Privacy Policy – Website
Last updated: 18 May 2026
This is a translation provided for convenience. In case of discrepancies, the German version prevails.
Scope: This policy describes the data processing on the public marketing website deepscript.com including the free tool, cookies and the Google-based reach measurement (only after explicit consent). For the data processing in the logged-in area of the app (account, transcription, billing, support) the separate app privacy policy applies – it works without Google and without tracking.
1. Controller
The controller responsible for the processing of personal data within the meaning of the General Data Protection Regulation (GDPR) and other data protection provisions is:
Aliru GmbH
Julius-Hatry-Straße 1
68163 Mannheim
Germany
Managing Director: Julian Kissel
Phone: +49 621 49088670
Email: datenschutz@deepscript.com
We operate the transcription service under the DeepScript brand (hereinafter also “the service” or “the platform”). This privacy policy applies to the website deepscript.com (including all subdomains) and the associated interfaces (REST API, MCP server).
2. Data protection officer
We are currently not legally required to appoint a data protection officer (Art. 37 GDPR in conjunction with § 38 BDSG). For all data protection matters, please contact: datenschutz@deepscript.com.
3. General principles
Personal data is any information relating to an identified or identifiable natural person (Art. 4 No. 1 GDPR). We process your data exclusively on the basis of the statutory provisions (GDPR, BDSG, TDDDG). In this policy we inform you about the nature, scope and purpose of the processing within the scope of our offering.
The legal bases relied upon for the processing are in particular:
- Art. 6(1)(a) GDPR – consent (e.g. express waiver of the right of withdrawal for the Pro subscription).
- Art. 6(1)(b) GDPR – performance of a contract and pre-contractual measures (creating an account, transcription, billing).
- Art. 6(1)(c) GDPR – legal obligation (in particular commercial and tax retention obligations pursuant to § 257 HGB, § 147 AO).
- Art. 6(1)(f) GDPR – legitimate interest (security, abuse prevention, server logs, audit logs).
4. Processing when accessing the website (server logs)
When you access deepscript.com, our reverse proxy (Caddy) automatically collects the following information transmitted by your device's browser:
- IP address (truncated or pseudonymised)
- Date and time of access (UTC)
- Requested URL / HTTP method / response status code
- Referrer URL (if the browser sends one)
- User agent identifier (browser and operating system type)
This data is stored for a maximum of 14 days for security and stability purposes (detection and prevention of attacks, error analysis) and is then automatically deleted. The data is not merged with other data sources, nor is any profiling carried out.
Legal basis: Art. 6(1)(f) GDPR – legitimate interest in secure and stable operation.
5. Registration and account
To use the service (beyond the first three free transcriptions) you must create an account. We process:
- Name (freely chosen / display name)
- Email address (verified)
- Password (stored exclusively as a bcrypt hash, never in plain text)
- Optional: company name, billing address, VAT ID (for B2B invoices)
- With two-factor authentication enabled: encrypted TOTP secret + encrypted backup codes
- Language setting, preferred appearance (theme), data retention setting
Legal basis: Art. 6(1)(b) GDPR – performance of a contract. Without this information we cannot grant access to the service.
Retention period: until you delete the account. You can delete your account at any time in the settings – all associated data (except the accounting records to be retained by law as set out below) is then removed immediately and completely.
6. Sign-in via third-party providers (OAuth)
Optionally, you can sign in via the OAuth procedures of Google or Microsoft. In this case only the profile information required to create the account (name, email address, profile picture URL) is transmitted. We do not receive access to any other content of your Google or Microsoft account.
The respective OAuth provider (Google Ireland Limited or Microsoft Ireland Operations Limited) is a separate controller within the meaning of the GDPR for the processing during the sign-in process. You can find the privacy policies at:
Legal basis: Art. 6(1)(b) GDPR.
7. Audio/video uploads and transcriptions
The core of our service is converting audio or video files into text. In doing so we process:
- The uploaded file (audio/video)
- Metadata (file name, size, duration, MIME type, selected model, selected language)
- The transcription result (text, word timestamps, speaker assignment, detected language)
- Optional custom vocabulary you have provided
The processing runs entirely on our own server infrastructure at Hetzner Online GmbH in Germany. The audio/video file is at no point passed on to external speech-processing services (e.g. OpenAI, Google, AWS).
Retention period: Without an active Pro subscription we automatically delete transcriptions and the underlying audio files 30 days after creation. With a Pro subscription we store the data permanently until your cancellation or express deletion. You can delete any transcription manually at any time.
No use for AI training: We never use your audio/video data and the transcriptions to train or improve our models or those of third parties. The processing is carried out exclusively for the purpose of the contractually agreed transcription service.
Legal basis: Art. 6(1)(b) GDPR. For business customers who have personal data of third parties processed (e.g. recordings of interviews), we conclude a data processing agreement under Art. 28 GDPR on request; see Trust Center.
8. Free tool / guest transcriptions
At /free-transcription we offer a free transcription option without registration. In the process, an anonymous session token (random string) is set in your browser as an HttpOnly cookie to allow you to access the result until completion.
