Privacy Policy

The data controller responsible for the processing of your personal data is Roas Labs SpA, operator of Transcapt ("we", "us"). You can reach our privacy team at [email protected].

This policy describes how we process personal data in accordance with the EU General Data Protection Regulation 2016/679 ("GDPR") and other applicable data-protection laws.

We collect only the data necessary to operate the service:

• Account data: email address, hashed password (or OAuth identifier), display name.
• Content data: audio and video files you upload, generated transcripts, and export files (TXT, SRT, DOCX, PDF).
• Payment metadata: order identifier, pack purchased, amount, currency, timestamp. We do not store full card numbers; card data is handled by our payment providers.
• Technical data: IP address, browser user-agent, locale, device type, approximate geolocation (country-level), timestamps of requests.
• Cookies and similar technologies: see Section 11 and our Cookie Policy.

We process your data for the following purposes, each under a specific GDPR legal basis:

• Providing the transcription service (account creation, upload, transcription, export, storage, billing) — Article 6(1)(b), performance of a contract with you.
• Security, fraud prevention, and service integrity (rate limiting, abuse detection, audit logs) — Article 6(1)(f), our legitimate interest in operating a secure service.
• Product analytics and service improvement (aggregated usage patterns, error rates) — Article 6(1)(f), legitimate interest, and where required, Article 6(1)(a) consent collected via the cookie banner.
• Transactional email (confirmations, receipts, account notices) — Article 6(1)(b), contract performance.
• Marketing email and optional communications — Article 6(1)(a), your explicit opt-in consent, which you may withdraw at any time.
• Legal obligations (tax, accounting, responding to lawful requests) — Article 6(1)(c).

We rely on the following sub-processors. Each is bound by a written data-processing agreement and appropriate safeguards:

Some sub-processors are located outside the European Economic Area, notably in the United States (OpenAI, Lemon Squeezy, Resend, parts of Cloudflare's edge). Where no adequacy decision applies, we rely on the European Commission's Standard Contractual Clauses (2021/914) and, where relevant, supplementary technical and organisational measures such as in-transit encryption and access controls. A copy of the relevant SCCs is available on request.

We retain personal data only as long as necessary for the purposes described:

• Original audio or video files: deleted automatically 24 hours after the transcription completes.
• Transcripts and export files: stored in your account until you delete them, or until 30 days after you close your account.
• Account metadata (email, settings): up to 30 days after account closure, then deleted.
• Billing records: retained for up to 7 years to comply with tax and accounting law.
• Backups: rolling backups are purged within 90 days of the corresponding live deletion.
• Security and audit logs: up to 12 months.

Under the GDPR you have the right to:

• Access the personal data we hold about you and receive a copy.
• Request rectification of inaccurate or incomplete data.
• Request erasure ("right to be forgotten") where legal conditions are met.
• Receive your data in a structured, commonly used, machine-readable format (portability).
• Request restriction of processing.
• Object to processing based on legitimate interests, including direct marketing.
• Withdraw consent at any time for processing based on consent, without affecting the lawfulness of prior processing.
• Lodge a complaint with a supervisory authority in the EU member state of your residence, place of work, or place of the alleged infringement.

Write to [email protected] from the email registered on your account, or via a method that lets us reasonably verify your identity. We respond within 30 days, extendable by 60 days for complex requests (you will be notified). The service is free unless the request is manifestly unfounded or excessive, in which case a reasonable fee may apply.

Transcapt is not directed at children. We do not knowingly process personal data of persons under the age of 16. If you believe a child has provided us with personal data, contact [email protected] and we will delete the account and associated data.

We apply technical and organisational measures appropriate to the risk: TLS 1.2+ for all traffic, encryption at rest on database and storage, role-based access control, audit logging, least-privilege service accounts, regular backup and restore testing, and prompt patching of security updates. No system is perfectly secure; if we become aware of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the competent supervisory authority within 72 hours as required by Article 33 GDPR.

We use cookies and similar technologies for authentication, consent management, and (with your opt-in) analytics. See the Cookie Policy for the full list, purposes, and durations.

We may update this policy to reflect changes to the service, to sub-processors, or to applicable law. For material changes we will notify you by email and by a banner on the site at least 14 days before the new version takes effect. The "Last updated" date at the top of the page always reflects the current version.

We are not currently required to appoint a Data Protection Officer under Article 37 GDPR. All privacy inquiries are handled by our privacy team at [email protected].

Controller: Roas Labs SpA — Transcapt. Privacy contact: [email protected].

EU users may lodge a complaint with the data-protection authority in their country of residence. A directory is available at edpb.europa.eu/about-edpb/board/members.