
Privacy Policy

Last Updated: August 18, 2025
1. Introduction and Applicability of This Policy

1.1 Our Commitment to Your Privacy

eScribAI ("we," "us," "our") is unequivocally committed to protecting and respecting your privacy. This Privacy Policy outlines our practices concerning the collection, use, processing, and disclosure of your information. Our approach to data protection is built upon the foundational principles of the General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR"), including lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, confidentiality, and accountability.1 We are dedicated to processing personal data in a manner that is not only compliant with the law but also transparent and fair to you, our user. This policy is designed to provide you with clear, easily accessible, and understandable information about who we are, how and why we collect and use your personal data, and how you can exercise your rights concerning that data.

1.2 Scope of This Policy: The Controller vs. Processor Distinction

It is critically important to understand the different types of data associated with the eScribAI service and our respective roles and responsibilities under data protection law. This distinction is fundamental to how we manage data and defines the scope of this Privacy Policy.4 The structure of our data governance is a deliberate legal framework designed to manage risk and ensure operational feasibility under regulations like the GDPR.
  • Service Data: This refers to the personal data that eScribAI collects or generates during your registration, account administration, and use of our services. This includes information such as your name, email address, billing details, and service usage metrics. For the purposes of this "Service Data," eScribAI is the Data Controller as defined in Article 4 of the GDPR.5 This means we determine the purposes and means of processing this data. This Privacy Policy governs our collection and use of Service Data.
  • Customer Content: This refers to any text, documents, data, or other materials that you or your authorized users submit, upload, or process using the eScribAI platform ("Services"). Customer Content may contain personal data of various individuals, the nature of which is determined and controlled by you. For the purposes of "Customer Content," you (or your organization) are the Data Controller, and eScribAI is the Data Processor.5 We process this data solely on your behalf and in accordance with your instructions.

The processing of Customer Content is not governed by this Privacy Policy. Instead, it is governed by the Customer Agreement, Terms of Service, or a separate Data Processing Agreement (DPA) that you enter into with us. This clear separation of roles is a cornerstone of our compliance strategy. It ensures that you, as the controller of your content, maintain primary responsibility for the lawful processing of that data, while we, as the processor, are bound by contractual obligations to protect it and process it only as you direct. This framework prevents legal ambiguity and ensures that the party with the direct relationship to the individuals whose data is in the content (i.e., you) bears the primary compliance responsibility for it.

2. Personal Data We Collect and Process (as Data Controller)

In our capacity as a Data Controller, we collect and process Service Data necessary to provide, maintain, and improve our Services. Our collection practices are guided by the principle of Data Minimization, meaning we strive to collect only the personal data that is adequate, relevant, and limited to what is necessary for the specified purposes. This structured approach to categorizing data collection is a direct implementation of our transparency obligations under GDPR Articles 13 and 14, ensuring you are fully informed about what data we collect and from which sources.

2.1 Information You Provide Directly

When you interact with our Services, you may provide us with certain information directly. This includes:
  • Account and Profile Information: When you register for an account, we collect essential information such as your full name, email address, a secure password, and optionally, your company name and job title. This information is necessary for us to create, secure, and manage your account, and to communicate with you about it.
  • Payment and Billing Information: If you subscribe to a paid plan, we require billing information, such as your billing address and payment details. To ensure the highest level of security, we do not store your full credit card information on our servers. Instead, this information is collected and processed by our third-party payment processors who are compliant with the Payment Card Industry Data Security Standard (PCI-DSS). We only receive a tokenized identifier and confirmation of payment.
  • Communications with Us: When you contact our customer support team, participate in a survey, provide feedback, or otherwise communicate with us, we collect the information you provide in your communications, such as the content of your support tickets, emails, and survey responses.

2.2 Information We Collect Automatically

As you navigate and interact with our Services, we may use automatic data collection technologies to gather certain information about your equipment, browsing actions, and patterns.
  • Service Usage Data: We collect metadata and analytics information about how you use and interact with our Services. This may include the features you use, the pages you visit, the frequency and duration of your activities, the types of queries you make, and performance data. This information is vital for us to understand service usage, diagnose technical issues, and improve the functionality and user experience of our platform.
  • Log Data and Device Information: Like most websites and technology services, our servers automatically collect information when you access or use our Services and record it in log files. This log data may include your Internet Protocol (IP) address, browser type and settings, the date and time of your request, operating system, device identifiers, and error data (crash reports).
  • Cookies and Similar Technologies: We use cookies and similar tracking technologies (e.g., web beacons, pixels) to operate and administer our Services, gather usage data, and support our marketing efforts. We categorize our cookies into essential (strictly necessary for service operation), performance and analytics, functional, and marketing/advertising. In compliance with the GDPR and the ePrivacy Directive, we will only place non-essential cookies on your device with your explicit, freely given, and unambiguous opt-in consent.8 You can manage your cookie preferences at any time through our cookie management tool. For more detailed information, please refer to our separate Cookie Policy.

