Privacy Policy
Effective July 11, 2026
This policy explains what data Samong ("Samong", "we") collects, how we use it, and the rights you have over it. Samong is the data controller for the personal data described here; you can reach us at [email protected]. Our approach is simple: we collect only what we need to run the service, we never sell your data, and we make it easy for you to take your data with you.
1.Data we collect
We collect four kinds of data:
- Account data — the email address you sign up with and a securely hashed password, or, if you use Google sign-in, the email address of your Google account. We use your email to identify your account and send essential service messages.
- Content you create — the cards, notes, whiteboards, and PDFs you store in Samong. This is yours; we store it so the service can show it back to you and your invited collaborators.
- Usage & billing data — basic technical logs needed to operate and secure the service; billing records (plan, status, and Stripe customer reference); and AI usage records (which feature you used, when, the document and page range involved, and token counts for billing) — these records never contain the text you submit. We do not store full payment card numbers.
- Support & feedback data — bug reports and feedback you send from inside the app, including any screenshots you choose to attach.
2.How we use it
We use your data only to:
- Provide, sync, and back up the service for you.
- Authenticate you and keep your workspace secure and isolated.
- Process payments and manage your subscription.
- Send essential service and account emails (and product updates you can opt out of).
- Diagnose problems and improve reliability.
- Prevent abuse, spam, and automated bot signups.
We do not sell your data, and we do not use it for advertising.
3.Subprocessors
We rely on a small set of trusted providers to run Samong. Each processes data only as needed to deliver its part of the service:
- Stripe — payment processing for paid plans, including card subscriptions and PromptPay payments.
- Resend — sending transactional and account emails.
- Cloudflare — DNS and network security in front of samong.app, bot protection at sign-in (Turnstile), email routing, privacy-friendly web analytics (aggregate traffic measurement, no cookies and no cross-site tracking), and object storage (Cloudflare R2) for the files you upload — PDFs, images, and other media — and for database backups.
- Hetzner — application hosting and database servers, located in the European Union (Germany and Finland).
- Google — the Gemini API for the optional AI features (only the text you submit, and only when you use one), and Google sign-in if you choose to log in with your Google account.
- Sentry — error and crash reporting so we can find and fix problems, configured to minimise personal data (no session replay, and identifying details are stripped where possible).
4.AI features
Samong’s AI features are optional. When you use one, the text you select is sent to Google’s Gemini API to generate the result — a mindmap, a summary, a chat reply, or a translation — which is then returned to you and saved in your workspace like any other content. This happens only when you actively invoke an AI feature; we never send your content to the AI provider in the background.
We keep a record of each AI action — which feature, when, which document and pages, and token counts — for billing and abuse prevention. These records do not contain the text you submitted or the output you received.
We do not use your content to train models, and we do not use AI features to profile you or for advertising. Google processes the text you submit under its own API terms — see Google’s privacy policy for how it handles that data. Because this provider runs on Google’s infrastructure, the relevant content may be processed outside your country, including in the United States.
5.Cookies
Samong uses cookies only for session authentication — to keep you logged in and to let header-less browser loads (such as PDF previews and images) authenticate securely. Sign-in pages also use Cloudflare Turnstile to block bots; it runs its check without tracking you across sites. We do not use advertising or cross-site tracking cookies.
6.Where your data lives
Our application servers and database run on Hetzner in the European Union (Germany and Finland). Files you upload are stored in Cloudflare R2, with primary storage in the Asia-Pacific region, and may be cached on Cloudflare’s global network so they load quickly wherever you are. Some providers we rely on — Stripe, Resend, Sentry, and Google — process data in the United States and other countries. Wherever your data is processed, it is protected by this policy and by our agreements with each provider, which include standard contractual protections for international transfers.
7.Data retention
We keep your account and content for as long as your account is active. When you delete your account, we remove your content from our active systems, and residual copies age out of our routine backups within about 30 days. We may retain limited records where required by law — such as billing records for tax and accounting — along with the minimal AI-usage and abuse-prevention records described above.
8.Your rights
Under Thailand’s Personal Data Protection Act (PDPA), the EU General Data Protection Regulation (GDPR), and similar privacy laws where you live, you have rights over your personal data. We support these directly in the product wherever we can:
- Access — see the personal data we hold about you.
- Export — download your content yourself, anytime, from your settings (notes as markdown, whiteboards as PNG/SVG/PDF).
- Correction — update inaccurate account information.
- Deletion — delete your account and content yourself from your settings.
To exercise any right we do not yet offer as a self-service option, or to ask a question, email [email protected]. You also have the right to lodge a complaint with your local data protection authority.
9.Children
Samong is not directed at children under 13, and we do not knowingly collect personal data from them. If you believe a child under 13 — or under the minimum age set by the law of your country — is using Samong, contact us at [email protected] and we will delete the account.
10.Changes to this policy
We may update this policy as Samong grows or as the law changes. If we make material changes, we will notify you by email or in the app. Questions about your privacy? Email [email protected].