No personal data is collected from you. The file and result are automatically deleted after 24 hours, unless you create an account in the meantime and assign the transcription to your account.
Legal basis: Art. 6(1)(b) GDPR (pre-contractual measure).
9. Payment processing (Stripe)
For processing balance top-ups (pay-per-use) and the Pro subscription we use the service provider Stripe. When you access the Stripe checkout page or the customer portal, you are redirected to a Stripe-owned interface; you enter payment data (card, bank, wallet data) exclusively directly with Stripe, and it is at no point transmitted to us or stored by us.
We receive the following information back from Stripe:
- Stripe customer ID (pseudonym)
- Status of the payment / subscription
- Billing address + VAT ID where applicable (if provided at checkout)
- For the Pro subscription: contract start, next billing date, cancellation status
The Stripe provider in the EU is Stripe Payments Europe Limited, 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland. Stripe is a separate controller for payment processing; you can find the privacy policy at stripe.com/de/privacy. A data transfer to the USA takes place in the context of individual payment transactions on the basis of Stripe's certification under the EU-US Data Privacy Framework as well as on the basis of the EU standard contractual clauses.
Legal basis: Art. 6(1)(b) GDPR (performance of a contract) and Art. 6(1)(c) GDPR (retention of invoice records pursuant to § 147 AO, 10 years).
10. Email dispatch
For transactional emails (registration confirmation, password reset, notifications, invoices) we use Microsoft Graph of Microsoft Ireland Operations Limited (One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland) via a shared mailbox access. The emails are sent via Microsoft 365 infrastructure in the EU.
Legal basis: Art. 6(1)(b) GDPR (performance of a contract) or Art. 6(1)(f) GDPR (legitimate interest in proper dispatch).
11. Support tickets
When you open a support ticket, we process the subject, description, category, priority, where applicable the reference to a transcription, and the subsequent message history. The data is used exclusively to handle your request and remains linked to the account until you delete the ticket or the account.
Legal basis: Art. 6(1)(b) GDPR.
12. Security/audit log
We log security-relevant events in your account (login, logout, change of the 2FA configuration, creation/revocation of API keys, data exports, account deletion) together with the IP address and user agent. These logs serve solely to make account access traceable and can be viewed by you at any time in the settings.
Legal basis: Art. 6(1)(f) GDPR – legitimate interest in the traceability and security of account access.
13. Cookies and comparable technologies
We use exclusively technically necessary cookies or local storage entries:
| Name | Purpose | Retention period |
|---|---|---|
| authjs.session-token | Auth session (NextAuth) | 30 days / until logout |
| authjs.csrf-token | CSRF protection | Session |
| ds_guest_session | Anonymous token for /free-transcription | 24 hours |
| ds_cookie_consent | Stores acknowledgement of the cookie banner | 12 months (local storage) |
| ds_locale | Preferred language (UI) | 12 months (local storage) |
We set no marketing or profiling cookies and use no Meta Pixel, Hotjar, Mixpanel or similar. For the cookies listed above, consent within the meaning of § 25(2) TDDDG is not required because they are technically necessary.
Optional – Google Tag Manager / Google Analytics 4
On deepscript.com (production environment) we use the Google Tag Manager (container ID GTM-WJVPJMDT) after your explicit consent. The Tag Manager loads Google Analytics 4 (GA4) to evaluate usage anonymously (page views, click paths, technical stability). Activation occurs exclusively after clicking “Accept” in the cookie banner. Before that, no connection to Google takes place.
Upon acceptance, the following cookies are set by Google (examples; the exact list depends on the tags active in the Tag Manager):
- _ga, _ga_* – pseudonymous device ID, retention 24 months
- _gid – pseudonymous session ID, retention 24 hours
- _gat – throttles the request rate against Google servers, retention 1 minute
Legal basis: Art. 6(1)(a) GDPR (consent) in conjunction with § 25(1) TDDDG. Recipient: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (EU contractual partner); subsidiary data transfer to Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Basis of the third-country transfer: standard contractual clauses pursuant to Art. 46(2)(c) GDPR as well as Google's certification under the EU-US Data Privacy Framework.
Withdrawal of consent: possible at any time via the “Cookie settings” link in the footer. After withdrawal, no new data points are transferred to Google; data already collected at Google in the ongoing browser session remains subject to Google's own retention policies (default: 14 months). On dev.deepscript.com the Google Tag Manager is not active at all – the container is deliberately not embedded in the build process.
14. Marketing attribution & conversion measurement
So that we can measure the effectiveness of our own paid marketing channels (in particular Google Ads), when you access the marketing website we record certain URL parameters that advertising platforms pass to us, as well as the referrer. No communication with Google or other advertising platforms takes place in this process – we merely read the transmitted values and store them in your browser (local storage).