2.3 Information from Other Sources

We may also obtain information about you from third-party sources.
  • Third-Party Services: If you choose to register or log in to our Services using a third-party account (such as Google or Microsoft), we will receive certain profile information about you from that service. The information we receive depends on your privacy settings with that third-party service but typically includes your name and email address. We use this information for authentication and to pre-populate your account profile.
  • Marketing and Analytics Partners: We may receive information from third-party marketing and advertising partners, such as lead generation services or data enrichment providers. We only engage with partners who provide assurances that they have a legal basis to collect and share this information with us.

3. How and Why We Use Your Personal Data (Our Lawful Bases for Processing)

This section forms the legal core of our privacy practices. Under the GDPR, all processing of personal data must be justified by a "lawful basis" as set out in Article 6.10 We are committed to ensuring that we only process your personal data when we have a valid legal ground to do so. The specific lawful basis we rely upon determines the context and purpose of the processing, and it also has a direct impact on the rights available to you. For example, when we rely on our legitimate interests, this automatically grants you a specific right to object to that processing.12 Our commitment to transparency requires us to be explicit about these bases and their implications. The primary lawful bases we rely on are:
  • Performance of a Contract: Processing is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into a contract.10 This is the primary basis for our core service delivery.
  • Legitimate Interests: Processing is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms.11 When relying on this basis, we conduct a balancing test to ensure your rights are protected.
  • Consent: You have given clear, affirmative consent for us to process your personal data for a specific purpose. You have the right to withdraw your consent at any time.
  • Legal Obligation: Processing is necessary for compliance with a legal obligation to which we are subject.10

The following table provides a detailed overview of our processing activities, the categories of data involved, and the specific lawful basis for each activity.

| Purpose of Processing | Categories of Personal Data Involved | Lawful Basis under GDPR (Article 6) | Explanation of Lawful Basis |
| --- | --- | --- | --- |
| To provide, operate, and maintain the eScribAI service, including account creation, authentication, and billing. | Account and Profile Information, Payment and Billing Information, Service Usage Data | Performance of a Contract | We process this data to fulfill our contractual obligation to provide you with the services you have requested and paid for. This processing is essential for the core functionality of the platform. |
| To communicate with you about your account, transactions, and critical service updates (e.g., security alerts, changes to our terms). | Account and Profile Information, Communications with Us | Performance of a Contract | These transactional and administrative communications are an essential part of the service we are contracted to provide and are necessary for the proper administration of your account. |
| To provide customer support, respond to your inquiries, and resolve technical issues. | Account and Profile Information, Communications with Us, Service Usage Data | Performance of a Contract | Fulfilling your support requests and ensuring the service functions correctly are integral parts of our service delivery under our agreement with you. |
| To improve our platform, develop new features, conduct research, and analyze trends to enhance the user experience. | Anonymized or Aggregated Service Usage Data, Log Data | Legitimate Interests | We have a legitimate business interest in understanding how our Services are used so we can improve them for all users. We take protective measures, such as anonymization and aggregation, to minimize the impact on your privacy. |
| To ensure the security of our platform, prevent fraudulent or illegal activity, and enforce our terms of service. | Account and Profile Information, Service Usage Data, IP Address, Device Information | Legitimate Interests | We have a compelling legitimate interest in protecting the security and integrity of our Services, our users' data, and our intellectual property. This processing is necessary to detect and prevent security threats and abuse. |
| To send you marketing communications about our products, services, and events that may be of interest to you. | Account and Profile Information, Communications with Us | Consent | We will only send you marketing materials if you have explicitly consented to receive them (e.g., by ticking a box on a registration form). You can withdraw this consent at any time without detriment by using the "unsubscribe" link in our emails. |
| To comply with applicable laws, regulations, court orders, or other binding legal processes. | Account and Profile Information, Payment and Billing Information, Communications with Us | Legal Obligation | We may be required by law to process or disclose your data in certain circumstances, such as for tax and accounting purposes or in response to a lawful request from a law enforcement agency. |

