Privacy Policy

Last updated: January 21, 2026

1. Introduction

1.1 What This Privacy Policy Covers

This Privacy Policy explains how Fuerte vision, MB ("we," "us," or "PrismaScribe") collects, uses, stores, and protects your personal data when you use the PrismaScribe AI transcription platform (the "Service"). It applies to all users of our website, web application, and related services.

This Privacy Policy should be read together with our Terms of Service, which govern your use of the Service.

1.2 GDPR Compliance Statement

We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR) and all applicable European Union and Lithuanian data protection laws. As an EU-based company, we adhere to the highest standards of data protection.

We process your personal data lawfully, fairly, and transparently. This Privacy Policy is designed to help you understand:

• What personal data we collect and why
• How we use and protect your data
• Your rights under GDPR and how to exercise them
• How to contact us with privacy questions or concerns

1.3 Your Rights Under GDPR

As a data subject under GDPR, you have the following rights:

We will respond to all rights requests within 30 days (extendable by 60 days for complex requests, with explanation).

1.4 Contact Information for Privacy Questions

If you have any questions about this Privacy Policy, how we handle your personal data, or wish to exercise your GDPR rights, please contact us:

Email: hello@prismascribe.ai

Postal Address:

Fuerte vision, MB
Ašmenėlės g. 102C, LT-11330 Vilnius, Lithuania

We aim to respond to all privacy inquiries within 2 business days, and formally respond to all GDPR rights requests within 30 days.

2. Data Controller Information

2.1 Who We Are

The data controller responsible for your personal data is:

Legal Name: Fuerte vision, MB

Registration Number: 307414067

Registered Address: Ašmenėlės g. 102C, LT-11330 Vilnius, Lithuania

Country of Registration: Republic of Lithuania (European Union)

Contact Email: hello@prismascribe.ai

As the data controller, we determine the purposes and means of processing your personal data and are responsible for its protection under GDPR.

2.2 Data Protection Officer (DPO)

Under GDPR Article 37, we are not required to appoint a formal Data Protection Officer because we:

• Are not a public authority
• Do not engage in large-scale processing of special categories of personal data
• Do not engage in large-scale systematic monitoring of individuals

However, we are fully committed to data protection compliance. All privacy inquiries and data subject rights requests should be directed to hello@prismascribe.ai, and will be handled by our privacy-responsible team members.

2.3 Supervisory Authority

As an EU-based company operating in Lithuania, our lead supervisory authority is:

State Data Protection Inspectorate of Lithuania

Address: L. Sapiegos g. 17, LT-10312 Vilnius, Lithuania

Website: https://vdai.lrv.lt/

Email: ada@ada.lt

Phone: +370 5 271 2804

You have the right to lodge a complaint with the State Data Protection Inspectorate if you believe we have violated your data protection rights. However, we encourage you to contact us first at hello@prismascribe.ai so we can attempt to resolve any concerns.

2.4 EU Representative

As we are an EU-based company (Lithuania), we are not required to appoint an EU representative under GDPR Article 27. We operate directly within the European Union and are subject to EU data protection law.

2.5 International Data Transfers

While we are based in the EU, some of our service providers operate servers outside the European Economic Area (EEA). We have implemented appropriate safeguards for all international transfers, as detailed in Section 5 (International Data Transfers) of this Privacy Policy.

3. What Personal Data We Collect

We collect only the personal data necessary to provide, improve, and secure our Service. This section explains what data we collect, organized by category.

3.1 Account Information

When you create an account with PrismaScribe, we collect:

Processing by: Clerk (authentication service provider) - see Section 5 for data transfer details.

3.2 Usage Data

When you use our Service, we collect and process:

Processing by:

• ElevenLabs (transcription) - audio/video content, file metadata
• Google Gemini API (translation/summarization) - transcript text only
• Cloudflare R2 (storage) - all uploaded files and generated content

3.3 Payment Information

For paid subscriptions, we collect:

Processing by: Stripe (payment processor) - see Section 5 for data transfer details.

Important: We do not have access to your full payment card details. Stripe provides us only with:

• Last 4 digits of your card
• Card brand (Visa, Mastercard, etc.)
• Card expiration date
• Billing address

3.4 Technical Data

We automatically collect certain technical information when you use our Service:

3.5 Communications Data

When you contact us, we collect:

• Support Correspondence: Your messages, attachments, and our responses when you contact customer support
• Feedback and Inquiries: Feedback you provide about our Service
• Survey Responses: If you participate in surveys or research
• Email Communications: Records of emails we send you and your interactions with them (open rates, click-through rates)

3.6 Data We Do NOT Collect

We are committed to data minimization. We do not intentionally collect:

3.7 Data Retention Summary

We retain personal data only as long as necessary:

• Account data: Until you delete your account
• Usage data (files, transcriptions): Until you delete them, or account deletion
• Payment records: 7 years (Lithuanian tax/accounting law requirement)
• Technical logs: 90 days maximum
• Support correspondence: 3 years

See Section 7 (Data Retention) for complete retention details.

4. How We Use Your Personal Data

We use your personal data only for specific, explicit, and legitimate purposes. For each purpose, we identify the lawful basis under GDPR Article 6(1).

4.1 To Provide the Service (Legal Basis: Contract Performance - Article 6(1)(b))

What we do:

• Process uploaded files through ElevenLabs AI transcription engine to convert audio/video to text
• Generate translations of transcripts using Google Gemini API (when you request translation)
• Generate summaries of transcripts using Google Gemini API (when you request summarization)
• Store your files securely on Cloudflare R2 (Western Europe region)
• Manage your account including authentication, access control, and profile management
• Deliver transcriptions, translations, and summaries to you via our web interface
• Enable file organization through folders, tags, and project management features
• Provide download functionality for your transcripts and processed content

Legal basis: Processing is necessary to perform our contract with you (the Terms of Service). Without this processing, we cannot provide the Service.

