The short version: we treat your data the way we'd want ours treated.
When you create an account, we store your email address, display name, and profile information. As you use Tarina, we store the timeline events, stories, and photos you add. If you sign in with Google, we receive your name and email from your Google account. We don't collect analytics, we don't track you across the web, and we definitely don't sell your data to anyone.
Your data lives in a Supabase PostgreSQL database with row-level security enabled. Only you can access your own data through the app. The database is hosted in the EU (West Europe, Ireland). Photos and media are stored in EU-based object storage. Import files are temporarily stored in Cloudflare R2 with EU jurisdiction during processing and automatically deleted once processing is complete.
We use Supabase for authentication and data storage, Anthropic (Claude) for optional AI-powered story suggestions, Google OAuth for sign-in, and Cloudflare for DNS and temporary import file storage. That's the full list. No ad networks, no tracking pixels, no mysterious third-party SDKs phoning home.
When you use the AI story assist feature, the context of your event (title, date, category) is sent to Anthropic's Claude API to generate a writing suggestion. This is optional and only happens when you explicitly request it. We don't use your data to train AI models.
If you choose to connect your Google Calendar, we request read-only access to your calendar events via the Google Calendar API (calendar.readonly scope). We use this solely to identify significant life events in your calendar history — trips, concerts, and other notable occasions — and suggest adding these as entries on your personal timeline. You review every suggestion and decide what to add, edit, or dismiss. We read event titles, dates, and locations only. We never read event descriptions, attendee lists, or video conference links. Raw calendar data is not retained beyond the processing window. We never create, modify, or delete your calendar events. You can disconnect Google Calendar at any time from your account settings — we will immediately revoke access and delete your stored tokens. We do not share your Google Calendar data with any third parties. Our use of Google Calendar data complies with the Google API Services User Data Policy, including the Limited Use requirements.
If you import a data export from Facebook or Google Takeout, the zip file is uploaded to temporary EU-based storage and processed by our import pipeline to identify life events worth adding to your timeline. The original zip file is deleted immediately after processing. We extract only event-like data (dates, locations, event names) and discard everything else. We do not share imported data with any third parties.
We use essential cookies to keep you logged in and to remember your language preference. No tracking cookies, no cookie banners to click through seventeen times. You're welcome.
You own your data. You can export or delete everything at any time from your account settings. If you want everything wiped, just ask and we'll take care of it within 30 days — no hoops to jump through. If you're in the EU, you also have the right to access, correct, and object to processing of your personal data under GDPR.
We keep your data for as long as your account is active. If you delete your account, your data is permanently deleted within 30 days. Import files are deleted immediately after processing. OAuth tokens for connected services are deleted when you disconnect the integration.
We take reasonable measures to protect your personal data from unauthorised access, loss, or misuse. All data is transmitted over encrypted connections (HTTPS/TLS). Your data is stored in a PostgreSQL database with row-level security enabled — enforced at the database level so data from one account cannot be accessed by another. OAuth tokens for connected services (Google Calendar, Strava, etc.) are encrypted before storage. Import files are stored in temporary encrypted object storage and deleted immediately after processing. Access to production systems is restricted to the developer and protected by SSH key authentication. While no system can guarantee absolute security, we are committed to protecting your data and will notify you promptly in the event of a breach that affects your personal information.
Questions, concerns, or data requests? Reach out at tarina.app@pm.me. We aim to respond within a few business days.
Last updated: March 2026