← Back to home
Legal

Privacy Policy

Last updated: May 18, 2026

TranscriptLabs ("we", "us", "the Service") operates the website transcriptlabs.io. This Privacy Policy explains what personal data we process, on what legal basis, and what rights you have under the EU General Data Protection Regulation (GDPR) and Polish data protection law.

TL;DR: We collect the minimum data needed to operate the Service. We never sell your data and never use it for third-party advertising. We do advertise our own product on Google and — only if you consent in the cookie banner — use Google Ads cookies to measure whether those ads led to a sign-up or purchase (see Cookie Policy). Transcripts you extract are stored in your account and used only to generate AI reports for you. AI providers do not train on your data.

1. Data Controller

The data controller responsible for personal data processed through the Service is:

NODE Piotr Nowicki
al. Komisji Edukacji Narodowej 36, lok. 112B
02-797 Warszawa, Poland
NIP (VAT): PL9512304601
REGON: 147233931
Registered with CEIDG (Polish Central Registration of Business Activity)

Contact for privacy matters: info@transcriptlabs.io

2. Data we process

2.1 Account information

  • Email address — to create your account, send magic-link sign-in emails, and contact you about service issues
  • Display name and avatar — optional, only if you sign in with a provider that supplies them

2.2 Payment information

Payments are processed by Stripe Payments Europe Limited. We do not see or store your card details. We store the Stripe customer ID and metadata about purchases (pack size, amount, currency, timestamp, invoice number) for invoicing, accounting, and tax compliance.

2.3 Consent audit trail (checkout)

At the moment you complete a credit purchase, we record alongside the transaction:

  • The version identifiers of the Terms of Service, Refund Policy, Privacy Policy, and the consent-checkbox text in force at that time
  • The exact timestamp at which you confirmed the immediate-execution consent
  • Your browser's User-Agent string (truncated to 500 characters)
  • A salted SHA-256 hash of your IP address at the time of consent (we do not store the IP itself in this record; the hash is irreversible without our server-side salt and is intended only to corroborate that a later disputed consent originated from the same network)

The purpose of this record is strictly evidentiary: to be able to prove, in case of a chargeback, withdrawal dispute, or regulatory inquiry, which document version you accepted, when, and from what device. This record is retained for the same period as the underlying invoice (see Section 6).

2.4 Service usage data

  • YouTube channel URLs and titles you submit for analysis
  • Public transcripts retrieved from those channels (text, video IDs, video titles)
  • AI reports we generate for you
  • Credit balance and usage logs (when reports were generated, our infrastructure cost)

2.5 Shared transcript cache (performance infrastructure)

We maintain an internal cache of transcripts keyed by YouTube video ID. When one user extracts a video's transcript, subsequent requests for the same video reuse the cached text instead of re-fetching it from YouTube. The cache is private infrastructure:

  • Users never see other users' transcripts as content — each user only sees transcripts in their own account.
  • The cache exists purely as a performance optimization (reduces YouTube fetch latency, residential proxy bandwidth, and load on YouTube's servers).
  • Each cache entry retains an audit reference to the user who first triggered the extraction (used only for chargeback / takedown investigation, never for cross-user disclosure).
  • Transcripts originate from publicly available YouTube videos. Their copyright belongs to the original video creators / YouTube.

Takedown: if you are a content rights holder and want a specific video's transcript removed from our cache, email info@transcriptlabs.io with the YouTube video URL. We delete from the cache and from all user accounts within 7 calendar days.

2.6 Technical data

  • Session cookies for authentication (managed by Supabase Auth)
  • IP address and user agent logged briefly by Vercel for security and abuse prevention; not used for behavioural profiling
  • Advertising / conversion cookies (Google Ads) — only if you consent. Disabled by default via Google Consent Mode v2. Used solely to measure our own ads and limited remarketing of our own ads; see the Cookie Policy for the exact cookies, durations, and how to withdraw consent

3. How we use your data

  • Provide the Service (extract transcripts, generate AI reports)
  • Process payments and manage your credit balance
  • Send transactional emails (sign-in links, receipts, service notifications)
  • Detect and prevent abuse, fraud, and security incidents
  • Maintain a consent audit trail for paid digital-service purchases (see Section 2.3) so that we can defend against chargebacks and prove which document versions a buyer accepted
  • Comply with our legal obligations (tax, accounting, regulatory requests)
  • Improve the Service via aggregate, anonymized analysis (never individual identification)

We also use your data, only with your consent, to:

  • Measure the performance of our own ads on Google and carry out limited remarketing of our own ads (Google Ads cookies — off by default, see Cookie Policy)

We do NOT use your data for:

  • Selling or sharing your personal data with data brokers or for any third party's own advertising
  • Cross-site behavioural profiling beyond the consent-based ad-conversion measurement described above
  • Training AI models on your transcripts
  • Any purpose unrelated to operating or promoting the Service