Data involved:

• Account information (email, name, password hash)
• Uploaded files (audio, video)
• Generated content (transcriptions, translations, summaries)
• File metadata and organization data

Processors involved:

• Clerk (authentication)
• ElevenLabs (transcription)
• Google Gemini API (translation, summarization)
• Cloudflare R2 (storage)

4.2 Payment Processing (Legal Basis: Contract Performance - Article 6(1)(b))

What we do:

• Process subscription payments through Stripe
• Manage billing cycles and automatic renewals
• Generate invoices and payment receipts
• Handle refunds and disputes in accordance with our Terms of Service
• Enforce payment terms including suspension for non-payment
• Maintain transaction records for accounting and tax purposes

Legal basis: Processing is necessary to perform our contract with you. We cannot provide paid subscription services without payment processing.

Additional legal basis for long-term retention: Legal obligation (Article 6(1)(c)) - Lithuanian law requires us to retain accounting and tax records for 7 years.

Data involved:

• Payment information (processed by Stripe)
• Billing address
• Transaction history
• Subscription status

Processors involved:

• Stripe (payment processing, PCI DSS Level 1 compliant)

4.3 Customer Support (Legal Basis: Legitimate Interest - Article 6(1)(f))

What we do:

• Respond to inquiries sent to hello@prismascribe.ai
• Troubleshoot technical issues you experience with the Service
• Provide guidance on using features and capabilities
• Investigate and resolve service disruptions or errors
• Follow up on support tickets to ensure resolution

Legal basis: Legitimate interest - we have a legitimate interest in providing excellent customer support to maintain service quality and customer satisfaction. This interest is not overridden by your rights and freedoms.

Your rights: You can object to this processing under GDPR Article 21. However, this may limit our ability to provide support.

Data involved:

• Contact information (email, name)
• Support correspondence
• Technical data related to your issue
• Account information (to identify your account)

4.4 Service Improvement and Development (Legal Basis: Legitimate Interest - Article 6(1)(f))

What we do:

• Analyze usage patterns to understand how users interact with the Service
• Improve AI accuracy by analyzing transcription quality (without using your data for training)
• Develop new features based on user needs and behavior
• Optimize performance of the platform (speed, reliability, scalability)
• Identify and fix bugs to improve service stability
• Conduct A/B testing of new features and improvements

Legal basis: Legitimate interest - we have a legitimate interest in improving our Service to remain competitive and meet user needs. This interest is not overridden by your rights and freedoms.

Your rights: You can object to this processing under GDPR Article 21, which will exclude your data from analytics and improvement activities.

Data involved:

• Usage patterns and feature interactions
• Technical data (browser, device, IP address)
• File metadata (NOT file content)
• Performance metrics

Important limitations:

• We DO NOT use your uploaded audio/video content for service improvement
• We DO NOT use your transcript content for AI training
• We analyze only metadata and usage patterns

4.5 Legal Compliance and Safety (Legal Basis: Legal Obligation - Article 6(1)(c) and Legitimate Interest - Article 6(1)(f))

What we do:

• Comply with Lithuanian and EU law including data protection, tax, and commercial regulations
• Respond to legal requests from law enforcement, courts, or regulatory authorities (when legally required)
• Prevent fraud and abuse including payment fraud, account sharing, and terms violations
• Enforce our Terms of Service including investigating violations
• Protect our legal rights in disputes or legal proceedings
• Conduct security monitoring to detect and prevent unauthorized access
• Investigate security incidents and data breaches

Legal basis:

• Legal obligation (Article 6(1)(c)) for compliance with laws, regulations, and valid legal orders
• Legitimate interest (Article 6(1)(f)) for fraud prevention, security, and enforcement of our rights

Data involved:

• Any personal data relevant to the legal obligation or security concern
• Account information
• Usage logs and technical data
• Payment information (for fraud prevention)
• Communications data (for abuse investigation)

Your rights: You cannot object to processing based on legal obligation. For processing based on legitimate interest (fraud prevention, security), you can object under Article 21, but we may refuse if we demonstrate compelling legitimate grounds.

4.6 Marketing and Communications (Legal Basis: Consent - Article 6(1)(a) OR Legitimate Interest - Article 6(1)(f))

What we do:

Service Communications (Legitimate Interest):

• Transactional emails: Account confirmations, password resets, payment receipts (necessary for the service)
• Important service updates: Changes to Terms of Service, Privacy Policy, or critical service announcements
• Security notifications: Suspicious activity, password changes, login from new device

Marketing Communications (Consent):

• Promotional emails: New features, special offers, product updates
• Educational content: Tips, tutorials, best practices for using PrismaScribe
• Surveys and feedback requests: Invitations to provide feedback or participate in research

Legal basis:

• Legitimate interest (Article 6(1)(f)) for service communications necessary to maintain the service relationship
• Consent (Article 6(1)(a)) for marketing and promotional emails

Your rights:

• Opt-out: You can unsubscribe from marketing emails at any time using the "unsubscribe" link in every marketing email
• Withdraw consent: You can withdraw consent for marketing communications at any time without affecting your ability to use the Service
• Cannot opt-out of service communications: Transactional and security emails are necessary to provide the Service safely

Data involved:

• Email address
• Name (for personalization)
• Service usage data (for targeted, relevant communications)
• Email interaction data (open rates, clicks - for improving email effectiveness)

5. International Data Transfers

5.1 Overview

Your data is primarily stored within the European Union using Cloudflare R2 storage infrastructure located in Western Europe (WEUR bucket). However, to provide our transcription, translation, and payment services, we work with certain trusted service providers that process data outside the European Economic Area (EEA).

We understand that international data transfers require special protection under GDPR, and we have implemented appropriate safeguards for all transfers to ensure your data receives the same level of protection as it would within the EU.

