it, but because it must transit our servers and AI provider infrastructure to be analyzed.
How we use your data
We use the limited data we do collect exclusively to operate the service:
- Account data (name, email) is used to authenticate you via Apple Sign In, manage your account, and send you transactional emails if necessary (e.g. subscription receipts).
- Usage count is used to enforce the 20-capture free tier limit and to calculate daily usage against our fair-use rate limits. It is not used for profiling or behavioral targeting.
- Subscription data is used to grant or revoke access to unlimited captures and to process your subscription through the App Store.
- Error logs are used exclusively to diagnose and fix bugs. They contain no screen content, no personal data beyond an anonymous session identifier, and are retained for no more than 30 days.
What we do not do with your data
- We do not use your data to train AI models.
- We do not sell or license your data to any third party.
- We do not use your data for advertising purposes.
- We do not build profiles of your behavior or interests.
- We do not share your data with other users.
Third-party providers
gist. relies on several third-party services to function. Each receives only the minimum data required for its specific role. For AI processing, we use a small set of approved providers and route each request through our internal decision system based on service conditions (for example, availability and performance). Here is a complete list:
[Provider table not preserved. Surviving cell fragments: "+ text context" (four rows), "+ usage count", "(transient only)", "(anonymized)", "+ payment".]
We have data processing agreements in place with all providers who process personal data on our behalf. We select providers who maintain strong privacy practices for API customers.
Data retention
We retain data only as long as necessary for the purpose it was collected:
| Data | Retention period | Reason |
|---|---|---|
| Account data (name, email) | Until account deletion | Required for authentication |
| Usage count | Until account deletion | Required for free tier enforcement |
| Subscription status | Duration of subscription + 1 year | Billing records, dispute resolution |
| Screen captures | Not retained, discarded immediately | N/A |
| AI responses | Not retained, discarded immediately | N/A |
| Error logs | 30 days | Bug diagnosis only |
| App preferences | Stored on-device, deleted when app is deleted | User configuration |
When you delete your account, all account data is permanently removed from our systems within 30 days. Anonymized, aggregated usage statistics (containing no personal identifiers) may be retained indefinitely for product analytics.
Security
We implement appropriate technical and organizational measures to protect your data. Specific measures include:
- All data in transit is encrypted using TLS 1.2 or higher. Screen captures travel from your device to our backend to AI providers exclusively over encrypted connections.
- Firebase Authentication handles credential management; we never see or store your password or Apple ID credentials.
- Our backend infrastructure runs on Google Cloud with standard security controls including VPC isolation, IAM access policies, and audit logging.
- Daily token limits (500,000 tokens per day) act as a secondary security control against account abuse, even if credentials are compromised.
- Access to production systems and user data is restricted to essential personnel only.
No system is perfectly secure. If you discover a security vulnerability in gist., please report it responsibly to security@gistapp.net before public disclosure.
Your rights
Depending on your location, you may have certain rights with respect to your personal data. We honor these rights for all users regardless of jurisdiction:
- Access. You can request a copy of the personal data we hold about you (name, email, usage count, subscription status).
- Correction. You can update your account information at any time through the app's Account settings.
- Deletion. You can delete your account at any time through Settings → Account → Delete account. All your data will be permanently removed within 30 days.
- Portability. You can request an export of your account data in a machine-readable format by emailing us.
- Objection. You can object to certain processing activities. Given the limited nature of our data collection, there is little to object to, but contact us if you have concerns.
- Restriction. You can request that we restrict processing of your data in certain circumstances.
- Complaint. If you are in the EU or UK, you have the right to lodge a complaint with your local data protection authority.
GDPR (EU/EEA users)
For users in the European Union or European Economic Area, gist. acts as a data controller for account and usage data. Our legal basis for processing is contract performance (to provide the service you signed up for) and legitimate interests (rate limiting and abuse prevention). We do not rely on consent as a basis for core service functionality.
CCPA (California users)
California residents have additional rights under the California Consumer Privacy Act. We do not sell personal information as defined by CCPA. You may submit a request to know, delete, or opt out using the contact details in Section 11.
KVKK (Turkish users)
For users in Türkiye, your personal data is processed under the Personal Data Protection Law No. 6698 (KVKK). To exercise your rights to access, correct, delete, or object to the processing of your data, you can contact us at the address below.
Children
gist. is not directed at children under the age of 13 (or 16 in the EU). We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will delete it promptly.
Policy changes
We may update this Privacy Policy from time to time. When we do, we will:
- Update the "Last updated" date at the top of this page.
- For material changes, notify you via in-app notification or email at least 14 days before the change takes effect.
- For minor clarifications, simply update this page without individual notice.
Continued use of gist. after a policy change constitutes acceptance of the updated terms. If you disagree with a material change, you may delete your account before it takes effect.
Previous versions of this policy are available on request by emailing privacy@gistapp.net.
Contact
If you have any questions about this Privacy Policy, want to exercise your data rights, or have a privacy concern, please reach out:
For general support, use hello@gistapp.net. For security vulnerability reports, use security@gistapp.net.