Dialor

Accounts are coming soon.

We’re still building log in and sign up. For now, access is invite-only — request a beta passcode and we’ll send one your way.

Privacy policy

Effective 14 June 2026

This page explains what Dialor stores, what it doesn’t, and how you can ask for your data to be removed. If anything is unclear, email hello@dialor.app and we’ll explain.

The short version

  • We do not store your PDFs, your notes, your highlights, your chats with the AI, or your AI provider API key on our servers. Those live in your browser and in a folder you choose on your own computer.
  • We do keep a small record of who is in the beta: your name, email, the optional role and message you typed when you requested access, the passcode we emailed you, and a counter of how many times you’ve used the app plus the date you last used it.
  • You can ask us to delete everything we have about you at any time by emailing hello@dialor.app. We’ll do it as soon as we see the message — usually within a few days.
  • We never sell, rent, or trade your personal data to anyone. We don’t share it for advertising or marketing. We only pass it to the small set of service providers listed further down, and only the minimum each one needs to do its job.

Who runs Dialor

Dialor is run by Melih Akdağ as an individual project. For anything related to your data — questions, corrections, deletion requests, complaints — email hello@dialor.app.

What stays on your computer

Dialor is designed so most of your reading life never leaves your device:

  • Your PDFs are opened directly from a folder you pick. Dialor never uploads them to us.
  • Your annotations, highlights, and AI chat replies are written as plain files (annotations.jsonl, source.md, figures/) inside that same folder. They’re yours; we don’t read them, copy them, or back them up.
  • Your AI provider API key(Anthropic, OpenAI, Mistral, Google, OpenRouter, Ollama, or any custom endpoint) lives only in your browser’s local storage. We never see it, save it, or log it.
  • Your settings — theme, workspace folder choice, dialectic engagement preference — all live in your browser too.

What we do store on our server

When you ask for beta access and we approve you, we keep one row in a database with these fields:

FieldWhy we keep itLegal basis
NameTo address you in emails and know who you are when you write in.Consent (you typed it into the form)
EmailTo send you the invite passcode and reply to your messages.Consent + necessary to deliver the beta you asked for
Role (optional)Lets us see who’s testing — students, researchers, engineers — so we can prioritise features fairly.Consent
Message (optional)What you wrote in the “Anything you’d like to tell us?” box.Consent
Invite passcodeUnlocks the app for you. We need to compare what you paste against what we issued.Necessary to deliver the service
Status (pending / granted / revoked)So we know whether your access is currently valid.Necessary to deliver the service
Timestamps (requested, granted, revoked, last seen)To run the beta — who’s active, who never came back, who to follow up with.Legitimate interest
API call countA single number that goes up when you use AI features. Lets us see if testers are actually using the tool, and roughly how much.Legitimate interest

That’s everything. The counter is a single integer — we don’t see what you asked, what document you opened, which model you used, or anything you typed inside the app.

What passes through our server but isn't stored

When you use AI features, your request travels through a Dialor server route on its way to the AI provider you chose. That route reads the request body just long enough to forward it, then forgets it. Specifically:

  • Your API key is forwarded to the provider (Anthropic, OpenAI, etc.) and never written to our database or our logs.
  • The page bytes, chat messages, and parsed markdown we forward to the provider are not kept by us after the response is delivered.
  • Server access logs (run by our hosting provider, Vercel) record standard request metadata — paths, IP, timestamp — for security and debugging. These logs are not used for analytics or marketing.

What the AI provider does with the content you send is governed by their privacy policy and your account with them — not Dialor’s. Pick a provider whose practices you’re comfortable with.

Who else sees this data

To run Dialor we use a small set of services. Each one sees a slice of the data:

  • Vercel hosts the website and the API routes. They see request metadata and act as a data processor. Vercel privacy policy.
  • Neon (a Databricks company) hosts the database that holds the beta-user row described above. Databricks privacy notice.
  • Resend sends the confirmation email and the invite passcode email. They see your name and email address. Resend privacy policy.
  • Your chosen AI provider (you decide which one in Settings) sees only the requests you trigger inside the app. Your relationship is directly with them — we just pass the bytes through.