5.2 EU-US Data Transfers

For transfers to the United States, we rely on service providers that participate in recognized data protection frameworks:

EU-US Data Privacy Framework (DPF)

• Our authentication provider (Clerk) is certified under the EU-US Data Privacy Framework, which provides a legally recognized mechanism for transferring personal data from the EU to the United States
• The DPF requires participating companies to adhere to strict data protection principles and is subject to enforcement by the US Federal Trade Commission

Standard Contractual Clauses (SCCs)

• In addition to DPF certification, we use Standard Contractual Clauses (approved by the European Commission under GDPR Article 46(2)(c)) with US-based processors
• SCCs are legally binding contracts that impose EU data protection obligations on data processors outside the EEA

5.3 Other International Transfers

ElevenLabs Transcription Processing

• Primary processing locations: United States (default), European Union, India
• Data transferred: Audio/video files uploaded for transcription, file metadata
• Safeguards: Data Processing Agreement, Standard Contractual Clauses
• You can request EU-only processing by contacting us at hello@prismascribe.ai

Google Gemini API (Translation/Summarization)

• Processing locations: Global Google Cloud infrastructure
• Data transferred: Transcript text only (audio/video files are NOT sent to Google)
• Safeguards: Google Cloud Data Processing Addendum, Standard Contractual Clauses
• Data retention: 55 days for abuse monitoring purposes, then automatically deleted
• Training prohibition: Your data is NOT used to train Google's AI models (paid tier guarantee)

5.4 Legal Safeguards for International Transfers

All international data transfers are protected by one or more of the following legally recognized safeguards:

Additional Transfer Impact Assessments

• We conduct Transfer Impact Assessments (TIAs) to ensure that the laws and practices in destination countries do not undermine the protections provided by SCCs
• We continuously monitor legal developments (such as court decisions and regulatory guidance) that may affect the validity of our transfer mechanisms
• If a transfer mechanism becomes invalid, we will implement alternative safeguards or suspend transfers until adequate protection can be ensured

5.5 Your Rights Regarding International Transfers

You have the right to:

• Be informed about which of your data is transferred outside the EEA and to which countries
• Request copies of the safeguards we use (such as SCCs) by emailing hello@prismascribe.ai
• Object to transfers to specific countries if you have compelling legitimate grounds
• Request EU-only processing for transcription services (may affect service availability or pricing)

5.6 Third-Party Processor Details

The following table provides complete transparency about our data processors and international transfers:

Important Note on Cloudflare R2: Your primary data storage is in the EU. Files are stored in Cloudflare's Western Europe bucket and do not leave the EU for storage purposes.

6. Data Security

6.1 Security Measures Overview

Protecting your personal data is our highest priority. We implement industry-standard technical and organizational security measures to protect your data against unauthorized access, accidental loss, destruction, or damage.

Important Disclaimer: While we employ robust security measures, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security, but we continuously work to protect your data using best practices and industry standards.

6.2 Technical Security Measures

Encryption in Transit

• All data transmitted between your browser and our servers is encrypted using HTTPS with TLS 1.2 or higher
• API communications with third-party processors use encrypted channels
• Certificate pinning and secure protocols prevent man-in-the-middle attacks

Encryption at Rest

• All files stored in Cloudflare R2 are encrypted using AES-256-GCM encryption
• Encryption keys are managed separately from data and rotated regularly
• Database backups are encrypted using industry-standard encryption algorithms

Password Security

• Passwords are never stored in plain text
• Authentication is handled by Clerk, which uses industry-standard password hashing (bcrypt with high work factor)
• We support and encourage the use of strong, unique passwords and multi-factor authentication (MFA)

Secure Authentication

• Session tokens are cryptographically signed and expire after periods of inactivity
• OAuth 2.0 and OpenID Connect protocols for third-party authentication
• Rate limiting and anomaly detection to prevent brute-force attacks

Infrastructure Security

• Regular security patching and updates to all systems
• Network segmentation and firewall protection
• Intrusion detection and prevention systems (IDS/IPS)
• Distributed Denial of Service (DDoS) protection via Cloudflare

6.3 Organizational Security Measures

Access Controls

• Role-based access control (RBAC) ensuring employees have access only to data necessary for their roles
• Principle of least privilege applied across all systems
• Multi-factor authentication required for all administrative access
• Regular access reviews and immediate revocation upon employee departure

Employee Training and Awareness

• Mandatory data protection and security training for all employees
• Regular updates on GDPR requirements and privacy best practices
• Confidentiality agreements signed by all team members
• Clear incident response procedures and regular drills

Vendor Due Diligence

• Comprehensive security assessments before engaging third-party processors
• Regular reviews of processor security practices and compliance certifications
• Preference for processors with SOC 2, ISO 27001, or equivalent certifications
• Ongoing monitoring of security incidents and breach notifications from processors

Data Processing Agreements

• Legally binding Data Processing Agreements (DPAs) with all processors
• DPAs include security obligations, breach notification requirements, and audit rights
• Sub-processor approval and notification procedures
• Contractual liability for processor security failures

6.4 Data Breach Notification

We have established procedures to detect, respond to, and notify you of data breaches in compliance with GDPR Articles 33 and 34:

Notification to Supervisory Authority (Article 33)

• If we discover a personal data breach, we will notify the Lithuanian Data Protection Inspectorate within 72 hours of becoming aware of the breach (unless the breach is unlikely to result in a risk to your rights and freedoms)
• Notification includes: nature of the breach, categories and approximate number of affected individuals, likely consequences, and measures taken or proposed

Notification to Affected Individuals (Article 34)

• If a breach is likely to result in a high risk to your rights and freedoms, we will notify you directly without undue delay
• Notification will be clear and plain language, explaining: the nature of the breach, contact point for more information, likely consequences, and measures you can take to mitigate potential harm
• We will provide recommendations (such as password changes or fraud monitoring) where applicable

Breach Response Process

1. Detection: Continuous monitoring for security incidents
2. Containment: Immediate action to stop the breach and prevent further data loss
3. Assessment: Evaluation of scope, affected data, and risk level
4. Notification: Compliance with 72-hour notification deadline
5. Remediation: Fixing vulnerabilities and implementing preventive measures
6. Documentation: Comprehensive records of all breaches, responses, and lessons learned

6.5 Your Responsibilities for Account Security

While we implement strong security measures, account security is a shared responsibility:

Your Obligations

• Use strong, unique passwords: Avoid reusing passwords from other services
• Enable multi-factor authentication (MFA): Add an extra layer of security to your account
• Keep credentials confidential: Never share your password or session tokens
• Use secure devices: Ensure your devices have up-to-date security software
• Log out on shared devices: Always log out when using public or shared computers
• Report suspicious activity: Contact us immediately at hello@prismascribe.ai if you notice unauthorized access

What to Do If You Suspect Unauthorized Access

1. Change your password immediately
2. Review your account activity and recent transcriptions
3. Contact us at hello@prismascribe.ai with details
4. Consider enabling MFA if not already enabled
5. Review devices with active sessions and revoke unfamiliar sessions

6.6 Third-Party Processor Security

We rely on the security measures implemented by our trusted processors:

We continuously monitor our processors' security practices and incident reports. If a processor experiences a breach affecting your data, we will fulfill our notification obligations and work with the processor to mitigate harm.