The following parameters are recorded, if contained in the accessed URL:
- Google Ads: gclid, gad_source, gbraid, wbraid (click IDs)
- UTM parameters (campaign identification): utm_source, utm_medium, utm_campaign, utm_term, utm_content
- Other advertising networks: msclkid (Microsoft Ads), fbclid (Meta), ttclid (TikTok), li_fat_id (LinkedIn)
- Context: referrer (previous page), landing page, user agent (browser identifier)
Storage location: initially exclusively in your browser's local storage (key ds_attribution_v1, retention 30 days rolling). No cookies are set. Should you create an account after this period, the content is transferred once into our database and linked to your account (table UserAttribution).
Manual conversion upload to Google Ads: To measure marketing success we periodically (on a weekly to monthly basis) upload a CSV file to the Google Ads interface containing the following fields: conversion name, conversion time (UTC), conversion value in €, click ID (gclid), SHA-256 hash of the email address. The email hash allows Google to anonymously match with the corresponding click (“Enhanced Conversions for Leads”). Google does not receive the unencrypted email address. This upload is carried out manually by our marketing team and not automatically by your browser.
Legal basis: Art. 6(1)(f) GDPR – legitimate interest in the economic management of our own paid marketing channels. The data is not used for profiling, retargeting or ad placement.
Right to object: You can object to the processing at any time informally by email to datenschutz@deepscript.com. On request, we will delete the attribution data assigned to your account and exclude you from future CSV uploads. You can remove the local storage in your browser yourself at any time via the browser settings → “Clear data for this website”.
15. Overview of processors
The following service providers process personal data on our behalf on the basis of a data processing agreement (Art. 28 GDPR). An always up-to-date list can also be found in the Trust Center.
| Service provider | Registered office / processing location | Purpose |
|---|---|---|
| Hetzner Online GmbH | Nuremberg / Falkenstein, Germany | Server hosting, database, object storage, transcription engine |
| Stripe Payments Europe Ltd. | Dublin, Ireland (subcontractor in the USA) | Payment processing, invoicing, subscription management |
| Microsoft Ireland Operations Ltd. | Dublin, Ireland | Transactional email dispatch via Microsoft Graph |
| Google Ireland Limited (GTM only with consent) | Dublin, Ireland (subcontractor in the USA) | (a) Google Tag Manager + Google Analytics 4 for reach measurement of the marketing site – only after explicit consent; (b) manual CSV upload of conversion events (gclid + SHA-256 hashed email) to Google Ads to measure the advertising effectiveness of our own paid campaigns – legal basis Art. 6(1)(f) GDPR (legitimate interest). |
16. Data transfer to third countries
Your data is generally processed exclusively within the European Union. A transfer to the USA takes place in the following two cases:
- Payment processing via Stripe (always, performance of a contract) – basis: Stripe's certification under the EU-US Data Privacy Framework as well as, additionally, EU standard contractual clauses pursuant to Art. 46(2)(c) GDPR.
- Reach measurement via Google Tag Manager / GA4 – only after your explicit consent (Art. 6(1)(a) GDPR). Basis: Google's DPF certification + SCCs. Without clicking “Accept” in the cookie banner, no transfer takes place.
17. Storage and retention periods
- Account master data: until you delete the account
- Transcriptions + audio files without Pro subscription: 30 days, then automatic deletion
- Transcriptions + audio files with Pro subscription: until manual deletion or account deletion
- Server logs: 14 days
- Audit logs: 12 months
- Invoice and accounting records: 10 years (§ 147 AO, § 257 HGB)
- Guest transcriptions (free tool without account): 24 hours
18. Your rights under the GDPR
- Art. 15 – Right of access: which data we process about you.
- Art. 16 – Rectification: correction of inaccurate or incomplete data.
- Art. 17 – Erasure (“right to be forgotten”). You can delete your account together with all associated data at any time in the settings.
- Art. 18 – Restriction of processing.
- Art. 20 – Data portability: a complete JSON export of your data is available at any time in the settings.
- Art. 21 – Objection to processing based on legitimate interests.
- Art. 7(3) – Withdrawal of consent given with effect for the future.
- Art. 77 – Complaint to a supervisory authority.
To exercise your rights, an informal email to datenschutz@deepscript.com is sufficient. We respond within the statutory period of one month (Art. 12(3) GDPR).
19. Supervisory authority
You have the right to lodge a complaint with a data protection supervisory authority of your choice. The authority with local jurisdiction for Aliru GmbH is:
Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg
Lautenschlagerstraße 20
70173 Stuttgart
Phone: +49 711 615541-0
Web: baden-wuerttemberg.datenschutz.de
20. Automated decision-making
We do not use any automated processes within the meaning of Art. 22 GDPR that produce legal effects concerning you or similarly significantly affect you.
21. Changes to this privacy policy
We adapt this privacy policy when the technical or legal framework changes. The respective current version is available at this URL. In the event of substantial changes, we inform active users by email.
22. Data processing for business customers
Business customers who, under their own responsibility, transmit personal data of third parties (e.g. employees, interview partners) for transcription conclude a data processing agreement with us under Art. 28 GDPR. The DPA can be signed digitally in the Trust Center.