Privacy Policy

1. Data Controller

The data controller responsible for the processing of personal data described in this policy is Xordas ("we", "us", or "our"). If you have questions about data processing, you may contact us at transcribe@xordas.me.

2. Definitions

For the purposes of this policy:

• "Personal data" means any information relating to an identified or identifiable natural person.
• "Processing" means any operation performed on personal data, including collection, recording, storage, adaptation, retrieval, consultation, use, disclosure, erasure, or destruction.
• "Data subject" means the identified or identifiable natural person whose personal data is processed.
• "Controller" means the natural or legal person who determines the purposes and means of processing personal data.
• "Processor" means a natural or legal person who processes personal data on behalf of the controller.

3. Categories of Personal Data Processed

We process the following categories of personal data:

• Audio content. Voice message audio attachments are downloaded from Discord for the sole purpose of producing a text transcript. Audio is converted to a standard format, transcribed, and deleted immediately. Audio is not stored, logged, or shared beyond what is strictly necessary to complete the transcription.
• Transcript text. The text output of the transcription is returned to Discord as a message in the originating channel. Transcript text is not stored on any server, database, or log file. The transcript footer includes your Discord display name and user ID to attribute the original voice message.
• Discord user identifier. Your Discord user ID is processed in real time to enforce per-user rate limits. This identifier is held only in volatile memory and is automatically discarded when the rate-limit window expires (within seconds to minutes).
• Discord guild (server) identifier. The server ID is processed in real time to enforce per-server rate limits. This identifier is held only in volatile memory and is automatically discarded when the rate-limit window expires.
• Discord message identifier. Message IDs may be recorded in operational log files for the limited purpose of diagnosing failed transcriptions. Log entries do not contain audio content, transcript text, or user identification beyond what Discord's API associates with messages.

4. Purposes and Legal Basis for Processing

We process personal data under the following legal bases as defined in Article 6 of the General Data Protection Regulation (EU) 2016/679 ("GDPR"):

Processing of audio content.
Purpose: To produce a text transcript of a Discord voice message when you explicitly request one.
Legal basis: Consent (Article 6(1)(a) GDPR). You provide consent by actively triggering a transcription via the context menu, the ephemeral context menu, or by replying to a voice message with an @mention of the application. You may withdraw consent at any time by simply not triggering the transcription feature.

Processing of user and server identifiers for rate limiting.
Purpose: To enforce fair-use rate limits and prevent abuse of the service.
Legal basis: Legitimate interest (Article 6(1)(f) GDPR). We have a legitimate interest in protecting the availability and stability of the service for all users. Rate-limit data is held ephemerally in memory only and does not persist beyond the sliding window.

Processing of message identifiers in log files.
Purpose: To diagnose and resolve transcription failures.
Legal basis: Legitimate interest (Article 6(1)(f) GDPR). Operational logging is necessary to maintain and improve the reliability of the service. Log files are rotated and deleted periodically.

5. Data Recipients and Third-Party Services

Your personal data may be disclosed to the following recipients or categories of recipients:

• Discord Inc. Transcripts are delivered as Discord messages. Audio content originates from and transcripts are returned to Discord's infrastructure. Your use of Discord is governed by Discord's Privacy Policy.

We do not sell, rent, or trade personal data to any third party.

6. International Data Transfers

Discord's infrastructure may be located outside the European Economic Area (EEA). When you use Transcribe, your data may be transferred to and processed in countries that do not provide the same level of data protection as the EEA.

Such transfers are protected by the standard contractual clauses or other appropriate safeguards provided by Discord.

You may request a copy of the applicable safeguards by contacting us at transcribe@xordas.me.

7. Data Retention

We retain personal data only for as long as strictly necessary:

• Audio files: Deleted immediately (within the same request cycle) after the transcript is produced. Retention period: seconds.
• