DeepScript

Privacy Policy – DeepScript App

Last updated: 18 May 2026

This is a translation provided for convenience. In case of discrepancies, the German version prevails.

Scope: This policy describes the data processing in the logged-in area of the DeepScript app (dashboard, upload, transcription, editor, billing, support, API/MCP). For the public marketing website – that is, everything before login, including cookies, Google Tag Manager and reach measurement – the separate website privacy policy applies.

1. Controller

Aliru GmbH
Julius-Hatry-Straße 1
68163 Mannheim, Germany
Managing Director: Julian Kissel
Phone: +49 621 49088670
Email: datenschutz@deepscript.com

We are currently not legally required to appoint a data protection officer (Art. 37 GDPR in conjunction with § 38 BDSG). For all data protection matters, please contact the email address above.

2. Account and authentication data

To use the app we require the following data:

  • Name (display name, freely chosen)
  • Email address (verified)
  • Password – stored exclusively as a bcrypt hash, never in plain text
  • Optional: company name, billing address, VAT ID (B2B invoices)
  • With two-factor authentication enabled: encrypted TOTP secret + encrypted backup codes
  • App settings: language, theme, data retention preference

Legal basis: Art. 6(1)(b) GDPR (performance of a contract).
Retention period: until you delete the account. Deletion is available directly in the settings; all associated data (except the invoice and accounting records to be retained by law) is then removed immediately and completely.

3. Sign-in via third-party providers (optional)

Optionally, you can sign in via Google or Microsoft OAuth. In this case only the profile information required to create the account (name, email, profile picture URL) is transmitted. We do not receive access to any other content of your Google or Microsoft account, nor do we transmit any telemetry to the providers as long as the login is not actively carried out.

Legal basis: Art. 6(1)(b) GDPR. Providers' privacy policies: Google, Microsoft.

4. Audio/video uploads and transcriptions

The core of the platform. In doing so we process:

  • The uploaded file (audio/video)
  • Metadata: file name, size, duration, MIME type, selected model, selected language
  • The result: text, word timestamps, speaker assignment, detected language
  • Optional custom vocabulary you have provided

Where processed: The entire processing runs on our own server infrastructure in the data centres of Hetzner Online GmbH in Nuremberg and Falkenstein (Germany). Audio and transcripts at no point leave the EU. No external speech-processing services (e.g. OpenAI, Anthropic, Google Cloud Speech, AWS Transcribe) are integrated.

No use for AI training: We never use your audio/video data and the transcriptions to train our own or third-party models. The processing is carried out exclusively for the purpose of the contractually agreed transcription service.

Retention period: Without an active Pro subscription, transcriptions and the underlying audio files are automatically deleted after 30 days (default value; individually adjustable in the settings to 7, 90, 180 or 365 days). With an active Pro subscription the data remains stored until manual deletion. You can remove any transcription manually at any time.

Legal basis: Art. 6(1)(b) GDPR. For business customers who have personal data of third parties processed (e.g. interview recordings), we conclude a data processing agreement under Art. 28 GDPR – digitally signable in the Trust Center.

5. Payment processing (Stripe)

For balance top-ups (pay-per-use) and the Pro subscription we use Stripe. When you access the Stripe checkout page or the customer portal, you are redirected to a Stripe-owned interface. You enter card, bank and wallet data exclusively directly with Stripe – it is never transmitted to us or stored by us.

Stripe transmits back to us:

  • Stripe customer ID (pseudonym)
  • Status of the payment or subscription
  • Billing address + VAT ID where applicable (if provided at checkout)
  • For the Pro subscription: contract start, next billing date, cancellation status

Provider: Stripe Payments Europe Limited, 1 Grand Canal Street Lower, Dublin, Ireland. Stripe is a separate controller for payment processing; privacy policy at stripe.com/de/privacy.

Third-country transfer: A transfer to the USA takes place in the context of individual payment transactions to Stripe's US group company. Basis: Stripe's certification under the EU-US Data Privacy Framework as well as, additionally, EU standard contractual clauses (Art. 46(2)(c) GDPR).

Legal basis: Art. 6(1)(b) GDPR (performance of a contract) and Art. 6(1)(c) GDPR (retention of invoice records pursuant to § 147 AO, 10 years).

Privacy Policy App – DeepScript | DeepScript