Privacy & Security Policy
At Scribeer, privacy is not an afterthought, but the core of our product. We understand that your audio and transcriptions may contain sensitive information. Below you can read how we protect your data within European borders with a "Security-First" approach.
Processing Overview & Legal Bases
Scribeer processes personal data on the following legal bases (Article 6 GDPR):
| Processing Activity | Legal Basis |
|---|---|
| Transcription (Cloud Mode) | Performance of contract (Art. 6(1)(b)) |
| Account & login credentials | Performance of contract (Art. 6(1)(b)) |
| Payment processing | Performance of contract (Art. 6(1)(b)) & legal obligation (Art. 6(1)(c)) |
| Analytics (PostHog) | Consent (Art. 6(1)(a)) |
| Error tracking (Sentry) | Legitimate interest (Art. 6(1)(f)) |
| Email communication | Performance of contract (Art. 6(1)(b)) |
1. Security of Your Transcripts
Your data is yours. We use industry-standard security to guarantee this:
- Encryption: All transcriptions are stored encrypted (AES-256) in a secure database.
- Isolation (RLS): We use Row Level Security (RLS). This means your data is technically isolated at database level; only you have access through your unique account.
Private Mode (Local)
For users of our Private Mode, an even stricter privacy level applies:
- 100% Local: Audio files are processed on your own device via WebGPU. The audio never leaves your browser.
- Local Storage: Transcriptions are stored by default in your browser's local database (IndexedDB). Scribeer has no access to this.
- Optional Sync: Only if you explicitly choose "Save to account" will an encrypted copy be sent to our secure servers.
Accountability: Every form of access to transcriptions is logged and audited in our system to prevent misuse.
2. European Processing & Transfers
Scribeer keeps transcription data in European infrastructure by default.
- EU Endpoints: Your audio files are processed via the European infrastructure of our partners.
- Exception for optional AI Assistant: Only anonymized text may be processed via an external AI provider. Depending on provider configuration, this may be (partly) outside the EEA.
3. Your Privacy: No AI Training
Many AI tools use user data to improve their models. Scribeer does not.
No Training
Scribeer never uses your audio and transcriptions to train its own models.
Inspection
We never look at your transcriptions unless you explicitly share them with us (for example for a support request) or when legally required.
Privacy Gateway AI Assistant (optional)
When using the AI Assistant, we only send anonymized text after review and confirmation. This feature only works when a team configures its own OpenAI API key. For external AI providers, data is not used for model training according to their API policy. When a customer uses their own API key, the policy and configuration of that provider account apply.
4. Retention Periods
We do not retain data longer than necessary:
- Audio Files: Once transcription is complete, the audio file is immediately deleted from our active storage.
- Transcriptions: These are retained for 90 days in your dashboard or until you delete them yourself.
- Permanent Deletion: After deletion by the user, data is permanently removed from all our backups within 30 days.
5. Our Partners (Sub-processors)
For optimal operation, we use the following specialized partners that meet the strictest privacy requirements:
- Supabase: Storage and database (Servers in EU/Frankfurt).
- Deepgram: AI processing via the specific EU cluster.
- Render: Application hosting (Servers in EU).
- Stripe: Secure payment processing.
- PostHog: Analytics and usage statistics (Servers in EU, only with consent).
- Sentry: Error tracking and monitoring (legitimate interest).
- OpenAI (optional, AI Assistant): Only for anonymized text and only when the team enables this feature with its own OpenAI API key. Processing location depends on provider configuration (may be outside the EEA).
- Google (Gmail SMTP): Sending emails such as team invitations and feedback confirmations.
6. Your Rights (GDPR)
- Access, correction and deletion of your data.
- Data portability (you can always export your transcriptions).
- Restriction of processing in certain circumstances.
- Objection to further processing.
7. Cookies & Analytics
Scribeer distinguishes two types of cookies: functional cookies (always active) and analytics cookies (only with your consent).
Functional Cookies (no consent required)
| Cookie | Purpose | Retention |
|---|---|---|
| scribeer_session | Keeps you logged in and securely stores your session data. Essential for operation. | 7 days |
| scribeer_cookie_consent | Remembers your cookie preference. Stored in localStorage. | Permanent |
| scribeer_lang | Remembers your language preference (Dutch or English). | 1 year |
Session Cookie Security
Our session cookie is secured with HttpOnly (not accessible to JavaScript) and SameSite protection (against CSRF attacks), and is only sent via HTTPS in production.
Analytics Cookies (only with consent)
We explicitly ask for consent before activating analytics. You can refuse or change this at any time.
| Service | Purpose | Location |
|---|---|---|
| PostHog | Usage statistics and session replay to improve the app: which features are used and where users get stuck. | EU (GDPR compliant) |
Your Control
On your first visit, we ask for consent via a banner. Decline? Then PostHog is not loaded and no analytics cookies are placed. You can change your choice at any time via the "Cookie settings" link in the footer of every page.
What We DON'T Do
- No Google Analytics, Facebook Pixel or advertising tracking
- No data selling to third parties
- No cross-site tracking
- PostHog respects the "Do Not Track" browser setting
Error Tracking (Sentry)
For detecting and resolving technical errors, we use Sentry. This falls under "legitimate interest" (Article 6(1)(f) GDPR) for ensuring the security and functionality of our service.
- Records technical error information and a pseudonymous user ID (no name or email) to correlate errors per session
- No consent required (no tracking purpose)
- Helps us fix bugs quickly
GDPR Compliant: By asking for explicit consent for analytics and only automatically loading functional cookies, we fully comply with the GDPR and the ePrivacy Directive.
Scribeer is located at Groenplaats 12, Veenendaal, Netherlands, and registered with the Chamber of Commerce under number 99771470.
Have questions about your privacy or want to view a data processing agreement? Contact us at [email protected].