7. Data Retention

7.1 Retention Principles

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce our agreements.

Our Retention Philosophy

• Purpose limitation: When data is no longer needed for its original purpose, it is deleted
• Storage minimization: We don't keep data "just in case" – retention periods are based on legitimate needs
• Transparent deletion: You can request deletion at any time (subject to legal exceptions)
• Automated deletion: Systems are configured to automatically delete data when retention periods expire

7.2 Retention Periods by Data Category

The following table specifies how long we retain different categories of personal data:

Third-Party Processor Retention

• ElevenLabs: Retains audio files for 2 years from upload date (per their data retention policy)
• Google Gemini API: Retains transcript text for 55 days for abuse monitoring, then automatically deletes (NOT used for training)
• Clerk: Retains authentication data until we request deletion following account closure
• Stripe: Retains payment data for 7 years to comply with financial regulations

7.3 Deletion Process

User-Initiated Deletion

• You can delete individual files, transcripts, or translations at any time from your dashboard
• Deletion is immediate from our primary storage (Cloudflare R2)
• We send deletion requests to processors within 24 hours (subject to their deletion timelines)
• Deleted data cannot be recovered – deletion is permanent

Account Deletion Process

When you delete your account:

1. Immediate: Account access is revoked; you cannot log in
2. Within 24 hours: Deletion requests sent to all processors (Clerk, Stripe for non-payment data)
3. Within 30 days: All user-generated content and uploaded files permanently deleted from Cloudflare R2
4. Payment data exception: Payment records retained for 7 years per Lithuanian tax law
5. Anonymization: Where deletion is not possible due to legal requirements, data is anonymized (stripped of identifiers)

How to Request Deletion

• Individual files: Use the delete button in your dashboard
• Account deletion: Contact hello@prismascribe.ai with subject "Account Deletion Request"
• Specific data categories: Email hello@prismascribe.ai specifying what you want deleted

7.4 Retention After Account Deletion

Grace Period for Free Tier Users

• Free tier accounts: 30-day grace period before permanent deletion
• During this period, you can reactivate your account by logging in
• After 30 days, all data is permanently deleted and cannot be recovered

Subscription Users

• Active subscriptions: Account deletion cancels subscription immediately (no refunds for unused time)
• You can request to download your data before deletion (see Section 8.5 on data portability)

What Is Deleted vs. Retained

7.5 Legal Holds and Exceptions

When We Cannot Delete Data

We may be unable to delete certain data if:

• Legal obligation: We are required by law to retain data (e.g., tax records for 7 years)
• Legal claims: Data is necessary for the establishment, exercise, or defense of legal claims
• Pending litigation: A court order or legal hold prevents deletion
• Fraud prevention: Data is needed to prevent fraudulent account recreation or abuse

Notification

If we cannot fulfill a deletion request due to a legal exception, we will:

1. Notify you within 30 days of your request
2. Explain the specific legal basis preventing deletion
3. Specify when the data will be deleted (if a retention period applies)
4. Restrict processing to the minimum necessary for the legal purpose

Anonymization Alternative: Where full deletion is not legally possible, we will anonymize your data by removing all personal identifiers, rendering it no longer "personal data" under GDPR.

8. Your GDPR Rights (Detailed)

Under the General Data Protection Regulation (GDPR), you have comprehensive rights regarding your personal data. This section explains each right in detail and how to exercise them.

8.1 Right of Access (Article 15)

What This Right Gives You

You have the right to obtain confirmation as to whether we are processing your personal data and, if so, to access that data along with specific information about the processing.

What We Will Provide

Upon request, we will provide:

• Confirmation of whether we process your personal data
• A copy of your personal data in a commonly used electronic format
• Information about: processing purposes, data categories, recipients, retention periods, your rights, the right to lodge a complaint, data sources (if not collected from you), and existence of automated decision-making

What Data You Can Access

• Account information (name, email, registration date)
• Uploaded files and generated content (transcripts, translations, summaries)
• Payment history and subscription details
• Technical logs related to your account (last 90 days)
• Communication history with our support team

How to Request Access

• Email hello@prismascribe.ai with subject line: "GDPR Access Request"
• Specify what data you want to access (or request "all personal data")
• We will respond within 30 days with your data package

Format of Data Provided

• Structured data (account info, metadata): JSON or CSV format
• Files and content: Original formats (e.g., MP3, TXT, PDF)
• Delivered via secure download link with 7-day expiration

8.2 Right to Rectification (Article 16)

What This Right Gives You

You have the right to have inaccurate personal data corrected and to have incomplete personal data completed.

What You Can Correct

• Account profile information (name, email address)
• Billing information (address, company name)
• Communication preferences
• Generated content (transcripts, translations) that you have edited

How to Update Your Data

• Self-service: Most data can be corrected directly in your account settings
• Email request: For data you cannot edit yourself, email hello@prismascribe.ai
• We will make corrections within 30 days and notify any third parties who received the incorrect data (if applicable)

Third-Party Data: If we have shared inaccurate data with processors (e.g., incorrect email to Clerk), we will notify them of the correction.

8.3 Right to Erasure / "Right to be Forgotten" (Article 17)

What This Right Gives You

You have the right to have your personal data deleted without undue delay under certain circumstances.

When You Can Request Erasure

• The data is no longer necessary for the purposes for which it was collected
• You withdraw consent (where consent was the legal basis for processing)
• You object to processing and there are no overriding legitimate grounds
• Your data has been unlawfully processed
• Erasure is necessary to comply with a legal obligation
• The data was collected in relation to the offer of information society services to a child

Exceptions – When We Cannot Delete

• Legal obligation: We must retain payment records for 7 years under Lithuanian tax law
• Legal claims: Data is necessary for defending or establishing legal claims
• Public interest: Processing is necessary for public health, archiving, scientific/historical research
• Ongoing contract: Data is necessary to fulfill our contract with you (e.g., active subscription)

How to Request Erasure

• Email hello@prismascribe.ai with subject: "Right to Erasure Request"
• Specify what data you want deleted (or request "complete account deletion")
• We will process your request within 30 days and confirm deletion

What Happens After Deletion

• Immediate access revocation
• Deletion from our systems within 30 days
• Deletion requests sent to all processors
• Payment records anonymized (identifiers removed) after 7 years

8.4 Right to Restrict Processing (Article 18)

What This Right Gives You

You have the right to restrict (limit) how we process your data in certain circumstances, rather than requesting full deletion.