All three operational providers process your data within the European Union: Vercel functions run from Stockholm (Sweden), Neon hosts the database in Frankfurt (Germany), and Resend processes email from Ireland. Your row never leaves the EU on our side.

The AI provider you choose in Settings determines where your prompts and document content go. The options range from EU-based (Mistral, or Ollama running on your own machine) to US-based (Anthropic, OpenAI, Google) to gateways like OpenRouter that route to many providers. Whichever you pick, you’re choosing the legal regime that applies to that content. Dialor doesn’t store any of it.

How long we keep it

We keep your beta-user row for as long as you’re in the beta or until you ask us to delete it. Email hello@dialor.app and we’ll remove your row from the database. Email-system logs at Resend and request logs at Vercel may persist for a short retention window controlled by those providers (typically days to weeks); those are outside our direct control but bound by the contracts above.

Your rights

If you live in the EU, the EEA, or the UK, the GDPR gives you the right to:

  • Access — ask for a copy of what we hold about you.
  • Correction— ask us to fix anything that’s wrong.
  • Deletion — ask us to erase your row entirely.
  • Portability — ask for the data as a JSON file you can take elsewhere.
  • Objection — tell us to stop processing your data on legitimate-interest grounds.
  • Withdraw consent — change your mind about being part of the beta.
  • Complain— to your local supervisory authority if you think we’re mishandling things.

To exercise any of these, email hello@dialor.app from the address registered to your account so we can be sure it’s you. We aim to respond within a few days. For access and portability requests, we’ll send back a JSON file containing every field stored against your row — the same shape used in the table above. For deletion, we’ll remove the row outright and reply to confirm.

What we may do with your row

We act as the controller of the small record described above. Day to day, that means:

  • Access — only the admin reads the row, and only when there is a reason to: reviewing a new request, answering a support email, sending an invite, or running a data-subject request.
  • Update — fields like last_seen_at and api_calls_count are bumped automatically each time you use AI features. status changes when we approve or revoke. Other fields only change if you ask us to correct them.
  • Restrict / revoke — we may revoke your passcode (status set to revoked) if we have a good-faith reason to: abuse of the service, security concerns, or as part of winding down the beta. We’ll tell you by email when we do.
  • Delete— at your request, or if we’re obliged to by law. We may also delete rows for users whose access was revoked long ago and who never came back, once enough time has passed that the record no longer serves a purpose.

No automated decisions

Dialor doesn’t make automated decisions or build profiles about you. A human reviews every beta request before approving or declining, and the usage counter is just a number — nothing else uses it programmatically.

If something goes wrong

If we discover a security incident that exposes your data, we’ll email the people affected without unnecessary delay and, where the law requires it, notify the competent supervisory authority within 72 hours of becoming aware. We’ll tell you what happened, what we know about the impact, and what we’re doing about it.

Security

Connections to the site use HTTPS. The database and email service encrypt data at rest. The passcode we email you is the only thing that unlocks the app — please keep it private; if you think it’s leaked, email us and we’ll revoke it and issue a new one. We never ask for your AI provider API key by email.

Cookies and tracking

Dialor does not use analytics, advertising trackers, or third-party cookies. The site uses one small piece of browser storage to remember your theme choice; that’s it. Public pages may be indexed by search engines (Google, Bing) so people can find Dialor — search indexing is separate from analytics and doesn’t involve tracking individuals.

Children

Dialor is not directed at children under 16. Please don’t sign up if you are.

Changes

If this policy changes meaningfully we’ll email the people in the beta before the change takes effect. Smaller wording fixes will be updated here without notice; the effective date at the top will tell you when.