GDPR & Data Protection

1. Introduction

1.1 About This Document

This GDPR & Data Protection page supplements our Privacy Policy and provides specific information required by the General Data Protection Regulation (GDPR) for users in the European Economic Area (EEA), United Kingdom, and Switzerland.

1.2 Data Controller

For the purposes of data protection legislation:

• Company Name: TranscribeAI
• Operating Website: audiototext.site
• Contact Email: privacy@audiototext.site
• DPO Contact: dpo@audiototext.site

1.3 Scope

This document applies to all personal data we collect and process about:

• Registered users of our service
• Website visitors
• Newsletter subscribers
• Business contacts and partners
• Team members within collaborative accounts

2. Legal Basis for Processing

2.1 Contract Performance

We process your personal data to fulfill our contractual obligations when you:

• Create an account and use our transcription services
• Subscribe to a paid plan
• Use team collaboration features
• Access your transcription history and saved files

Legal Basis: Article 6(1)(b) GDPR - Processing necessary for contract performance

2.2 Consent

We process your data based on your consent for:

• Marketing communications and newsletters
• Non-essential cookies and analytics
• User research and feedback surveys
• Beta feature testing and early access programs

Legal Basis: Article 6(1)(a) GDPR - Consent. You may withdraw consent at any time.

2.3 Legitimate Interests

We process certain data based on our legitimate business interests:

• Fraud prevention and security monitoring
• Service improvement and quality assurance
• Network and information security
• Anonymous usage analytics
• Business development and research

Legal Basis: Article 6(1)(f) GDPR - Legitimate interests. We balance our interests against your rights and freedoms.

2.4 Legal Obligations

We process personal data to comply with legal requirements:

• Tax and accounting records
• Response to lawful requests from authorities
• Compliance with payment processing regulations
• Data breach notifications to authorities

Legal Basis: Article 6(1)(c) GDPR - Legal obligation

3. Personal Data We Collect

3.1 Account Information

• Email address (required for account creation)
• Name (optional)
• Password (encrypted)
• Profile information (optional)
• Account preferences and settings

3.2 Service Usage Data

• Audio files you upload for transcription
• Transcription outputs and edits
• Custom vocabulary and speaker labels
• Export preferences and formats
• Team collaboration activities

3.3 Payment Information

• Billing name and address
• Payment method details (processed by Stripe - we do not store card numbers)
• Transaction history
• Invoices and receipts

3.4 Technical Data

• IP address
• Browser type and version
• Device information
• Operating system
• Cookies and similar technologies
• Access logs and timestamps

3.5 Communications

• Support ticket content and correspondence
• Feedback and survey responses
• Contact form submissions
• Email communications with our team

4. Your GDPR Rights

4.1 Right of Access (Article 15)

You have the right to:

• Obtain confirmation that we process your personal data
• Access your personal data
• Receive information about how we process your data

How to exercise: Log into your account to access most of your data, or email privacy@audiototext.site for a complete copy.

4.2 Right to Rectification (Article 16)

You have the right to:

• Correct inaccurate personal data
• Complete incomplete personal data

How to exercise: Update your information in account settings or contact us at privacy@audiototext.site.

4.3 Right to Erasure / "Right to be Forgotten" (Article 17)

You have the right to request deletion of your personal data when:

• The data is no longer necessary for the purposes collected
• You withdraw consent and no other legal basis exists
• You object to processing and no overriding legitimate grounds exist
• The data has been unlawfully processed
• Deletion is required for legal compliance

How to exercise: Delete your account in settings or email privacy@audiototext.site. We will delete your data within 30 days, except where retention is required by law.

4.4 Right to Restriction of Processing (Article 18)

You have the right to restrict processing when:

• You contest the accuracy of the data
• Processing is unlawful but you oppose erasure
• We no longer need the data but you need it for legal claims
• You have objected to processing pending verification

How to exercise: Email privacy@audiototext.site with your request.

4.5 Right to Data Portability (Article 20)

You have the right to:

• Receive your personal data in a structured, machine-readable format
• Transmit this data to another controller

How to exercise: Request a data export at privacy@audiototext.site. We will provide your data in JSON format within 30 days.

