Privacy Policy

Last updated: April 28, 2026

This policy describes how Anecdotario (the service) collects, uses, shares, and protects your personal data. It is drafted in compliance with Uruguay's Personal Data Protection Law 18.331, the European Union's General Data Protection Regulation (GDPR), and Brazil's Lei Geral de Proteção de Dados (LGPD), where applicable.

1. Who we are

Anecdotario is operated by Orionis SAS (the "controller"), domiciled in Montevideo, Uruguay. Contact for privacy matters and the exercise of rights: privacy@orionis.consulting.

2. What we collect

  • Account data: email, hashed password, optional display name and avatar.
  • Your content: text anecdotes, audio recordings, photos, people tags, comments, derivative compositions (short stories, screenplays, novels).
  • Usage data: creation/edit timestamps, chapters covered, interview sessions, accumulated score, unlocked achievements.
  • Payment data: the card itself is processed by Lemon Squeezy or Mercado Pago. We only receive payment confirmation, never your card number.
  • Narrative profile: a private summary the system builds from your interviews (people, places, key moments) to personalize questions. Lives in your account only.
  • Technical data: IP address, browser, OS, language. Anonymized in logs.

3. Purposes

  • Operate the service (display your anecdotes, generate questions, produce compositions).
  • Improve question quality via your narrative profile.
  • Process payments and manage subscriptions.
  • Send notifications you opted into (reminders, year recap, etc.).
  • Comply with legal obligations and resolve disputes.
  • Detect and prevent abuse or fraud.

We do not use your data to train general AI models, sell profiles to third parties, or show you third-party advertising.

You can view and erase your narrative memory at any time from Profile → Memory. Erasing sends the system back to the generic question bank until your next session generates new memory.

  • Performance of contract for operating the service: Law 18.331 art. 9(b) / GDPR art. 6(1)(b) / LGPD art. 7(V).
  • Explicit consent for sensitive data. When you upload an anecdote, audio, or photo that may include sensitive data (health, religion, intimate life, sexual or political orientation, voice biometrics), the act of uploading constitutes explicit consent under Law 18.331 art. 18 / GDPR art. 9(2)(a) / LGPD art. 11. You may withdraw at any time by (i) deleting the specific content, (ii) deleting your account, or (iii) emailing privacy@orionis.consulting to pause AI processing without losing the content.
  • Legitimate interest for security, fraud prevention, and non-invasive technical improvement (GDPR art. 6(1)(f)).
  • Legal compliance when required by court order or competent authority.

5. Sub-processors

To operate the service we rely on the following providers:

  • Supabase: database, auth, storage (USA / global).
  • Anthropic: AI model for question generation and draft structuring (USA).
  • OpenAI: Whisper for audio transcription (USA).
  • Vercel: application hosting (global).
  • Lemon Squeezy: international payment processing (USA).
  • Mercado Pago: Uruguay/Latin America payment processing.

Each provider operates under its published data-processing terms. Transcripts and prompts sent to Anthropic and OpenAI through their standard APIs are not used to train their models by default, but may be retained by those providers for up to 30 days for abuse-detection purposes per their current terms. We do not contract Zero Data Retention plans at this time; we are an early-stage startup operating under default provider terms. If a provider changes this policy, we'll notify you before it takes effect.

6. International transfers

Your data may travel outside Uruguay (mainly to the USA via our sub-processors). We apply:

  • TLS 1.2+ in transit and encryption at rest.
  • Data minimization: only data strictly needed for each function is sent.
  • For US transfers, the Standard Contractual Clauses (SCCs) each provider publishes in its DPA or equivalent terms; we avoid sending identifiers together with sensitive content where possible.
  • For Brazil transfers, providers apply equivalent clauses under LGPD art. 33.

By using the service you give informed consent to these transfers. If you don't agree, you can terminate the account at any time.

7. Retention

  • Active account (login within last 10 months): we retain your content indefinitely; it is the heart of the product.
  • Prolonged inactivity: if you don't sign in for 10 months we email you; unless you reactivate within 60 days or ask us to keep the archive, we erase your content at the 12-month mark of inactivity. This honors the storage-minimization principle (GDPR art. 5(1)(e)).
  • If you delete your account: erased within 30 days, except records required by law (e.g., invoices kept for 5 years).
  • Technical logs: 90 days.
  • Backups: up to 30 days after last change.

8. Your rights

Under Law 18.331 and, where applicable, GDPR and LGPD, you may request:

  • Access to your data.
  • Rectification of inaccurate data.
  • Erasure when no legal obligation requires retention.
  • Objection to legitimate-interest processing.
  • Portability of your data in a structured, readable format (JSON or Markdown).
  • Restriction while a dispute is pending.
  • No automated decisions with significant effects. Suggested questions are recommendations you accept or skip, not decisions.

Email privacy@orionis.consulting. We respond within 30 calendar days, extendable up to 60 days for complex cases; we'll let you know before extending. Exercising rights is free of charge (except for manifestly unfounded or excessive requests). If unsatisfied, you may file with the URCDP (gub.uy/unidad-reguladora-control-datos-personales), or with the AEPD or another EU DPA if you live in the EU, or with the ANPD if you live in Brazil.

9. Third parties mentioned in your anecdotes

When you tell an anecdote you may mention other people. You enter that data on your own responsibility. Anecdotes are private by default: only you see them, unless you explicitly share or tag a friend within the app (who will only see what you choose to share).

If someone mentioned contacts us asking to be removed from your anecdotes, we will let you know. Without your involvement we may anonymize or remove a clearly identified mention if the request has legal grounds.

10. Adults only

Anecdotario is intended for people aged 18 or older. By creating an account you represent that you meet this requirement. If you are a parent or guardian and discover a minor in your care created an account, email privacy@orionis.consulting with reasonable proof of the relationship: we'll disable the account and erase associated data within 30 days at no cost to you.

11. Security

  • TLS for all connections.
  • Passwords hashed with bcrypt via Supabase Auth.
  • Per-user isolation in the database (Row Level Security).
  • Audit on error-log access.
  • Encrypted backups.
  • Production access limited to authorized personnel.

No system is 100% secure. If we detect a breach:

  • We notify the relevant authority without undue delay: URCDP (Uruguay, Decree 64/020), AEPD or another EU DPA (GDPR art. 33, within 72 hours), and ANPD (Brazil, LGPD art. 48, within the timeframe defined by the authority).
  • If the breach poses high risk to your rights, we notify you directly with the information the law requires: nature of the breach, data affected, mitigations taken, contact for more info.

12. Cookies

We use only strictly necessary cookies to keep you signed in. We do not use ad-tracking or third-party cookies that profile your browsing outside Anecdotario.

13. Updates

We'll notify you of any change by email and/or in-app with reasonable advance notice. For materially adverse changes (new sub-processors with different scope, changes in legal basis, transfers to new jurisdictions), we ask for your explicit acceptance before they take effect. If you don't accept within 30 days you may terminate the account and export your data. Non-material changes (corrections, clarifications, wording improvements) take effect on notice.

14. Contact

Orionis SAS
Montevideo, Uruguay
Privacy and rights: privacy@orionis.consulting
General inquiries: hola@orionis.consulting

URCDP (control authority in Uruguay): gub.uy/unidad-reguladora-control-datos-personales