4. Legal basis for processing (GDPR Art. 6)

  • Performance of a contract (Art. 6(1)(b)): account creation, transcript extraction, report generation, payment processing — these are required to provide the Service you requested
  • Compliance with a legal obligation (Art. 6(1)(c)): retaining payment and tax records as required by Polish and EU law
  • Legitimate interests (Art. 6(1)(f)): security, abuse prevention, fraud detection, basic service analytics, and maintaining the consent audit trail described in Section 2.3 (necessary to defend against chargebacks and to prove the validity of the immediate-execution consent under Art. 16(m) ECRD / art. 38 ust. 1 pkt 13 ustawy o prawach konsumenta). We balance these against your fundamental rights — you may object at any time.
  • Consent (Art. 6(1)(a)): relied upon for advertising and conversion-measurement cookies (Google Ads). These are disabled by default (Google Consent Mode v2) and are only activated if you opt in via the cookie banner. You may withdraw consent at any time, with effect for the future, via "Manage cookie preferences" on the Cookie Policy page (Art. 7(3)). The separate immediate-execution acknowledgement at checkout is a contractual waiver of withdrawal under Art. 16(m) ECRD, not a GDPR Art. 6(1)(a) consent.

5. Third-party processors

We use the following sub-processors. Each is bound by their own privacy practices and a Data Processing Agreement (DPA) where required by GDPR.

ServicePurposeData sharedPrivacy policy
SupabaseDatabase + authenticationAccount data, transcripts, reportssupabase.com/privacy
VercelWeb hosting + serverless functionsRequest metadata (IP, user agent)vercel.com/legal/privacy-policy
StripePayment processingEmail, billing details, paymentstripe.com/privacy
Anthropic (Claude)AI report generationTranscript content (per-request, not retained beyond 30 days for safety review; not used for training)anthropic.com/legal/privacy
ResendTransactional emailsEmail address, message contentresend.com/legal/privacy-policy
Google (Google Ireland Ltd / Google LLC)Ad-conversion measurement & remarketing of our own ads — only with consentClick ID (GCLID), cookie ID, IP address, ad-interaction eventspolicies.google.com/privacy

For the Google Ads cookies, Google acts partly as our processor and partly as an independent controller. They are governed by the Google Ads Data Processing Terms and are not set at all unless you consent — see the Cookie Policy.

6. Data retention

  • Account data: retained while your account is active. Deleted on request.
  • Transcripts and reports: retained while your account is active. You can delete individual channels or your whole account at any time.
  • Payment records and invoices: retained for 5 years after the end of the calendar year in which the transaction occurred (Polish tax law: art. 86 § 1 of the Polish Tax Ordinance / Ordynacja podatkowa).
  • Consent audit trail (per Section 2.3): retained alongside the corresponding invoice for the same 5-year period, then deleted together with the invoice. The audit trail is not used for any purpose other than evidence in disputes.
  • Server logs: retained for up to 12 months, then anonymized.

7. Your rights under GDPR

You have the right to:

  • Access your data — request a full export by emailing us
  • Rectify inaccurate data via your account settings or by contacting us
  • Erasure ("right to be forgotten") — delete your account and all associated data
  • Restrict processing in specific circumstances
  • Data portability — receive your data in a structured, machine-readable format (JSON)
  • Object to processing based on legitimate interests
  • Withdraw consent where processing is based on consent (Art. 7(3))

To exercise any of these rights, email info@transcriptlabs.io from the address registered with your account. We will respond within 30 days as required by GDPR.

Right to lodge a complaint: if you believe we have processed your data unlawfully, you may file a complaint with the Polish Data Protection Authority:

Prezes Urzędu Ochrony Danych Osobowych (PUODO)
ul. Stawki 2, 00-193 Warszawa
Website: uodo.gov.pl

Residents of other EU/EEA countries may also lodge complaints with their local data protection authority.

8. International transfers

Some of our processors store data outside the European Economic Area (EEA), primarily in the United States. Where data is transferred outside the EEA, we rely on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission, or
  • EU–U.S. Data Privacy Framework certification where the processor is certified, or
  • Other GDPR Chapter V mechanisms as applicable

9. Automated decision-making

We do not subject you to decisions based solely on automated processing that produce legal or similarly significant effects on you. AI-generated reports are advisory and informational only.

10. Children's privacy

TranscriptLabs is not intended for users under 16. We do not knowingly process personal data of children under 16. If you believe we have, contact us and we will delete it without delay.

11. Security

We use industry-standard technical and organizational measures:

  • HTTPS/TLS for all data in transit
  • Encrypted database connections (mTLS)
  • Row-level security in our database (you can only access your own data)
  • Regular dependency updates and security patches
  • Secrets stored in encrypted environment variables, never in source code
  • Minimum-privilege access for employees and contractors

No method of transmission or storage is 100% secure. In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the supervisory authority within 72 hours and affected users without undue delay, as required by Articles 33–34 GDPR.

12. Changes to this policy

We may update this Privacy Policy. Material changes will be announced by email and via a notice on this page at least 14 days before they take effect. Continued use of the Service after the effective date constitutes acceptance.

13. Contact

Questions about this policy or your data:
Email: info@transcriptlabs.io
Postal: NODE Piotr Nowicki, al. Komisji Edukacji Narodowej 36, lok. 112B, 02-797 Warszawa, Poland

Privacy PolicyTerms of ServiceRefund PolicyCookie PolicyContact
© 2026 NODE Piotr Nowicki (TranscriptLabs). TranscriptLabs is a product of NODE Piotr Nowicki, a sole proprietorship registered in Poland (NIP PL9512304601).