Privacy Policy
Last updated: May 2026
Transcription.Solutions is a paid SaaS that converts audio and video into text. This page explains exactly what we collect, how long we keep it, and who we share it with. If anything here is unclear, email [email protected].
1. What we collect
When you use Transcription.Solutions, we process:
- Account data: email, password hash (via Supabase Auth), display name if you provide one, plan and billing status.
- Source media: the audio or video files you upload, the URLs you paste, and recordings you make in-browser.
- Derived data: transcripts, speaker labels, AI summaries we generate from your media.
- Usage metadata: minutes consumed, plan transitions, billing events. Stored to enforce quotas and process refunds.
- Operational logs: IP, user-agent, timestamps, error traces. Used to debug and to detect abuse.
2. How long we keep it
- Source media (audio/video): deleted within 24 hours after transcription completes. This is enforced by an hourly retention job and recorded on the job record (`source_media_deleted_at`).
- Transcripts and summaries: kept until you delete them, or 30 days after you delete your account.
- Account data: kept while your account exists. On account deletion (Settings → Delete account, or email us), all data is purged within 30 days; billing records may be retained longer where required by tax law.
- Operational logs: 30 days, then aggregated/anonymized.
3. Data processors (subprocessors)
We use the following third parties to deliver the service. Each is bound by their own privacy terms.
- Supabase — authentication and primary database (EU/US regions).
- AssemblyAI — primary speech-to-text and speaker diarization (paid API). Per AssemblyAI's policy, customer audio and transcripts are not used to train their models.
- OpenAI — fallback speech-to-text (used only when AssemblyAI is unavailable). Per OpenAI's API policy, content is not used to train their models.
- OpenRouter — routes our AI summarization and translation prompts to the model we've chosen (currently DeepSeek). Prompts and outputs are not used to train models.
- Recall.ai — meeting bot orchestration (used only when you schedule a meeting bot). Recall.ai dispatches a bot to your meeting URL, receives the meeting audio, and returns it to us as an MP3 file. The audio is then processed by AssemblyAI (above) and the source file is deleted from both Recall.ai and our storage within 24 hours.
- Stripe — payment processing; we never see your card number.
- AWS S3 — encrypted object storage for source media and transcripts.
- Apify — Instagram URL resolution (only used when you paste an Instagram link).
- Cloudflare — DNS, CDN, bot protection (Turnstile).
- SendGrid / Resend — transactional email (verification, password reset, billing receipts).
- Sentry — error tracking. Stack traces and request metadata; no source media or transcript content.
4. Do you train models on my recordings?
No. We don't train any models ourselves. The third-party APIs we use (AssemblyAI, OpenAI, OpenRouter) all default to not training on customer content. We also don't sell your data, share it with advertisers, or use it for any purpose beyond running the service for you.
5. Your rights (GDPR / CCPA)
You can:
- Access all your data — log in to Settings → Profile.
- Delete any individual transcript, or your entire account, at any time. Account deletion purges everything within 30 days.
- Export transcripts in TXT/SRT/VTT/DOCX from each job's detail page.
- Object / restrict processing: email [email protected].
- Object to meeting recording (GDPR Article 21 right to object): Any participant in a meeting where our meeting bot is present may remove the bot immediately by clicking the opt-out link the bot posts in the meeting chat. Upon opt-out, the bot leaves the meeting and we delete all audio and derived data from that session.
- Lawful basis for meeting recordings (GDPR Article 6(1)(f)): We process meeting audio under legitimate interest — providing the transcription service the meeting organiser subscribed to, balanced against the right to object via the in-meeting opt-out mechanism. For participants in two-party-consent jurisdictions (Illinois BIPA, California AB 2905), the in-meeting chat disclosure serves as the notice; voiceprint data collected during diarization is treated as a biometric identifier under BIPA (see Terms of Service § Meeting bot and recording consent).
6. Cookies
We use only essential cookies — your auth session and Stripe checkout. No advertising cookies, no cross-site tracking. Self-hosted analytics (Umami) runs without cookies and without personal identifiers.
7. Security
All data is encrypted in transit (TLS 1.3) and at rest (AES-256). Access to production systems is restricted to a small ops team and logged. We don't claim SOC 2 or ISO 27001 — we're a small team. If you need formal compliance, email us before purchasing.
8. Changes to this policy
Material changes will be announced via email and a banner on the dashboard at least 14 days before they take effect.
9. Contact
Email: [email protected]