4. How We Share and Disclose Personal Data

We are committed to the principles of Purpose Limitation and Accountability in how we handle your data. We do not sell your personal data to third parties. We only share your personal data with the categories of recipients listed below and for the legitimate purposes described.
  • Service Providers (Sub-processors): We engage trusted third-party companies and individuals to perform services on our behalf, such as cloud hosting, payment processing, data analytics, customer support services, and email delivery. These third parties are our "sub-processors." We share your personal data with them only to the extent necessary for them to perform these services for us. We have legally binding Data Processing Agreements (DPAs) in place with all our sub-processors, which require them to safeguard your data, restrict their use of it to the purposes for which it was shared, and maintain security standards compliant with the GDPR.18
  • Corporate Affiliates: We may share your personal data with our parent companies, subsidiaries, and other affiliates within our corporate group for operational purposes, such as providing centralized administrative services, security, and support. All our affiliates are required to adhere to the privacy and security standards described in this policy.
  • Business Transfers: In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your personal data may be transferred as part of that transaction. We will notify you of any such deal and inform you of any choices you may have regarding your information.
  • Legal Requirements and Protection of Rights: We may disclose your personal data if we believe in good faith that it is necessary to: (a) comply with a legal obligation, subpoena, court order, or other lawful request from public authorities; (b) protect and defend our rights, property, or safety, or that of our users or the public; (c) prevent or investigate possible wrongdoing in connection with the Services; or (d) protect the personal safety of users of the Services or the public. We will make reasonable efforts to verify the legality of any such request and to narrow the scope of disclosure as much as possible.

5. Data Security

We take our responsibility to protect your personal data very seriously. In accordance with the principle of Integrity and Confidentiality and the requirements of Article 32 of the GDPR, we have implemented and maintain appropriate technical and organizational measures designed to protect your personal data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.2 Our security measures include, but are not limited to:
  • Encryption: We use industry-standard encryption protocols (such as TLS/SSL) to protect data in transit between your device and our servers. Data at rest, stored in our databases and storage systems, is also encrypted.
  • Access Controls: We enforce strict access controls to ensure that only authorized personnel have access to your personal data. We adhere to the principle of least privilege, meaning employees are only granted access to the data necessary to perform their job functions.
  • Security Audits and Assessments: We regularly conduct security assessments, vulnerability scanning, and penetration testing on our systems and applications to identify and remediate potential security weaknesses.
  • Personnel Training: All our employees and contractors undergo regular data protection and information security training to ensure they are aware of their responsibilities in protecting your data.
  • Incident Response Plan: We have a comprehensive incident response plan in place to promptly detect, respond to, and mitigate the impact of any potential data breach. In the event of a personal data breach, we are prepared to notify the relevant supervisory authority and affected individuals in accordance with our obligations under GDPR Articles 33 and 34.18

While we implement robust security measures, it is important to remember that no method of transmission over the Internet or method of electronic storage is 100% secure. Therefore, we cannot guarantee its absolute security.

6. International Data Transfers

eScribAI operates on a global scale, and as such, your personal data may be transferred to, and processed in, countries other than the one in which you reside. These countries, including the United States where our primary infrastructure may be located, may have data protection laws that are different from the laws of your country. When we transfer personal data of individuals in the European Economic Area (EEA), the United Kingdom (UK), or Switzerland to countries outside of these regions, we take specific steps to ensure that your data is protected and that the transfer complies with the requirements of Chapter 5 of the GDPR.21 We rely on the following legal mechanisms to ensure an adequate level of data protection:
  • Adequacy Decisions: We may transfer personal data to countries that the European Commission has deemed to provide an adequate level of data protection.
  • Standard Contractual Clauses (SCCs): For transfers to countries not covered by an adequacy decision, we rely on the Standard Contractual Clauses approved by the European Commission. These are legally binding contracts that impose EU-level data protection obligations on the data recipient. We have incorporated these SCCs into our Data Processing Agreements with our non-EEA sub-processors.
  • Supplementary Measures: In line with guidance from European data protection authorities and relevant case law, we conduct transfer impact assessments and implement supplementary measures where necessary to ensure that the data transferred is afforded a level of protection that is essentially equivalent to that guaranteed within the EU.

By using our Services, you understand that your personal data may be transferred to our facilities and the third parties with whom we share it as described in this Privacy Policy.

7. Data Retention

In accordance with the GDPR principle of Storage Limitation, we retain your personal data only for as long as is necessary to fulfill the purposes for which we collected it.2 The criteria we use to determine the appropriate retention periods for your personal data include:
  • The Duration of Your Relationship with Us: We will retain your account information for as long as your account is active or as needed to provide you with the Services.
  • Our Legal and Regulatory Obligations: We are required to retain certain information to comply with our legal obligations. For example, tax and accounting laws may require us to keep billing and transaction records for a specific number of years.
  • Resolution of Disputes and Enforcement of Agreements: We may retain certain data for a reasonable period after your relationship with us has ended in order to resolve potential disputes, enforce our terms of service, or defend against legal claims.

