Privacy Policy
Last updated: November 21, 2025
Data Controller
TheScribe is operated by:
STM Tech Solutions SRL
Registration Number (CUI): 52851727
Country: Romania
Email: contact@stmtechsolutions.com
For GDPR purposes, STM Tech Solutions SRL is the data controller responsible for your personal information.
Introduction
Welcome to TheScribe. We respect your privacy and are committed to protecting your personal data. This privacy policy explains how we collect, use, store, and protect your information when you use our note-taking and transcription service.
This policy applies to all users in the United States, European Union, and worldwide. We comply with the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and other applicable privacy laws.
Information We Collect
1. Account Information
When you create an account, we collect:
- Email address
- First and last name
- Password (encrypted and never stored in plain text)
- Account creation date
2. Content You Create
To provide our service, we store:
- Audio recordings you upload for transcription
- Text notes you create
- Transcriptions and AI-refined content
- Folders and organizational structures
- Tags for note categorization
- Note metadata (creation date, modification date, word count)
3. Usage Information
We automatically collect:
- Browser type and version
- Device information (type, operating system)
- IP address and general location (country/region)
- Pages visited and features used
- Time spent on the platform
- Error logs and performance data
4. Payment Information
Payment processing is handled entirely by Stripe, our payment processor. We do not store any credit card information on our servers.
What we store:
- Your unique Stripe customer identifier (used to link your account to Stripe)
- Your subscription identifier (used to track your Pro subscription)
- Subscription status (active, canceled, etc.)
All payment details (card numbers, expiration dates, CVV) are stored securely by Stripe and never transmitted to or stored on our servers. See Stripe's Privacy Policy for details on how they handle your payment information.
5. Cookies and Analytics
We use cookies and browser storage to provide and improve our service:
Essential (Always Active):
- Authentication: Secure authentication tokens are stored in localStorage to keep you logged in
- Preferences: Your theme preference (dark/light mode) is stored in localStorage
- Cookie consent: We remember your cookie preferences so we don't ask repeatedly
Analytics (Requires Your Consent):
- Usage analytics: We use analytics services to understand how you use TheScribe, which features are most valuable, and where we can improve
- Performance monitoring: Track page load times and errors to improve app performance
- No personal identification: Analytics data is aggregated and anonymized
You can accept or reject analytics cookies at any time through our cookie consent banner. Rejecting analytics cookies will not affect your ability to use TheScribe.
How We Use Your Information
We use your information to:
- Provide our service: Transcribe audio, refine notes, organize content
- Authenticate you: Securely log you in and maintain your session
- Process payments: Manage subscriptions and billing
- Improve our platform: Analyze usage patterns and fix bugs
- Communicate with you: Send service updates, security alerts, and support responses
- Enforce our terms: Prevent fraud and abuse
- Comply with legal obligations: Respond to legal requests when required
TheScribe AI and Data Processing
TheScribe AI powers our transcription and note refinement features. To deliver these capabilities, we work with trusted third-party AI infrastructure providers:
- Speech Recognition: Your audio recordings are processed using advanced speech recognition technology to convert them into text with high accuracy across 100+ languages
- AI Refinement: TheScribe AI refines and enhances your notes with intelligent writing assistance using secure third-party AI infrastructure
When you use these features:
- Your audio content is processed by our speech recognition provider for transcription
- Your text content is processed by our AI infrastructure provider for refinement when you request it
- We have data processing agreements in place with all providers
- Your content is not used to train AI models (per our agreements with providers)
- Processed data is not retained by third-party services beyond what's necessary for processing
Data Storage and Security
We take security seriously and implement industry-standard practices to protect your data:
Encryption in Transit
All communication between you and TheScribe, and between TheScribe and its downstream dependencies, is protected using TLS 1.2 or higher connections. This ensures that your data is encrypted while being transmitted over the internet.
Encryption at Rest
TheScribe encrypts your data at rest using AWS owned encryption keys from AWS Key Management Service (AWS KMS). This includes all your notes, audio recordings, transcriptions, folders, tags, and account information. You don't have to take any action to protect the AWS managed keys that encrypt your data.
For more information about AWS encryption, see AWS owned keys in the AWS Key Management Service Developer Guide.