When You Can Request Restriction

• You contest the accuracy of your data (restriction applies while we verify accuracy)
• Processing is unlawful, but you prefer restriction over deletion
• We no longer need the data, but you need it for legal claims
• You have objected to processing based on legitimate interests (restriction applies while we verify whether our legitimate grounds override yours)

What "Restriction" Means

• We store your data but do not actively process it (except with your consent)
• We can process restricted data for: storage, legal claims, protection of another person's rights, or important public interest reasons
• You will be informed before restriction is lifted

How to Request Restriction

• Email hello@prismascribe.ai with subject: "Right to Restrict Processing"
• Explain the reason for your request
• We will respond within 30 days and confirm restriction measures

Impact on Service: Restricting processing may limit or prevent your use of PrismaScribe services during the restriction period.

8.5 Right to Data Portability (Article 20)

What This Right Gives You

You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller.

What Data Is Portable

• Data you provided to us (not data we generated or derived)
• Data processed based on consent or contract (not legal obligation or legitimate interest)

Specifically Includes

• Account information (name, email, registration date)
• Uploaded files (audio/video files in original format)
• Transcripts you generated (TXT, JSON, or SRT format)
• Translation and summary outputs
• File metadata (upload dates, durations, language settings)

Format Options

• JSON: Structured data (account info, metadata)
• CSV: Tabular data (file lists, usage history)
• Original formats: Audio/video files, transcripts in TXT/SRT
• ZIP archive: All data packaged together for easy download

How to Request Data Portability

• Email hello@prismascribe.ai with subject: "Data Portability Request"
• Specify format preferences (or we will use default formats)
• We will provide a secure download link within 30 days
• Link expires after 7 days for security reasons

Direct Transmission: If technically feasible, we can transmit your data directly to another service provider you specify (requires compatible API).

8.6 Right to Object (Article 21)

What This Right Gives You

You have the right to object to processing of your personal data in certain situations.

When You Can Object

1. Processing Based on Legitimate Interests

• You can object to processing based on our legitimate interests (see Section 4.3)
• We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms

2. Direct Marketing

• You have an absolute right to object to processing for direct marketing purposes
• We will stop all marketing processing immediately upon objection
• Use the "Unsubscribe" link in marketing emails or email hello@prismascribe.ai

3. Profiling

• You can object to profiling related to direct marketing (we do not currently use profiling)

How to Object

• Marketing: Click "Unsubscribe" in any marketing email (immediate effect)
• Other processing: Email hello@prismascribe.ai with subject: "Right to Object"
• Explain your specific situation and grounds for objection
• We will respond within 30 days

Impact on Service: Objecting to certain processing may affect our ability to provide services (e.g., objecting to transcription processing means we cannot generate transcripts).

8.7 Rights Related to Automated Decision-Making and Profiling (Article 22)

What This Right Gives You

You have the right not to be subject to decisions based solely on automated processing (including profiling) that produce legal effects or similarly significantly affect you.

Our Current Practices

• We do NOT make automated decisions with legal or similarly significant effects
• AI transcription, translation, and summarization are tools you control, not automated decisions about you
• Subscription upgrades/downgrades require your explicit action
• We do not use automated creditworthiness assessments or algorithmic pricing

Transparency About AI Processing

• ElevenLabs AI transcribes audio (you review and edit output)
• Google Gemini AI translates/summarizes transcripts (you control when and whether to use these features)
• These are processing tools, not decision-making systems that affect your rights

If We Introduce Automated Decision-Making

Should we introduce automated decision-making in the future, we will:

1. Notify you and update this Privacy Policy
2. Obtain your explicit consent (where required)
3. Provide information about the logic involved
4. Give you the right to human intervention and to contest decisions

8.8 How to Exercise Your Rights

General Request Process

1. Submit Request

• Email: hello@prismascribe.ai
• Subject line: Specify the right you're exercising (e.g., "Right to Access Request")
• Include: Your registered email address, description of your request, any specific details

2. Identity Verification

• To protect your data, we must verify your identity before fulfilling requests
• We will ask you to confirm information from your account or send a verification email to your registered address
• For sensitive requests (e.g., full account deletion), we may require additional verification

3. Response Timeline

• 30 days: Standard response time from receipt of your request
• Extension: We may extend by an additional 60 days for complex requests (we will notify you within 30 days with reasons for the delay)
• No undue delay: We aim to respond as quickly as possible

4. Response Format

• Electronic format by default (email or secure download link)
• Paper format available upon request

Request Template

8.9 Right to Lodge a Complaint with Supervisory Authority

Your Right to Complain

If you believe we have violated your data protection rights, you have the right to lodge a complaint with a supervisory authority, particularly in the EU Member State of:

• Your habitual residence
• Your place of work
• The place of the alleged infringement

Lithuanian Data Protection Inspectorate (Our Lead Supervisory Authority)

Since PrismaScribe is established in Lithuania, our lead supervisory authority is:

Valstybinė duomenų apsaugos inspekcija (State Data Protection Inspectorate)

• Address: A. Juozapavičiaus g. 6, LT-09310 Vilnius, Lithuania
• Phone: +370 5 271 2804
• Email: ada@ada.lt
• Website: https://vdai.lrv.lt/
• Online complaint form: Available on website

How to File a Complaint

1. Try to resolve with us first: Contact hello@prismascribe.ai (not required, but often faster)
2. Prepare complaint: Document the issue, dates, communications, and your concerns
3. Submit to authority: Use online form or email/postal mail
4. Cooperate with investigation: Respond to any follow-up questions from the authority

Other EU Supervisory Authorities: You can also complain to the supervisory authority in your own EU country. Find your local authority at: https://edpb.europa.eu/about-edpb/about-edpb/members_en

Your Right Is Not Affected: Lodging a complaint does not affect your right to seek judicial remedies or compensation through civil courts.

