Last updated: 3 March 2026
1. Who we are
Transcribr (“we”, “us”, “our”) is an audio and video transcription platform operated from Barcelona, Spain. Questions about this policy can be directed to contact@transcribr.co.
Note for self-hosted users. If you run the Transcribr open-source stack on your own infrastructure, this policy does not apply to you — your deployment is entirely under your own control and responsibility.
2. What data we collect
Account data
When you create an account we collect your email address, display name, and a hashed password. We never store your password in plain text.
Content data
The core purpose of the service is transcription. To provide it we process:
- Audio and video files you upload or that are captured via a meeting bot
- Transcripts and summaries generated from those files
- Meeting participant names returned by your meeting platform (Google Meet, Zoom, Microsoft Teams, etc.) when you use the meeting bot feature
Integration credentials
When you connect a third-party service (GitHub, GitLab, Slack, Notion, Linear, Jira, Google Calendar, Microsoft Outlook), we store the OAuth access tokens required to act on your behalf. These are encrypted at rest.
Billing data
If you subscribe to a paid plan, payment is handled by our payment processor (Stripe). We store your subscription status, plan tier, and usage metrics. We do not store full card numbers — Stripe retains those.
Technical data
We store server-side logs (request timestamps, IP addresses, error traces) for security and debugging. Your browser stores a JWT authentication token in localStorage to keep you signed in. No third-party tracking cookies are set by the application.
3. How we use your data and our lawful basis
| Purpose | Data used | Lawful basis (GDPR Art. 6) |
|---|---|---|
| Providing the transcription service | Audio, video, transcripts, summaries | Performance of contract |
| Account management and authentication | Email, password hash, JWT | Performance of contract |
| Processing payments and managing subscriptions | Billing data | Performance of contract / Legal obligation |
| Operating the meeting bot | Participant names, audio | Performance of contract |
| Maintaining service security and integrity | Logs, IP addresses | Legitimate interests |
| Communicating service updates and essential notices | Legitimate interests |
We do not use your content (audio, transcripts, summaries) to train AI models. We do not sell your data to third parties.
4. Sub-processors
To provide the service we share data with the following sub-processors. Each is bound by a data processing agreement.
| Processor | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | File storage (S3) | USA (EU regions used where available) |
| OpenAI | AI summarisation and description generation | USA |
| Stripe | Payment processing | USA |
| Recall.ai | Meeting bot — joining calls and retrieving transcripts | USA |
| Hetzner / homelab | Database and application hosting | EU |
Transfers to processors located outside the European Economic Area are governed by Standard Contractual Clauses (SCCs) as adopted by the European Commission.
5. Data retention
| Data type | Retention period |
|---|---|
| Account data | Until account deletion, plus 30 days |
| Audio and video files | Until you delete the job, or account deletion |
| Transcripts and summaries | Until you delete the job, or account deletion |
| Billing records | 7 years (legal obligation under Spanish tax law) |
| Server logs | 90 days rolling |
| OAuth tokens | Until you disconnect the integration, or account deletion |
When you delete your account we permanently delete your personal data within 30 days, except where we are required to retain it by law (e.g., billing records).
6. Meeting recordings and participant data
The meeting bot feature joins calls on your behalf and captures audio or retrieves captions. You are solely responsible for ensuring that all participants in a recorded meeting have been informed of and have consented to the recording, in accordance with the laws of your jurisdiction and theirs.
We process participant names and transcript content solely to deliver the transcription result to you. Participant data is not shared with third parties beyond the sub-processors listed in section 4.
7. Your rights
As a data subject under the GDPR you have the following rights, which you can exercise by contacting contact@transcribr.co:
- Access — request a copy of the personal data we hold about you
- Rectification — ask us to correct inaccurate data
- Erasure (“right to be forgotten”) — request deletion of your data
- Portability — receive your data in a machine-readable format
- Restriction — ask us to pause processing while a dispute is resolved
- Objection — object to processing based on legitimate interests
- Withdraw consent — where processing relies on consent, withdraw it at any time
We will respond to requests within 30 days. You also have the right to lodge a complaint with the Spanish data protection authority, the Agencia Española de Protección de Datos (AEPD), at aepd.es.
8. Security
We apply industry-standard measures including encryption in transit (TLS), encryption at rest for sensitive credentials, access controls, and regular dependency updates. No system is perfectly secure; in the event of a data breach we will notify affected users and the relevant supervisory authority within the timeframes required by law.
9. Children
The service is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with their data, please contact us and we will delete it promptly.
10. Changes to this policy
We will notify you of material changes by email at least 14 days before they take effect. The “last updated” date at the top of this page always reflects the current version. Continued use of the service after the effective date constitutes acceptance of the updated policy.
11. Contact
Transcribr Barcelona, Spain contact@transcribr.co