Privacy Policy

Last updated:

This Privacy Policy explains how Subbix collects, uses, stores, and protects your personal data when you use our AI-powered transcription platform. We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR) and the Google API Services User Data Policy.

1. Data Controller

The personal data collected on Subbix is processed by:

Dany Vanmuylder

Freelance

Belgium

Email: support@subbix.io

For any questions about this privacy policy or to exercise your rights, please contact us at the email address above.

2. Google Sign-In Data

When you choose to sign in with Google, we access the following data from your Google account:

Data Accessed:

  • Email address - Used to create and identify your account
  • Profile information (name, profile picture) - Used to personalize your experience

How We Use Google Data:

  • Account creation and authentication
  • Display your name and profile picture in the application
  • Send service-related emails (transcription completed, quota warnings)

Scope Limitations:

We only request the minimum necessary permissions (email and basic profile). We do not access your Google Drive, Gmail, Calendar, or any other Google services.

Data Retention:

Your Google account data (email, name, profile picture) is retained until you delete your Subbix account. You can disconnect your Google account at any time from your account settings.

Data Sharing:

Your Google account data is never sold or shared with third parties for advertising or marketing purposes. It is only used within our platform for the purposes described above.

3. Data We Collect

We collect the following types of personal data:

Account Data

  • Email address (from Google Sign-In or email/password registration)
  • Full name (from Google profile or user-provided)
  • Profile picture (from Google profile, optional)
  • Encrypted password (for email/password accounts only, never stored in plain text)

Media Files

  • Video and audio files you upload for transcription
  • File name, file size, duration, media type (video/audio)

⚠️ Media files are automatically deleted from our servers 24 hours after upload

Transcription Data

  • Raw transcript generated by AI
  • Enhanced transcript corrected by AI
  • Your manually edited version of the transcript
  • Timestamps, confidence scores, word-level data

Usage Data

  • Minutes of transcription used per month
  • Processing logs (transcription start/end times, status)
  • Error messages for troubleshooting

Payment Data

  • Payment information is processed by Stripe (our payment provider)
  • We only store: Stripe Customer ID, Subscription ID, plan type
  • We never store credit card numbers or full payment details

4. How We Use Your Data

We process your personal data for the following purposes:

Authentication & Account Management

  • Create and manage your account
  • Authenticate your identity
  • Enable Google Sign-In
  • Password reset (email/password accounts)

Service Delivery

  • Process your video/audio files for transcription
  • Generate transcripts using AI models
  • Store transcripts for your access
  • Enable transcript editing and export

Billing & Quota Management

  • Track your monthly usage quota
  • Process subscription payments via Stripe
  • Send invoices and payment receipts
  • Manage plan upgrades/downgrades

Service Communications

  • Send transcription completion notifications
  • Alert you when approaching quota limits
  • Notify you of service updates or issues
  • Respond to your support requests

Service Improvement

  • Analyze usage patterns to improve our service
  • Debug errors and fix technical issues
  • Optimize transcription accuracy
  • Monitor system performance

Legal Basis (GDPR)

  • Contract: Processing necessary to provide our service (transcription)
  • Consent: Google Sign-In, optional marketing emails
  • Legitimate Interest: Service improvement, fraud prevention, security

5. Data Sharing & Third Parties

We share your data with the following third-party service providers:

Supabase (PostgreSQL Database, Authentication, File Storage)

Purpose: Store account data, transcripts, and media files

Location: EU and USA servers

Security: SOC 2 Type II certified, GDPR compliant

Stripe (Payment Processing)

Purpose: Process subscription payments and manage billing

Location: USA (PCI-DSS Level 1 certified)

Security: Industry-leading payment security, GDPR compliant

Replicate API (AI Services)

Purpose: Process video/audio files for transcription and transcript enhancement

Data Shared: Your uploaded media files and transcripts are sent to Replicate's AI models

Retention: Replicate does not retain your data after processing

Location: USA

We Never Sell Your Data

We do not sell, rent, or trade your personal data to third parties for advertising or marketing purposes.

Legal Disclosures

We may disclose your data if required by law, court order, or to protect our rights, property, or safety.