8.10 No Fee for Exercising Your Rights

Free Exercise of Rights

You can exercise all of your GDPR rights free of charge. We will not charge fees for:

• Access requests
• Rectification requests
• Erasure requests
• Restriction requests
• Data portability requests
• Objection requests

Exception: Manifestly Unfounded or Excessive Requests

We may charge a reasonable fee or refuse to act on requests that are:

• Manifestly unfounded: Clearly made in bad faith or for harassing purposes
• Excessive: Repetitive requests for the same information within a short period without valid reason

If we determine a request is manifestly unfounded or excessive:

1. We will explain why we consider it so
2. We will give you an opportunity to justify the request
3. If we charge a fee, it will be reasonable and based on administrative costs
4. If we refuse the request, we will explain your right to complain to a supervisory authority

Reasonable Requests Are Always Free: Even if you make multiple requests over time for legitimate reasons (e.g., updating information, verifying compliance), these will always be free.

Questions About Your Rights?

If you have any questions about your GDPR rights or how to exercise them, please contact our Data Protection Team at hello@prismascribe.ai. We are here to help you understand and exercise your rights.

9. Cookies and Tracking Technologies

9.1 What Are Cookies

Cookies are small text files stored on your device (computer, tablet, or mobile phone) when you visit our website. They help us recognize your device, remember your preferences, and analyze how you use our services. Cookies enable essential functionality like keeping you logged in and help us improve your experience.

Similar technologies include local storage, session storage, and other browser-based storage mechanisms that serve comparable purposes.

9.2 Types of Cookies We Use

We use the following categories of cookies on PrismaScribe:

Essential/Strictly Necessary Cookies

These cookies are required for the basic operation of our platform. They enable core functionality such as:

• Authentication and session management (via Clerk)
• Security features and fraud prevention
• Load balancing and service delivery
• Cookie consent preferences

You cannot opt out of essential cookies as they are necessary for the platform to function. Without these cookies, services you have requested (such as accessing your account) cannot be provided.

Analytics Cookies

These cookies help us understand how visitors interact with our website by collecting and reporting information anonymously:

• Google Analytics: Tracks page views, user behavior, traffic sources, and performance metrics
• Purpose: Improve user experience, identify technical issues, understand feature usage

Functional Cookies

These cookies enable enhanced functionality and personalization:

• User preferences: Language settings, UI preferences
• Feature settings: Transcript display options, playback preferences
• Accessibility settings: Text size, contrast preferences

You may disable functional cookies, but this may affect certain features and your overall experience.

Cookies We Do NOT Use

We currently do NOT use:

• Advertising/Marketing cookies: No tracking for targeted advertising
• Social media cookies: No social media platform integrations that set cookies
• Cross-site tracking cookies: No tracking across other websites

9.3 Cookie Details Table

Note: Cookie names and durations may be updated by third-party providers. For the most current information about Clerk cookies, see Clerk's Cookie Policy.

9.4 Your Cookie Choices

You have several options to control cookies on PrismaScribe:

Browser Settings

All modern browsers allow you to manage cookie preferences:

• Chrome: Settings > Privacy and Security > Cookies and other site data
• Firefox: Settings > Privacy & Security > Cookies and Site Data
• Safari: Preferences > Privacy > Cookies and website data
• Edge: Settings > Cookies and site permissions > Cookies and site data

You can:

• Block all cookies (may prevent login and essential features)
• Block third-party cookies only (blocks Google Analytics but preserves core functionality)
• Delete existing cookies
• Set cookies to expire when you close your browser

Impact of Blocking Cookies:

• Essential cookies blocked: You will not be able to log in or use the platform
• Analytics cookies blocked: No impact on functionality; we simply cannot track usage patterns
• Functional cookies blocked: Some personalization features may not work; settings may not persist

Google Analytics Opt-Out

Google provides a browser add-on to opt out of Google Analytics tracking across all websites:

• Download: Google Analytics Opt-Out Browser Add-On
• Effect: Prevents Google Analytics JavaScript from sharing information about your visit
• Compatibility: Available for Chrome, Firefox, Safari, Edge, Opera

9.5 Do Not Track (DNT) Signals

Some browsers offer a "Do Not Track" (DNT) signal that can be sent to websites you visit. However:

• There is no universal standard for interpreting or responding to DNT signals
• Different browsers implement DNT differently
• Many websites do not recognize or honor DNT signals

Our Position: We currently do not respond to DNT signals due to the lack of industry consensus and technical standards. However, we respect your privacy choices through:

• Browser cookie controls (Section 9.4)
• Google Analytics opt-out (Section 9.4)

We monitor developments in DNT standards and will update our practices if universal standards are established.

9.6 Local Storage and Similar Technologies

In addition to cookies, we use HTML5 local storage and session storage for:

• Cookie consent preferences: Stores your consent choices locally
• Temporary session data: Improves performance by caching non-sensitive data
• UI state: Remembers expanded/collapsed sections, active tabs
• Draft content: Temporarily saves unsaved work (automatically cleared)

Data Stored:

• Local storage data remains until explicitly deleted
• Session storage data is cleared when you close your browser tab
• No personal data is stored in local storage without your consent

Managing Local Storage:

• Most browsers allow you to clear local storage via privacy settings
• Clearing local storage may reset your preferences and unsaved work
• Essential functionality does not depend on local storage

10. Third-Party Services and Links

10.1 Third-Party Services Overview

PrismaScribe integrates with carefully selected third-party service providers to deliver our AI-powered transcription platform. These providers are data processors who process personal data on our behalf under strict contractual terms.

Important Distinction:

• We remain the data controller: We determine purposes and means of processing your personal data
• Third parties are data processors: They process data according to our instructions and contractual obligations
• Data Processing Agreements (DPAs): We have executed GDPR-compliant DPAs with all processors (see Section 5)

We do not sell, rent, or share your personal data with third parties for their own marketing purposes.