4.6 Right to Object (Article 21)

You have the right to object to:

• Processing based on legitimate interests
• Direct marketing (including profiling)
• Processing for scientific, historical research, or statistical purposes

How to exercise: Click unsubscribe in marketing emails or email privacy@audiototext.site.

4.7 Right Not to Be Subject to Automated Decision-Making (Article 22)

You have the right not to be subject to decisions based solely on automated processing with legal or significant effects. We do not currently use automated decision-making that produces legal or similarly significant effects.

4.8 Right to Withdraw Consent

Where processing is based on consent, you may withdraw consent at any time. This does not affect the lawfulness of processing before withdrawal.

How to exercise: Adjust preferences in account settings or click unsubscribe in emails.

5. Data Processing Activities

5.1 Purpose of Processing

We process personal data for the following purposes:

• Service Delivery: Provide transcription services, manage accounts, process payments
• Communication: Send service updates, respond to inquiries, provide support
• Improvement: Analyze usage, develop features, enhance user experience
• Security: Prevent fraud, protect against threats, ensure platform security
• Compliance: Meet legal obligations, resolve disputes, enforce agreements
• Marketing: Send promotional communications (with consent)

5.2 Data Retention

We retain personal data only as long as necessary:

• Account Data: Until account deletion + 30 days
• Audio Files: Until deleted by user or account closure
• Transcriptions: Until deleted by user or account closure
• Payment Records: 7 years (tax and accounting requirements)
• Support Tickets: 3 years
• Marketing Consent: Until withdrawal or 2 years of inactivity
• Access Logs: 90 days

5.3 Automated Processing

We use automated processing for:

• AI Transcription: Audio files are automatically processed by AssemblyAI's AI models
• Fraud Detection: Automated systems flag suspicious activities
• Usage Analytics: Automated analysis of aggregated, anonymized data

None of these automated processes make decisions with legal or similarly significant effects without human review.

6. Data Sharing and Transfers

6.1 Third-Party Service Providers

We share personal data with trusted service providers who process data on our behalf:

• AssemblyAI: AI transcription processing (USA - Standard Contractual Clauses)
• Stripe: Payment processing (USA - Privacy Shield successor framework)
• Vercel: Application hosting (USA - Standard Contractual Clauses)
• Supabase: Database services (EU and USA regions available)
• Resend: Transactional emails (USA - Standard Contractual Clauses)

All service providers are bound by Data Processing Agreements (DPAs) and must comply with GDPR.

6.2 International Data Transfers

Some of our service providers are located outside the EEA. We ensure appropriate safeguards:

• Standard Contractual Clauses (SCCs): EU-approved contractual terms
• Adequacy Decisions: Transfers to countries deemed adequate by the EU Commission
• Additional Safeguards: Encryption, access controls, audit rights

For EU customers on Enterprise plans, we offer EU-only data processing (no transfers outside EEA).

6.3 Data Processing Agreement (DPA)

Enterprise customers can request a Data Processing Agreement that includes:

• Detailed processing terms and conditions
• Standard Contractual Clauses for international transfers
• Security measures and audit rights
• Sub-processor list and notification procedures
• Data breach notification terms

Contact legal@audiototext.site to request a DPA.

6.4 No Data Sales

We do not sell, rent, or trade your personal data to third parties for their marketing purposes.

7. Data Security Measures

7.1 Technical Measures

• TLS 1.3 encryption for data in transit
• AES-256 encryption for data at rest
• Encrypted database connections
• Regular security assessments and penetration testing
• Automated vulnerability scanning

7.2 Organizational Measures

• Role-based access controls
• Staff training on data protection
• Confidentiality agreements for all employees
• Incident response procedures
• Regular policy reviews and updates

7.3 Data Breach Response

In the event of a personal data breach:

• We will notify the relevant supervisory authority within 72 hours
• Affected individuals will be informed without undue delay if there is a high risk to rights and freedoms
• We will document all breaches and our response measures
• We will take immediate steps to contain and mitigate the breach

For more details, see our Security page.