Infrastructure Security
Your data is hosted on Amazon Web Services (AWS), which provides enterprise-grade security and compliance:
- Physical security: AWS data centers feature 24/7 security, biometric access controls, and video surveillance
- Compliance certifications: AWS maintains SOC 1/2/3, ISO 27001, PCI DSS Level 1, and GDPR compliance
- Data residency: Your data is stored in secure AWS data centers in the United States or European Union based on your location
- Network isolation: Our infrastructure uses isolated networks to prevent unauthorized access
Access Controls
- Secure authentication: We use industry-standard authentication protocols to verify your identity
- Password security: Passwords are hashed and never stored in plain text
- Least privilege access: Our systems follow the principle of least privilege - each component only has access to the specific data it needs to function
- Multi-factor authentication: Our team uses MFA to access production systems
Data Durability and Backup
- Automatic backups: Your data is continuously backed up to prevent loss
- Point-in-time recovery: We can restore your data to any point within the last 35 days if needed
- High durability: Your audio files are stored with 99.999999999% (11 nines) durability and are automatically replicated across multiple facilities
- Disaster recovery: Our infrastructure is designed to withstand facility-level failures with automatic failover
Security Monitoring
- 24/7 monitoring: We monitor all systems around the clock for unusual activity and security threats
- Automated alerts: Our team is immediately notified of any security-related events
- Audit logging: All access to production systems is logged and regularly reviewed
- Vulnerability management: We regularly scan for security vulnerabilities and apply patches promptly
While we implement comprehensive security measures and use enterprise-grade infrastructure, no system can be 100% secure. We continuously monitor, test, and improve our security practices to protect your data. If you discover a security vulnerability, please report it to security@thescribe.io.
Data Retention
We retain your data as follows:
- Active accounts: Your data is retained as long as your account is active
- Deleted notes: Permanently deleted within 30 days
- Account deletion: When you delete your account, your data is marked for deletion and permanently removed within 30 days
- Legal requirements: Some data may be retained longer if required by law (e.g., billing records for tax purposes)
- Backups: Deleted data may persist in backups for up to 90 days before being permanently removed
Your Privacy Rights
Depending on your location, you have the following rights:
For All Users
- Access: Request a copy of your personal data
- Correction: Update or correct your information
- Deletion: Request deletion of your account and data
- Export: Download your notes and data in a portable format
For EU Users (GDPR Rights)
- Right to be forgotten: Request complete deletion of your data
- Data portability: Receive your data in a machine-readable format
- Restrict processing: Limit how we use your data
- Object to processing: Object to certain uses of your data
- Withdraw consent: Withdraw consent for data processing at any time
- Lodge a complaint: File a complaint with your local data protection authority
For California Users (CCPA Rights)
- Know: Know what personal information we collect and how it's used
- Delete: Request deletion of your personal information
- Opt-out: Opt out of the sale of personal information (we do not sell your data)
- Non-discrimination: Not be discriminated against for exercising your rights
To exercise any of these rights, please contact us at privacy@thescribe.io or use the account deletion feature in your Settings page.
Data Sharing and Disclosure
We do not sell your personal data. We only share your information in these limited circumstances:
- Service providers: AWS, Stripe, and other vendors who help us operate TheScribe
- Legal requirements: When required by law, court order, or government request
- Business transfers: If TheScribe is acquired or merged, your data may be transferred to the new owner
- With your consent: When you explicitly authorize us to share your data
- Aggregated data: We may share anonymized, aggregated statistics that cannot identify you
International Data Transfers
TheScribe is based in Romania (European Union). We store and process data on AWS servers in multiple regions:
- EU users: Your data is stored and processed in AWS EU regions, keeping it within the European Union
- US users: Your data is stored and processed in AWS US regions
- Other regions: Your data may be stored in either US or EU regions based on service availability
When data is transferred between regions or to third-party service providers, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission and other appropriate safeguards to ensure adequate protection of your data.
Children's Privacy
TheScribe is not intended for children under 16 years of age. We do not knowingly collect personal information from children under 16. If you believe we have collected information from a child under 16, please contact us immediately at privacy@thescribe.io, and we will delete it.
Changes to This Privacy Policy
We may update this privacy policy from time to time. When we make significant changes, we will:
- Update the "Last updated" date at the top of this page
- Notify you via email if you have an account
- Display a prominent notice on our website
Your continued use of TheScribe after changes are posted constitutes acceptance of the updated policy.
Contact Us
If you have questions about this privacy policy or how we handle your data, please contact us:
Email: privacy@thescribe.io
Response Time: We aim to respond to all privacy inquiries within 30 days
