Privacy Policy
Short version: Your audio files are never stored, and transcript text is not retained after processing. We keep only minimal operational metadata needed for paid usage, abuse prevention, and support. We don't sell data. No user accounts. To request deletion of any data we hold, email scribeforge.tech@gmail.com.
1. Data controller
The data controller for scribeforge.tech is the individual operator:
- Business: WPSani.store · VAT no. IT12343720012
- Email: scribeforge.tech@gmail.com
For all privacy-related requests, email the above with subject "Privacy Request — ScribeForge".
2. What data we collect and why
| Data | Purpose | Legal basis (GDPR Art. 6) | Retention |
|---|---|---|---|
| Audio files | Loaded into server memory, sent to xAI Grok STT API for transcription, then immediately discarded. Never written to permanent storage. | Contract performance (Art. 6(1)(b)) | Not stored. Deleted from memory after each request. |
| Transcript text | Returned to your browser as the processing result. Not retained by ScribeForge after the request completes. | Contract performance (Art. 6(1)(b)) | Not stored server-side after the response is sent. |
| IP address | Enforce the free daily limit (2 transcriptions/day/IP) and prevent abuse. | Legitimate interest (Art. 6(1)(f)) | Daily counters; IP logs up to 30 days. |
| Email + license key | Issued after a Stripe purchase. Used to deliver the key, process refunds, and manage subscriptions. | Contract performance (Art. 6(1)(b)) | Until deletion request or 3 years after last activity. |
| Paid usage metadata | Minimal metadata linked to a paid license key, such as timestamp, file name, transcript length, duration, file size, and estimated processing cost. Used for usage history, abuse review, support, and unit-economics analysis. | Legitimate interest (Art. 6(1)(f)) and contract performance (Art. 6(1)(b)) | Until deletion request or 3 years after last activity. |
| Session recordings | Anonymised replays of mouse, click, and scroll events (rrweb). Never includes audio content or payment data. Used to identify UX issues and improve the product. | Legitimate interest (Art. 6(1)(f)) | 30 days, then deleted. To opt out, email us. |
| Star ratings & feedback | Optional rating submitted after transcription. Stored as aggregate counters, not linked to identity. | Legitimate interest (Art. 6(1)(f)) | Indefinite (aggregate only, not personal). |
3. Third-party processors
- xAI (USA) — your audio is sent to the Grok STT API (
scribe_v2) for transcription. xAI's privacy policy. xAI uses Standard Contractual Clauses for EU data transfers. - Stripe (USA/EU) — payment processing. We never see or store card data. Stripe's privacy policy.
- Brevo (EU) — transactional email delivery (license key emails and support/feedback notifications). Brevo's privacy policy.
- Plausible Analytics (EU) — cookieless, privacy-friendly analytics. No personal data collected. Plausible's privacy policy.
- Telegram — IP address, browser user agent, and referrer are sent to an internal private channel for operational monitoring. Accessible only to the service operator.
Data transfers outside the EU/EEA: xAI and Stripe are US-based and operate under Standard Contractual Clauses. We do not sell data to any third party.
4. Cookies and local storage
Your license key is stored in your browser's localStorage — it never leaves your device except when sent to our server for validation.
Plausible Analytics is cookieless and does not track you across sites.
Google Ads conversion tracking (gtag.js, ID AW-17757853805) is loaded only if you accept cookies via the consent banner on first visit. If loaded, Google may set _gcl_aw and _gcl_dc cookies (ad click attribution, up to 90 days). Legal basis: Consent (Art. 6(1)(a)). Withdraw by clearing cookie_consent from localStorage or emailing us. Google's privacy policy.
5. Your rights under GDPR
If you are in the EU/EEA you have the right to: access, rectification, erasure, restriction of processing, data portability, objection (especially for legitimate-interest processing such as session recordings), and withdrawal of consent.
Email scribeforge.tech@gmail.com — subject "Privacy Request — ScribeForge". We respond within 30 days.
You may also lodge a complaint with your national supervisory authority. In Italy: Garante per la protezione dei dati personali. EU directory: edpb.europa.eu.
6. Data security
The ScribeForge server uses HTTPS (TLS). The SQLite database is stored on a private server and not publicly accessible. License keys use UUID v4 (cryptographically random). Session recordings are server-stored and not publicly accessible.
7. Children
ScribeForge is not intended for persons under 16. We do not knowingly collect data from children.
8. Changes
We may update this policy. The "Last updated" date above reflects any changes. Material changes will be announced on the site.
9. Contact
scribeforge.tech@gmail.com · Subject: Privacy Request — ScribeForge