Skip to content
Legal

Privacy policy.

What we collect, why we collect it, what we do with it, and the rights you have over it.

Last updated 3 May 2026.

Contents
  1. Who we are
  2. Personal data we process
  3. Why we process it
  4. Your audio and transcripts
  5. Sub-processors
  6. International transfers
  7. Retention
  8. Your rights
  9. Cookies
  10. Security
  11. Children
  12. Changes to this policy
  13. Contact and complaints

1. Who we are

The data controller for the personal data processed through CleanScribe is:

Data controller
PRIVESC.EU WEB SRL
14 Alexandru Lapusneanu Street, Sector 1
Bucharest, postal code 012867, Romania

Tax ID (CUI): 28132460
Trade Register: J2011/002562407
EUID: ROONRC.J2011/002562407
Incorporated: 4 March 2011

Email (general, privacy, and data-protection enquiries):
support@cleanscribe.ai

This policy explains how we process your personal data when you use the CleanScribe service. It is written to comply with Regulation (EU) 2016/679 (the General Data Protection Regulation, “GDPR”) and Romanian Law 190/2018.

2. Personal data we process

We process the following categories of personal data:

  • Account data — your email address, hashed password, display name, account creation date, and a unique account identifier.
  • Billing data — your subscription tier, billing history, and the customer identifier issued by Stripe. We do not store your card number or full payment details; Stripe handles those directly.
  • Usage data — the transcriptions you create, their titles, durations, statuses, the model used, and minutes consumed against your monthly quota.
  • Audio and transcripts — the audio or video files you upload and the transcripts we generate. See section 4 for how we treat them.
  • Audit data — the action you took, the resource it targeted, the IP address you connected from, your user-agent string, a correlation identifier, and the timestamp. Used for security and abuse investigation.
  • Support data — emails you send us and our replies.

3. Why we process it

We process your personal data on the following legal bases (GDPR Art. 6):

  • To perform our contract with you (Art. 6(1)(b)): create and maintain your account, process and store your audio and transcripts, enforce your monthly quota, take payment, and respond to your support enquiries.
  • To comply with legal obligations (Art. 6(1)(c)): keep accounting records as required by Romanian law, respond to lawful requests from authorities, and record consent or contractual choices.
  • For our legitimate interests (Art. 6(1)(f)): keep the service secure (audit logs, abuse detection), prevent fraud and account takeover, improve the service through aggregate, non-identifying analytics, and recover overdue invoices. Where we rely on legitimate interest, we have considered the impact on your rights and concluded that the processing is proportionate. You can object at any time using the contact details in section 13.
  • With your consent (Art. 6(1)(a)): for any optional processing that requires it (currently, none — we do not send marketing emails, place tracking cookies, or share data with advertisers).

4. Your audio and transcripts

Your audio, video, and transcripts belong to you. We process them only to deliver the service you asked for: transcribing the audio and giving you back a navigable transcript.

Specifically:

  • We do not use your content to train models — ours or anyone else’s.
  • We do not sell your content.
  • We do not share your content with anyone other than the sub-processors listed in section 5, and only as strictly necessary to deliver the service.
  • You can delete a transcription from your dashboard at any time. Deletion removes the audio file from object storage, the transcript from the database, and the associated timestamp anchors. Audit-log entries about your account are retained per section 7.

Audio you upload may contain personal data of third parties (your interview subjects, meeting participants, and so on). You are the controller of that personal data; we are a processor. By uploading it, you confirm that you have a lawful basis to do so. If you are processing audio of EU residents under GDPR, please ask us for our standard data processing addendum.

5. Sub-processors

We use a small number of trusted third parties to deliver the service. Each is a separate data processor, bound by a written agreement that meets GDPR Art. 28 requirements.

  • Hetzner Online GmbH (Germany) — virtual server hosting and S3-compatible object storage. Stores account databases and audio/transcript files. Region: Falkenstein, Germany (EU).
  • Google LLC / Google Ireland Limited — automated transcription via Google’s hosted AI services. Audio chunks are sent to Google’s Files API, transcribed, and deleted from Google’s storage on completion. Per Google’s API terms, the audio is not used to train Google’s models.
  • Stripe Inc. (United States) and Stripe Payments Europe Limited (Ireland) — payment processing for subscriptions. Stripe is the controller of card data; we receive only customer identifiers, subscription state, and invoices.

