Privacy Policy

1. Data Controller

The data controller responsible for processing your personal data is:

Please replace the placeholders above with your actual company information.

2. Information We Collect

We collect the following categories of personal data:

2.1 Account Information

• Email address (required for account creation)
• Display name (optional)
• Password (stored in encrypted form)
• Account creation date and last login information
• Credit balance and transaction history

2.2 Uploaded Content

• Images of historical documents you upload for transcription
• Upload batch names and metadata
• Processing status and timestamps

2.3 Transcription Results

• Original transcriptions in source languages
• English translations
• Structured data extracted from documents (names, dates, places, relationships)
• Detected languages and processing metadata

2.4 Payment Information

• Credit purchase transactions
• Stripe payment intent and session IDs
• Transaction amounts and timestamps
• Note: We do not store credit card numbers or full payment details. Payment processing is handled securely by Stripe.

2.5 Authentication Data

• If you use Google or Microsoft OAuth, we receive your email address and name from the provider
• OAuth provider identifiers
• Authentication tokens (managed by ASP.NET Identity)

2.6 Usage Data

• Service tier selections
• Processing logs and error information
• Action logs for administrative purposes

3. How We Use Your Information

We process your personal data for the following purposes:

• Service Delivery: To provide transcription, translation, and data extraction services
• Account Management: To create and manage your account, process payments, and maintain credit balances
• Communication: To send service-related notifications and respond to your inquiries
• Service Improvement: To analyze usage patterns and improve our AI models and service quality
• Legal Compliance: To comply with legal obligations and protect our legal rights
• Security: To detect and prevent fraud, abuse, and security threats

4. Legal Basis for Processing

Under GDPR Article 6, we process your personal data based on the following legal grounds:

• Contract Performance (Article 6(1)(b)): Processing necessary to perform our service contract with you
• Legitimate Interests (Article 6(1)(f)): Processing for our legitimate business interests, such as service improvement and security
• Consent (Article 6(1)(a)): Where you have provided explicit consent, such as for optional features
• Legal Obligation (Article 6(1)(c)): Processing required to comply with legal obligations

5. Data Sharing and Third Parties

We share your data with the following third-party service providers:

5.1 Payment Processing

Stripe - We use Stripe to process credit card payments. Stripe receives payment information directly and processes it according to their privacy policy. We only receive transaction confirmations and payment identifiers.

Stripe Privacy Policy: https://stripe.com/privacy

5.2 Authentication Services

Google OAuth / Microsoft OAuth - If you choose to sign in with Google or Microsoft, these providers authenticate you and share your email address and name with us.

Google Privacy Policy: https://policies.google.com/privacy
Microsoft Privacy Policy: https://privacy.microsoft.com/privacystatement

5.3 AI Processing Services

Google Gemini AI - Your uploaded images and transcriptions are sent to Google's Gemini AI service for translation. Google processes this data according to their privacy policy.

Google AI Privacy: https://ai.google.dev/terms

OpenAI - For structured data extraction, your translated text is sent to OpenAI's API. OpenAI processes this data according to their privacy policy.

OpenAI Privacy Policy: https://openai.com/policies/privacy-policy

5.4 Cloud Storage

Your uploaded images and transcription results are stored in secure cloud storage. The specific provider depends on your deployment configuration.

5.5 Other Disclosures

We may disclose your personal data if required by law, court order, or government regulation, or to protect our rights, property, or safety, or that of our users.

6. Data Retention

We retain your personal data for the following periods:

• Account Data: Retained for the duration of your account and up to 3 years after account closure for legal and accounting purposes
• Uploaded Images: Retained until you delete them or close your account, plus up to 90 days for backup purposes
• Transcription Results: Retained until you delete them or close your account, plus up to 90 days for backup purposes
• Payment Records: Retained for 7 years as required by tax and accounting regulations
• Transaction History: Retained for 3 years after the last transaction

You may request deletion of your data at any time, subject to legal retention requirements.

7. Your Rights Under GDPR

As a data subject under GDPR, you have the following rights:

7.1 Right of Access (Article 15)

You have the right to obtain confirmation as to whether we process your personal data and to access that data, along with information about how it is processed.

7.2 Right to Rectification (Article 16)

You have the right to have inaccurate personal data corrected and incomplete data completed.

7.3 Right to Erasure ("Right to be Forgotten") (Article 17)

You have the right to request deletion of your personal data when:

• The data is no longer necessary for the original purpose
• You withdraw consent and there is no other legal basis
• You object to processing and there are no overriding legitimate grounds
• The data has been unlawfully processed

7.4 Right to Restriction of Processing (Article 18)

You have the right to restrict processing of your personal data in certain circumstances, such as when you contest the accuracy of the data.

7.5 Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit it to another controller.

7.6 Right to Object (Article 21)

You have the right to object to processing of your personal data based on legitimate interests or for direct marketing purposes.

7.7 Right to Withdraw Consent (Article 7)

Where processing is based on consent, you have the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before withdrawal.

7.8 Exercising Your Rights

To exercise any of these rights, please contact us at [CONTACT EMAIL]. We will respond to your request within one month (Article 12(3)).

8. Cookies and Tracking Technologies

We use cookies and similar technologies to:

• Authentication: To maintain your login session (ASP.NET Identity cookies)
• Security: To protect against cross-site request forgery (CSRF tokens)
• Preferences: To remember your preferences and settings

We use essential cookies that are necessary for the website to function. These cookies do not require consent under GDPR. We do not use third-party tracking cookies or advertising cookies.

You can control cookies through your browser settings, but disabling essential cookies may affect website functionality.

9. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including:

• Encryption of data in transit using HTTPS/TLS
• Encryption of sensitive data at rest
• Secure password storage using industry-standard hashing algorithms
• Access controls and authentication mechanisms
• Regular security assessments and updates
• Secure cloud storage with access restrictions

While we strive to protect your data, no method of transmission over the internet is 100% secure. We cannot guarantee absolute security but are committed to maintaining high security standards.

10. International Data Transfers

Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA), including:

• United States (for Stripe, Google, Microsoft, OpenAI services)

When we transfer data outside the EEA, we ensure appropriate safeguards are in place, such as:

• Standard Contractual Clauses approved by the European Commission
• Adequacy decisions by the European Commission
• Other appropriate safeguards as required by GDPR Chapter V

Third-party service providers (Stripe, Google, Microsoft, OpenAI) have their own data transfer mechanisms and privacy policies that comply with applicable data protection laws.

11. Children's Privacy

Our service is not intended for individuals under the age of 16. We do not knowingly collect personal data from children under 16. If you believe we have collected data from a child under 16, please contact us immediately, and we will take steps to delete such information.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by:

• Posting the updated policy on this page
• Updating the "Last Updated" date
• Sending an email notification for significant changes (if you have provided an email address)

Your continued use of our service after changes become effective constitutes acceptance of the updated policy.

13. Contact Information

For questions, concerns, or to exercise your rights under GDPR, please contact us:

Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority if you believe our processing of your personal data violates GDPR or LOPDGDD.

As we are based in Spain, our supervisory authority is:

You may also contact your local data protection authority if you are located in another EU member state. Find your local supervisory authority at:

https://edpb.europa.eu/about-edpb/board/members_en