10.2 Our Data Processors

As detailed in Section 5 (International Data Transfers), we work with the following processors:

Authentication and User Management

• Clerk: User authentication, session management, identity verification
• Data processed: Name, email, authentication credentials, session data
• Location: United States (Standard Contractual Clauses in place)

Payment Processing

• Stripe: Payment processing, subscription management, billing
• Data processed: Payment information, billing address, transaction history
• Location: United States (Standard Contractual Clauses in place)

AI Services

• ElevenLabs: AI voice generation for read-aloud features
• Data processed: Selected transcript text (not entire transcripts unless user-initiated)
• Location: United States (Standard Contractual Clauses in place)

• Google Gemini: AI-powered transcription and language processing
• Data processed: Audio files, transcripts, user prompts
• Location: United States (Google's data processing terms apply)

Storage Infrastructure

• Cloudflare R2: Object storage for audio files and transcripts
• Data processed: Uploaded audio files, generated transcripts, user content
• Location: Europe (EU data residency configured)

Analytics

• Google Analytics: Website usage analytics
• Data processed: IP addresses (anonymized), page views, user behavior, device information
• Location: United States (Google's privacy framework applies)

Processor Oversight: We conduct due diligence on all processors to ensure:

• GDPR compliance and appropriate technical/organizational measures
• Data Processing Agreements with GDPR-compliant terms
• Standard Contractual Clauses for international transfers
• Regular security assessments and compliance audits
• Commitment to data protection principles

10.3 Third-Party Terms and Policies

Each processor has its own terms of service and privacy policy governing their services. We encourage you to review these policies to understand how they handle data:

Our Obligations:

• We ensure all processors meet GDPR requirements before engagement
• We regularly review processor compliance and security practices
• We update this policy when processors change their terms materially
• We maintain copies of all executed DPAs (available upon request)

Your Rights: Your GDPR rights (Section 8) apply to data processed by our processors. We will facilitate the exercise of your rights, including coordinating with processors as necessary.

10.4 External Links

Our website and platform may contain links to third-party websites, resources, or services that are not operated by PrismaScribe. For example:

• Links to processor privacy policies (above)
• Links to industry resources or educational content
• Links to user-submitted content hosted elsewhere
• Links to regulatory authorities

We Are Not Responsible For:

• Privacy practices of third-party websites
• Content, accuracy, or availability of external sites
• Terms of service or policies of linked websites
• Security of data you provide to third-party sites

Recommendation: Before providing personal data to any third-party website, review their privacy policy and terms of service. We cannot control or be held responsible for third-party privacy practices.

Click Awareness: When you click an external link, you are leaving the PrismaScribe platform and are subject to the privacy and security policies of the destination website.

10.5 No Endorsement

The inclusion of third-party processors in this policy, or links to third-party websites, does not constitute:

• Endorsement of their other products or services
• Warranty or guarantee of their performance
• Liability for their actions or data practices
• Partnership or affiliation beyond the specific services described

We select processors based solely on their ability to meet our technical requirements and GDPR compliance standards for the specific services we use.

10.6 Changes to Processors

Adding or Changing Processors:

• We may add new processors or change existing ones as business needs evolve
• Before engaging a new processor, we conduct full due diligence and execute appropriate DPAs
• We will update this Privacy Policy (Section 11) when processors change

Notification of Material Changes:

• If we change a core processor (authentication, payment, AI transcription), we will notify you via email
• You will have the right to object (see Section 8.6)
• If you object and we cannot accommodate your objection, you may delete your account

Sub-Processors: Some processors may use their own sub-processors (e.g., Stripe uses banking partners). We ensure:

• Processors impose the same data protection obligations on sub-processors
• Appropriate DPAs exist throughout the processing chain
• We maintain a list of material sub-processors (available upon request)

Current Sub-Processor List: You may request a current list of all processors and sub-processors by emailing hello@prismascribe.ai.

11. Changes to This Privacy Policy

11.1 Right to Modify

We reserve the right to update, modify, or replace this Privacy Policy at any time to reflect:

• Changes to our data processing practices
• New features or services we offer
• Changes in legal or regulatory requirements
• Updates to third-party processors or technologies
• Improved clarity or transparency in our explanations
• User feedback or privacy best practices

All changes will be made in compliance with GDPR transparency requirements and your rights as a data subject.

11.2 Notification of Changes

We categorize changes as either material or non-material and notify you accordingly:

Material Changes (Significant Impact on Your Rights)

For material changes that significantly affect your privacy rights or how we process your data:

1. Email notification to your registered email address
2. Prominent notice on our website and platform dashboard
3. 30-day advance notice before the changes take effect
4. Highlight of specific changes in the notification
5. Right to review old and new policy versions side-by-side

You will be notified at least 30 days before material changes take effect.

Non-Material Changes (Clarifications and Minor Updates)

For non-material changes that do not affect your rights:

1. Updated "Last Updated" date at the top and bottom of this policy
2. No email notification required
3. Immediate effect (no waiting period)
4. Changelog available upon request

Non-material changes take effect immediately upon posting.

11.3 Material vs. Non-Material Changes

To help you understand what constitutes a material change:

Material Changes Include:

• New data collection: Collecting new categories of personal data
• New processors: Adding third-party processors who handle your personal data
• Changes to international transfers: Transferring data to new countries or regions
• Changes to legal bases: Changing the legal basis for processing (e.g., consent to legitimate interest)
• Reduced retention periods: Keeping data for longer than previously stated
• New data uses: Using your data for purposes not previously disclosed
• Changes to your rights: Any reduction or limitation of your GDPR rights
• Security incidents: Significant changes to security practices following an incident

Non-Material Changes Include:

• Contact information updates: Changes to email addresses or postal addresses
• Clarifications: Rewording for clarity without changing meaning
• Formatting improvements: Better organization or readability
• Typo corrections: Fixing grammatical or spelling errors
• Link updates: Updating URLs to third-party policies (if content remains similar)
• Legal citations: Adding references to specific GDPR articles for clarity
• Example additions: Adding examples to clarify existing practices

Uncertain? If you're unsure whether a change is material, we will err on the side of treating it as material and providing full notice.