We will update this list when we add or change a sub-processor and let signed-in users know via email or an in-app notice in advance, where practicable.

6. International transfers

Most of your personal data stays in the European Economic Area, on Hetzner infrastructure in Germany. When data is transferred outside the EEA — for example, when audio is sent to Google for transcription, or when payment metadata is processed by Stripe in the United States — we rely on appropriate safeguards under GDPR Chapter V, including the European Commission’s Standard Contractual Clauses and, where available, an adequacy decision (currently in force for transfers to certified recipients in the United States under the EU-US Data Privacy Framework).

You can request a copy of the safeguards that apply to your data by emailing support@cleanscribe.ai.

7. Retention

We keep your personal data only as long as we need it for the purposes described above:

  • Account data — for the life of your account, plus thirty days after deletion to allow recovery from accidental deletion.
  • Audio and transcripts — until you delete them, or up to ninety days after account closure, whichever comes first.
  • Billing records — for ten years from the date of issue, as required by Romanian accounting law.
  • Audit logs — five hundred and forty-eight days (approximately eighteen months), then automatically deleted.
  • Support correspondence — three years after the last message, for warranty and dispute purposes.

8. Your rights

Under the GDPR, you have the right to:

  • Access — ask for a copy of the personal data we hold about you (Art. 15).
  • Rectification — ask us to correct inaccurate or incomplete data (Art. 16).
  • Erasure — ask us to delete your data (Art. 17), subject to retention obligations.
  • Restriction — ask us to limit how we process your data while a question is resolved (Art. 18).
  • Portability — receive your data in a structured, commonly used, machine-readable format (Art. 20).
  • Object — to processing based on legitimate interests (Art. 21).
  • Withdraw consent — where we rely on it (Art. 7(3)).
  • Lodge a complaint — with a supervisory authority (Art. 77). See section 13.

To exercise any of these rights, email support@cleanscribe.ai. We’ll respond within thirty days. We may need to verify your identity first.

9. Cookies

We use a minimal set of cookies, all strictly necessary to operate the service. We do not place advertising cookies, analytics cookies, or any third-party tracking cookies.

  • Authentication cookie — keeps you signed in. Set when you log in. Removed when you sign out.
  • Antiforgery cookie — protects forms against cross-site request forgery. Required for the service to function.
  • Session cookie — short-lived, used to remember temporary state during navigation.

Because all of our cookies are strictly necessary, we don’t show a cookie banner or ask for consent for them under EU ePrivacy law.

10. Security

We protect your data with measures appropriate to the risks involved, including:

  • encryption of data in transit (HTTPS with HSTS);
  • password hashing using current industry-standard algorithms;
  • least-privilege access controls within the engineering team, with all access logged;
  • strict-SameSite session cookies and antiforgery tokens on every form;
  • rate-limiting on authentication endpoints to deter credential stuffing;
  • tenant isolation enforced at the database query and storage path level;
  • persistent audit logging of every privileged action.

If we ever discover a personal-data breach affecting you, we will notify the Romanian supervisory authority within seventy-two hours where required, and notify you directly without undue delay where the breach is likely to result in a high risk to your rights.

11. Children

The service is not directed at children under sixteen, and we do not knowingly collect personal data from anyone under sixteen. If you believe a child has created an account, write to support@cleanscribe.ai and we’ll close it.

12. Changes to this policy

We may update this policy from time to time. If we make a material change we’ll let signed-in users know via email or an in-app notice at least fourteen days before the change takes effect. The “last updated” date at the top of the policy reflects the most recent revision.

13. Contact and complaints

Questions, requests, or concerns about how we handle your personal data: write to support@cleanscribe.ai. The full registered details of the data controller are listed in section 1.

You also have the right to lodge a complaint with the Romanian data protection authority:

Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP)
B-dul G-ral. Gheorghe Magheru 28–30, Sector 1, București
www.dataprotection.ro

If you live in another EU/EEA country, you may instead contact the supervisory authority of your habitual residence, place of work, or place of the alleged infringement.