Privacy Policy

The apps do not collect any personal data. There is no analytics, no telemetry, no advertising IDs, no crash reporting to our servers, and no fingerprinting. We do not learn who you are, what you do in the app, or which prompts you use.

All your prompts, collections, favorites, settings, and placeholder defaults are stored exclusively on your device:

• iOS / macOS: in the app's local file system (sandbox); optionally in your iCloud Drive if you enable iCloud sync.
• Android: in the app-private storage at /data/data/tech.balane.textdeck/files/textdeck/. Other apps cannot access it.

On Android, you can enable optional cross-device synchronization by picking a folder in your own cloud storage (e.g. Google Drive, Dropbox, OneDrive) via the Android Storage Access Framework (SAF). TextDeck writes a single backup file (textdeck-backup.json) to that folder and reads it back on app launch.

We have no access to this folder. Synchronization happens directly between your devices via your cloud provider, with whom you already have an existing relationship. The respective cloud provider's privacy policy applies to their processing of your data.

To browse and install community prompt packs, the app anonymously contacts raw.githubusercontent.com (operated by GitHub, Inc.) to download JSON files. These requests are not tied to any account, login, or identifier set by us. GitHub may log the request (IP address, user agent, timestamp) according to their own privacy policy — see https://docs.github.com/site-policy/privacy-policies/github-general-privacy-statement.

Legal basis: Art. 6 (1) (b) GDPR (performance of contract — the prompt library is a core function of the app).

The optional AI features (improve a prompt, suggest placeholders) run entirely on your device via Apple’s Foundation Models framework (Apple Intelligence, iOS 26 / macOS 26 and later). Your prompt text is processed locally only. No data is sent to any server of ours (there is none) or to any third-party AI service. There is no bring-your-own-key option and no integration of external AI providers.

On devices without Apple Intelligence the feature is simply unavailable — there is no cloud fallback.

The Android app requests only the INTERNET permission (for prompt library fetches). No other permissions are requested — no access to location, contacts, calendar, microphone, camera, photos, or other app data.

When you use the Export feature, TextDeck creates a JSON file with your data and hands it to the Android/iOS share sheet. You choose which app (email, cloud, messenger, ...) you share the file with. TextDeck does not transmit this file to any third party on its own.

The prompt library is open source and lives at https://github.com/JHBalane/global-prompt-library. You can inspect and verify the library source code.

When visiting this website, the hosting provider automatically stores technical information in server log files:

• IP address of the requesting computer
• Date and time of access
• Name and URL of the retrieved file
• Website from which access is made (referrer URL)
• Browser used and, if applicable, the operating system

The processing is carried out for the technical provision of the website, to ensure system security, and to optimize the internet service.

The processing is based on Art. 6 (1) (f) GDPR (legitimate interest). Our legitimate interest lies in the proper functioning and security of our website.

The data is deleted as soon as it is no longer required for the purpose for which it was collected. This is usually the case after 7 to 30 days.

Vercel operates servers worldwide, including in the USA. Data transfer to the USA is based on the EU-US Data Privacy Framework, for which the European Commission has issued an adequacy decision (Art. 45 GDPR). A data processing agreement pursuant to Art. 28 GDPR has been concluded with Vercel.

Umami only collects anonymous, aggregated usage data such as page views, dwell time, and referrer. Identification of individual visitors is not possible.

Umami is completely cookie-free and GDPR-compliant. No cookies are set and no fingerprinting is performed.

Umami is self-hosted by us on servers of Railway Inc. in the EU. No data is transferred to third parties.

Art. 6 (1) (f) GDPR (legitimate interest). Our legitimate interest lies in the analysis and optimization of our internet service. Since Umami does not collect personal data and does not set cookies, no consent is required.

OpenReplay is operated exclusively by us on servers of Hetzner Online GmbH (Industriestr. 25, 91710 Gunzenhausen, Germany) in a German data center. No data is transferred to third parties or to third countries. A data processing agreement pursuant to Art. 28 GDPR has been concluded with Hetzner.

The ingest endpoint is https://replay.balane.tech/ingest.

During a recorded session we in particular collect:

• Page views, navigation, and referring website (referrer)
• Clicks, scrolling, and mouse movements
• Screen size, browser, operating system, and language
• Console output and JavaScript error messages
• A truncated IP address for approximate geolocation

Form inputs, email addresses, numbers, and dates are masked in the browser before being sent to the server ("Obscured Input Mode"). Password fields are never recorded. A browser "Do Not Track" signal is respected.

• Session recordings are automatically and irrevocably deleted after 30 days.
• Aggregated metrics that cannot be linked back to individual sessions are deleted after 365 days.

OpenReplay stores a session token in your browser's localStorage in order to associate recordings. In addition, we persistently store your consent decision under the key "td-consent-openreplay-v1" in your localStorage so that the banner does not ask you again.

Art. 6 (1) (a) GDPR and § 25 (1) TDDDG (consent). Recording starts only if you have actively chosen "Accept" in the cookie banner.

You can withdraw your consent at any time with effect for the future by clicking "Privacy settings" in the footer and choosing "Decline". The lawfulness of processing carried out before the withdrawal remains unaffected.

Art. 6 (1) (f) GDPR (legitimate interest in responding to your inquiry) or Art. 6 (1) (b) GDPR, if your inquiry is aimed at concluding a contract.

The data is deleted as soon as the processing of your inquiry is completed and no legal retention obligations exist.