Verbative

Privacy Policy

Last updated: 2026-07-12 Applies to verbative.de, the Verbative account system, and the Verbative VS Code extension.

This policy explains what personal data Florian Cramer ("we", "us") collects when you use Verbative, why we collect it, the legal bases on which we rely, who we share it with, how long we keep it, and the rights you have under the EU General Data Protection Regulation (GDPR) and the UK GDPR.

1. Who is responsible (data controller)

The controller responsible for your personal data is:

Florian Cramer Cramer Digital Noppiusstraße 16 52062 Aachen Germany Email: info@verbative.de VAT ID (§ 27a UStG): DE369065906

We have not appointed a Data Protection Officer because we are not legally required to do so (Art. 37 GDPR, § 38 BDSG). For any privacy matter, contact us at the address above.

2. The short version

3. Personal data we collect

4. Your voice and prompts (how the extension works)

Verbative drives Anthropic's Claude Code CLI by voice. There are two transcription modes, and you choose:

In both modes, all spoken output is synthesised locally on your device with the bundled Kokoro engine. We do not receive, store, or have any access to your microphone audio, your prompts, or Claude's responses. Your Verbative Shot screenshot images also stay only on your own machine — on the free plan we record only that a capture happened (the same minimal usage record described in section 3: a timestamp, the random device identifier, the event type, and a per-day count), never the image itself.

5. Why we use your data and our legal bases

Under Art. 6(1) GDPR we rely on:

Is providing this data required? Your email address is necessary to create an account and perform the contract; without it we cannot give you an account. Billing data is necessary to take payment. Usage metering is generated automatically as you use the Service and is needed to enforce plan limits. Marketing consent is entirely optional. There is no statutory obligation to provide any of this data, but if you do not, we may be unable to provide the corresponding part of the Service.

6. Cookies, analytics, and local storage

We use only what is strictly necessary. When you sign in on the website, Supabase sets a session cookie. The extension stores your license token and settings locally on your device. We use no advertising cookies and no third-party tracking.

For website analytics we use PostHog in a cookieless, EU-hosted configuration: it sets no cookies and stores no identifiers on your device, collects no personal data, and records only anonymous, aggregated interactions.

We also record a small number of product events on our server (e.g. that a free licence was created, an account signed in, or an account upgraded to Advanced), identified only by an internal account/device ID (never your email, audio, or prompts), carrying no message content; PostHog is asked not to build a personal profile. Because nothing is stored on or read from your device, neither use needs a consent banner under § 25 TDDDG / Art. 5(3) of the ePrivacy Directive; the server-side product events rest on our legitimate interest (Art. 6(1)(f) GDPR). Analytics runs only in production. We honour a "Do Not Track" signal on the website.

7. Who we share data with (processors and recipients)

We never sell your data. We share it only with the providers that operate Verbative on our behalf — most as processors under a data-processing agreement (Stripe acts as our Merchant of Record and independent controller for the purchase, see below) — and only as far as needed:

Anthropic is not our processor. In Cloud transcription mode your prompt travels directly from your machine to Anthropic through your own Claude Code CLI, under your own agreement with Anthropic — we never receive, store, or route it. In Local mode nothing is sent to Anthropic for transcription. We have no data-processing agreement with Anthropic because we share no personal data with it.

We may also disclose data where legally required, or to establish, exercise, or defend legal claims.

8. International data transfers

Some providers above process data on servers outside the EEA (e.g. in the United States). Where that happens, the transfer is protected by an appropriate safeguard under Chapter V GDPR. For transfers to providers in the United States, we rely on the European Commission's EU–US Data Privacy Framework adequacy decision (of 10 July 2023) where the recipient is certified, and otherwise on the Commission's Standard Contractual Clauses together with supplementary measures. You can request a copy of the relevant safeguards at the contact address in section 1.

9. How long we keep your data

When you delete your account, we delete or anonymise your personal data from our live systems without undue delay, except records we are legally obliged to keep, which we restrict from further use until the retention period expires. Copies may briefly persist after deletion — in our own encrypted operational backups until they are overwritten on the rolling 30-day cycle described above, and in the routine resilience/backup layers our processors (for example Supabase and IONOS) operate on their own infrastructure until overwritten in the normal course. If a backup is ever restored, we re-apply outstanding deletions.

10. Your rights

Under the GDPR / UK GDPR you have the right to access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), data portability (Art. 20), to object to processing based on legitimate interests (Art. 21), and to withdraw consent at any time (Art. 7(3)).

Right to object (Art. 21). Where we process your data on the basis of our legitimate interests (section 5), you have the right to object at any time, on grounds relating to your particular situation. If you object, we will stop that processing unless we can demonstrate compelling legitimate grounds that override your interests, rights and freedoms, or the processing serves to establish, exercise or defend legal claims. You may also object at any time, and without giving any reason, to any processing of your data for direct-marketing purposes.

To exercise any of these, email info@verbative.de. We respond within one month, at no charge and with no disadvantage to you.

You also have the right to lodge a complaint with a data-protection supervisory authority, in particular in the EU member state of your residence, place of work, or the place of the alleged infringement. For us, the competent authority is the Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW), Postfach 20 04 44, 40102 Düsseldorf, poststelle@ldi.nrw.de, www.ldi.nrw.de.

11. Automated decision-making

We do not carry out automated decision-making or profiling that produces legal or similarly significant effects on you within the meaning of Art. 22 GDPR. Enforcing the free-tier limits is a simple per-feature daily count used only to allow or block the next action; we do not combine it with other data to evaluate or predict your behaviour, and we do not use it to profile you.

12. Security

We protect your data with appropriate technical and organisational measures: encryption in transit (TLS), access controls and least privilege, passwordless authentication, and payment data handled entirely by PCI-DSS-compliant Stripe. We design Verbative to hold as little personal data as possible in the first place.

13. Children

Verbative is a developer tool and is not intended for minors. We do not knowingly collect personal data from minors. If you believe that personal data of a minor has been provided to us, please contact us so we can take appropriate steps (including deletion where applicable).

14. Changes to this policy

We may update this policy as the product or the law evolves. We will change the "Last updated" date above and, for material changes, give reasonable notice (for example by email or an in-app notice).

15. Contact

Questions about this policy or your data? Email info@verbative.de, or write to us at the postal address in section 1.