6. Data Storage & Security

We implement industry-standard security measures to protect your data:

Encryption

  • All data transmitted between your device and our servers is encrypted using HTTPS/TLS 1.3
  • Data at rest (database, file storage) is encrypted using AES-256 encryption

Secure Authentication

  • JWT tokens with secure signing algorithms
  • OAuth 2.0 with PKCE for Google Sign-In
  • Passwords are hashed using bcrypt (never stored in plain text)

Access Controls

  • Row-Level Security (RLS) ensures users can only access their own data
  • Principle of least privilege for database and API access
  • Regular security audits and dependency updates

Infrastructure Security

  • Hosted on Vercel (SOC 2 certified) and Supabase (SOC 2 certified)
  • Real-time monitoring and alerting for security incidents
  • Daily automated backups with 7-day retention

While we implement strong security measures, no system is 100% secure. Please use a strong, unique password and enable two-factor authentication when available.

7. Data Retention

We retain your data for different periods depending on the type:

Media Files (Video/Audio)

24 hours after upload

Automatically deleted from our storage to save costs and protect your privacy

Transcripts

Retained indefinitely until you delete them

You can delete individual transcripts or your entire account at any time

Account Data

Retained until you delete your account

Upon account deletion, all your data (transcripts, usage logs) is permanently deleted within 30 days

Usage Logs

1 year

Retained for billing, support, and regulatory compliance purposes

Backups

7 days

Automated backups are retained for disaster recovery, then permanently deleted

8. Your Rights (GDPR)

Under the GDPR, you have the following rights regarding your personal data:

Right to Access

Request a copy of all personal data we hold about you

Right to Rectification

Correct inaccurate or incomplete personal data

Right to Erasure ('Right to be Forgotten')

Request deletion of your personal data (account deletion)

Right to Data Portability

Receive your data in a structured, machine-readable format (JSON export)

Right to Restriction of Processing

Limit how we use your data in certain circumstances

Right to Object

Object to processing based on legitimate interest or direct marketing

Right to Withdraw Consent

Withdraw consent for data processing (e.g., disconnect Google Sign-In)

Right to Lodge a Complaint

File a complaint with your national data protection authority if you believe your rights have been violated

How to Exercise Your Rights

  • Email us at support@subbix.io with your request
  • We will respond within 30 days (GDPR requirement)
  • We may request identity verification to prevent unauthorized access

9. Cross-Border Data Transfers

Your data may be processed in countries outside the European Economic Area (EEA):

EU Servers

Provider: Supabase (primary database and storage)

Data primarily stored in EU data centers

USA Servers

Providers: Stripe (payments), Replicate (AI processing), Vercel (hosting)

Safeguards: These providers comply with GDPR through Standard Contractual Clauses (SCCs) and adequate security measures

Adequacy Decisions

We only transfer data to countries with adequate data protection standards or use approved safeguards (SCCs, Privacy Shield frameworks where applicable).

10. Cookies & Tracking

We use cookies for essential functionality only:

Authentication Cookies

Purpose: Maintain your login session

Duration: Session-based (deleted when you close your browser)

Strictly necessary for the service to function

Preference Cookies

Purpose: Remember your language preference

Duration: 1 year

Optional but improve user experience

No Tracking or Advertising Cookies

We do not use cookies for advertising, analytics, or third-party tracking. We respect your privacy.

11. Children's Privacy

Our service is not intended for children under 16 years old.

We do not knowingly collect personal data from children under 16. If you believe we have inadvertently collected data from a child, please contact us immediately at support@subbix.io, and we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements.

How We Notify You:

  • Material changes will be communicated via email
  • Updated policy will be posted on this page with a new 'Last Updated' date
  • Continued use of our service after changes indicates acceptance of the updated policy

We recommend reviewing this policy periodically to stay informed about how we protect your data.

13. Contact Us

For any questions, concerns, or requests regarding this Privacy Policy or your personal data:

Contact Information

  • Email: support@subbix.io
  • We will respond to all inquiries within 30 days
  • Data Protection Officer: Dany Vanmuylder

Supervisory Authority (Belgium)

Data Protection Authority (Gegevensbeschermingsautoriteit / Autorité de protection des données)

https://www.autoriteprotectiondonnees.be/

You have the right to lodge a complaint with this authority if you believe your data protection rights have been violated.