11.4 Acceptance of Changes

How Acceptance Works:

For Material Changes:

1. You will receive notification 30 days before changes take effect
2. During this 30-day period, the current policy remains in effect
3. After 30 days, continued use of PrismaScribe constitutes acceptance of the new policy
4. If you do not accept the changes, you may:
   • Stop using the service before changes take effect
   • Delete your account (see Section 8.4)
   • Exercise your right to object (see Section 8.6)

For Non-Material Changes:

• Changes take effect immediately upon posting
• Continued use constitutes acceptance

Your Options if You Disagree:

If you do not agree with material changes to this Privacy Policy:

1. Contact us (Section 12) within 30 days to discuss your concerns
2. Object to the changes (we will evaluate if we can accommodate your objection)
3. Export your data (see Section 8.3) before the changes take effect
4. Delete your account (see Section 8.4) to prevent processing under the new terms

Important: If you delete your account:

• We will process the deletion under the current policy (not the new one)
• You may lose access to paid subscription benefits without refund
• Deletion is permanent and cannot be reversed

We respect your right to withdraw consent and will make the process as clear and straightforward as possible.

11.5 Version History

Maintaining Policy Archives:

• We maintain an archive of all previous versions of this Privacy Policy
• Each version includes the date it was effective and the date it was replaced
• Version history is available upon request

Requesting Previous Versions:

• Email hello@prismascribe.ai with "Privacy Policy Version History Request"
• Specify the date range or version you're interested in
• We will provide previous versions within 7 business days

Changelog Documentation:

• We maintain an internal changelog documenting all changes between versions
• Summary of material changes is available upon request
• Detailed comparison between any two versions available upon request

Why Version History Matters:

• Allows you to understand how our practices have evolved
• Supports accountability and regulatory compliance
• Enables you to verify what policy was in effect at a specific time
• Useful for auditing or legal purposes

11.6 Effective Date of Changes

Timing of Effect:

Material Changes:

• Effective date is 30 days after notification is sent
• Example: Notification sent January 1st → Effective February 1st
• During the 30-day period, the current policy governs all processing
• After 30 days, new policy applies to all processing (past and future)

Non-Material Changes:

• Effective immediately upon posting
• "Last Updated" date at bottom of policy reflects posting date

Notification Date:

• For email notifications, the "notification date" is when we send the email
• Considered delivered within 24 hours of sending
• We will not change effective dates without additional notice

Retroactive Application:

• New policies apply to all data we hold, not just newly collected data
• Exception: If a change would violate your original consent, we will seek new consent
• You may object to processing under new terms (see Section 8.6)

Special Circumstances:

• Urgent security changes: May take effect immediately with post-implementation notice
• Legal requirement changes: May take effect when required by law, with immediate notice
• Processor changes: Take effect when new processor is engaged, with advance notice if possible

12. Contact Us

We are committed to addressing your privacy questions, concerns, and data subject rights requests promptly and transparently. Please use the following contact information:

12.1 General Privacy Inquiries

For questions about this Privacy Policy, our data practices, or privacy concerns:

Email: hello@prismascribe.ai

Subject Line: "Privacy Inquiry"

Appropriate for:

• Questions about how we collect or use your data
• Clarification on any section of this Privacy Policy
• General privacy or security questions
• Feedback on our privacy practices

12.2 Data Subject Rights Requests

To exercise your GDPR rights (see Section 8), including access, rectification, deletion, portability, restriction, or objection:

Email: hello@prismascribe.ai

Subject Line: "GDPR Rights Request - [Specific Right]"

Required Information (see Section 8.8 for detailed instructions):

• Your full name and registered email address
• Specific right(s) you wish to exercise
• Account details to verify your identity
• Any additional information relevant to your request

12.3 Data Protection Concerns or Complaints

If you have concerns about how we handle your personal data or wish to file a privacy complaint:

Email: hello@prismascribe.ai

Subject Line: "Data Protection Concern"

We take all complaints seriously and will:

1. Acknowledge receipt within 2 business days
2. Investigate the matter thoroughly
3. Respond with our findings and any remedial action within 30 days
4. Escalate to senior management if necessary

Informal Resolution: We encourage you to contact us first so we can attempt to resolve your concern directly.

12.4 Postal Address

For formal written correspondence, legal notices, or if you prefer postal communication:

Fuerte vision, MB

Data Protection Team

Ašmenėlės g. 102C, LT-11330 Vilnius, Lithuania

When to Use Postal Mail:

• Formal legal notices or demands
• Situations requiring certified mail or proof of delivery
• If you prefer written correspondence to email
• Submitting supporting documentation for rights requests

Note: Postal mail responses may take longer than email responses (up to 14 additional days for processing and reply delivery).

12.5 Response Time Commitments

We are committed to timely responses:

Acknowledgment:

• 2 business days for initial acknowledgment of receipt
• Confirms we received your inquiry and are reviewing it
• Provides reference number for tracking

Substantive Response:

• 30 calendar days for substantive response to GDPR rights requests (as required by GDPR Article 12)
• 14 business days for general privacy inquiries
• 7 business days for urgent security concerns

Extensions:

• For complex requests, we may extend response time by an additional 60 days (GDPR Article 12)
• We will inform you of any extension within the original 30-day period
• We will explain the reason for the delay

Business Days: Monday through Friday, excluding Lithuanian public holidays.

12.6 Supervisory Authority

If you are not satisfied with our response to your privacy concern or GDPR rights request, you have the right to lodge a complaint with the relevant supervisory authority.

For Lithuanian Residents or EEA Data Subjects:

State Data Protection Inspectorate (Valstybinė duomenų apsaugos inspekcija)

• Website: https://vdai.lrv.lt/
• Email: ada@ada.lt
• Phone: +370 5 271 2804
• Address: L. Sapiegos g. 17, LT-10312 Vilnius, Lithuania

For Other Jurisdictions:

• UK residents: Information Commissioner's Office (ICO) - https://ico.org.uk/
• Other EEA residents: Your local data protection authority - https://edpb.europa.eu/about-edpb/board/members_en

Your Right to Complain:

• You may lodge a complaint at any time, even while we are addressing your concern
• We encourage you to contact us first for faster resolution
• Lodging a complaint does not affect your legal rights or remedies

See Section 8.9 for additional information about supervisory authorities and complaint procedures.

12.7 Last Updated

This Privacy Policy was last updated on: January 21, 2026

Document Version: 1.0 (Initial Release)

12.8 Policy Review Schedule

We review this Privacy Policy:

• Annually as part of our compliance audit cycle
• Quarterly for processor and technology changes
• Immediately when legal requirements change
• As needed based on user feedback or privacy incidents