When we no longer have a legitimate business need or legal reason to process your personal data, we will either securely delete it or anonymize it. If deletion is not immediately possible (for example, because your data is stored in backup archives), we will securely store your data and isolate it from any further processing until deletion is possible.

8. Your Data Protection Rights under GDPR

If you are an individual located in the EEA, UK, or Switzerland, you have a comprehensive set of rights regarding your personal data under the GDPR. We are committed to facilitating the exercise of these rights. You can exercise most of these rights through your account settings or by contacting us directly.
  • The Right to be Informed (Articles 13 & 14): You have the right to be provided with clear, transparent, and easily understandable information about how we use your personal data. This Privacy Policy is our primary means of fulfilling this right.7
  • The Right of Access (Article 15): You have the right to obtain confirmation as to whether or not personal data concerning you is being processed, and, where that is the case, access to the personal data and supplementary information (such as the purposes of processing, categories of data, and recipients).13
  • The Right to Rectification (Article 16): You have the right to have any inaccurate or incomplete personal data we hold about you corrected without undue delay.12
  • The Right to Erasure ('Right to be Forgotten') (Article 17): You have the right to request the deletion or removal of your personal data where there is no compelling reason for us to keep using it. This right is not absolute and only applies in certain circumstances, for example, where the data is no longer necessary for the purpose for which it was originally collected, or where you have withdrawn your consent.23 We may be legally required or have a legitimate reason to retain your data, which we will explain to you in our response.
  • The Right to Restrict Processing (Article 18): You have the right to 'block' or suppress further use of your personal data in certain circumstances, such as when you contest the accuracy of the data or have objected to our use of it.12
  • The Right to Data Portability (Article 20): You have the right to obtain and reuse your personal data for your own purposes across different services. This allows you to move, copy, or transfer your personal data easily from our IT environment to another in a safe and secure way. This right only applies to data you have provided to us where our processing is based on your consent or for the performance of a contract, and when processing is carried out by automated means.12
  • The Right to Object (Article 21): You have the right to object to processing based on our legitimate interests or for the performance of a task in the public interest. You also have an absolute right to object to the processing of your personal data for direct marketing purposes.12
  • Rights in Relation to Automated Decision-Making and Profiling (Article 22): You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. eScribAI does not currently engage in such automated decision-making with respect to its users.12

To exercise any of these rights, please contact us using the details provided in the "How to Contact Us" section. We will respond to your request within one month of receipt, as required by law. You also have the right to lodge a complaint with a supervisory authority if you are not satisfied with our response to your concerns. You can lodge a complaint with the data protection authority in your country of residence, place of work, or the place of the alleged infringement.18

9. Information for Individuals in the European Economic Area (EEA), UK, and Switzerland

This section provides additional information relevant to individuals located in the EEA, UK, and Switzerland.
  • Data Controller: The Data Controller for the Service Data collected under this policy is: [Legal Address]
  • EU Representative: As we are a company established outside of the EEA, we have appointed an EU Representative in accordance with Article 27 of the GDPR to act as our point of contact for data subjects and supervisory authorities. You can contact our EU Representative at:
  • Data Protection Officer (DPO): We have appointed a Data Protection Officer to oversee our data protection strategy and implementation. You can contact our DPO with any questions or concerns regarding our privacy practices at:
  • Lawful Bases and Rights: As detailed in Section 3, our processing of your personal data is based on lawful bases under the GDPR. As detailed in Section 8, you have specific rights that you can exercise in relation to your personal data.

10. Children’s Data

Our Services are not directed to or intended for use by individuals under the age of 16. In accordance with Article 8 of the GDPR, we do not knowingly collect personal data from children under 16.18 If we become aware that we have inadvertently collected personal data from a child under the age of 16 without verification of parental consent, we will take steps to delete that information from our systems as soon as possible. If you are a parent or guardian and you believe your child has provided us with personal data, please contact us immediately.

11. Updates to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes, we will update the "Last Updated" date at the top of this policy. If we make a material change, we will provide you with notice, such as by sending an email to the address associated with your account or by posting a prominent notice within our Services. We encourage you to review this policy periodically to stay informed about our information practices and the choices available to you. Your continued use of the Services after the effective date of any changes constitutes your acceptance of the updated policy.

12. How to Contact Us

If you have any questions, comments, or concerns about this Privacy Policy, our data handling practices, or if you wish to exercise any of your data protection rights, please do not hesitate to contact us. You can reach our privacy team and Data Protection Officer via the following channels:
  • Email: privacy@escribai.com
  • Mailing Address: eScribAI Solutions S.L. Attn: Privacy Department / DPO [Mailing Address]

    Copyright © 2025. All rights reserved. Powered by eScribai.com.