8. Special Categories of Data

8.1 Sensitive Personal Data

We do not intentionally collect special categories of personal data (Article 9 GDPR) such as:

• Racial or ethnic origin
• Political opinions
• Religious or philosophical beliefs
• Trade union membership
• Genetic or biometric data (for identification purposes)
• Health data
• Sex life or sexual orientation

8.2 Audio Content

However, audio files you upload may contain sensitive information. You are responsible for:

• Obtaining necessary consents before uploading audio containing personal data
• Ensuring compliance with applicable laws for your audio content
• Understanding the sensitivity of data in your uploads
• Using appropriate security measures (such as our Enterprise plan for HIPAA compliance)

8.3 Children's Data

Our service is not directed to children under 16. We do not knowingly collect personal data from children. If we discover we have collected data from a child under 16, we will delete it promptly.

9. Cookies and Tracking

9.1 Cookie Types

We use the following types of cookies:

• Strictly Necessary: Essential for service operation (no consent required)
• Functional: Remember your preferences and settings
• Analytics: Help us understand usage and improve our service
• Marketing: Track campaign effectiveness (with consent)

9.2 Cookie Management

You can manage cookie preferences:

• Through our cookie consent banner on first visit
• In your account settings
• Through your browser settings

Note: Disabling certain cookies may affect service functionality.

9.3 Analytics

We use privacy-focused analytics that:

• Anonymize IP addresses
• Do not track across websites
• Respect Do Not Track (DNT) signals
• Aggregate data to prevent individual identification

10. Data Protection Officer

10.1 Contact DPO

You can contact our Data Protection Officer for:

• Questions about data processing
• Exercising your GDPR rights
• Privacy concerns or complaints
• Data protection advice

Email: dpo@audiototext.site
Response Time: We aim to respond within 5 business days and resolve requests within 30 days.

10.2 Supervisory Authority

You have the right to lodge a complaint with a supervisory authority, particularly in the EU member state of:

• Your habitual residence
• Your place of work
• The place of the alleged infringement

Find your local supervisory authority: EDPB Member List

11. Privacy by Design and Default

11.1 Privacy by Design

We implement data protection principles in our service design:

• Minimal data collection by default
• Privacy-friendly default settings
• Encryption and pseudonymization where possible
• Regular privacy impact assessments
• Privacy considerations in feature development

11.2 Data Minimization

• We collect only data necessary for specified purposes
• Optional fields are clearly marked
• Users can use the service with minimal personal information
• Automatic deletion of temporary processing files

11.3 Transparency

• Clear, plain-language privacy information
• Granular consent options where applicable
• Accessible privacy controls in account settings
• Regular updates on data processing activities

12. Third-Party Links

Our service may contain links to third-party websites. We are not responsible for the privacy practices of these websites. We encourage you to read their privacy policies before providing any personal data.

13. Changes to This Policy

We may update this GDPR & Data Protection page to reflect:

• Changes in data protection laws
• Changes to our data processing activities
• Guidance from supervisory authorities
• Feedback from data protection impact assessments

Material changes will be communicated via:

• Email notification to registered users
• Prominent notice on our website
• In-app notification

The "Last Updated" date at the top of this page indicates when changes were made.

14. How to Exercise Your Rights

14.1 Request Process

To exercise any of your GDPR rights:

1. Send an email to privacy@audiototext.site with your request
2. Include your account email and specify which right you wish to exercise
3. We may request additional information to verify your identity
4. We will acknowledge your request within 5 business days
5. We will fulfill your request within 30 days (or explain any delay)

14.2 No Fee

We do not charge a fee for exercising your rights unless:

• Your request is clearly unfounded or excessive
• You request multiple copies of the same information

14.3 Response Timeline

• Acknowledgment: Within 5 business days
• Fulfillment: Within 30 days of request
• Extension: Up to 60 additional days for complex requests (we will explain why)

15. Contact Information

15.1 Privacy Inquiries

• General Privacy Questions: privacy@audiototext.site
• Data Protection Officer: dpo@audiototext.site
• Legal/DPA Requests: legal@audiototext.site
• Security Concerns: security@audiototext.site

15.2 General Contact

For non-privacy inquiries, visit our Contact page.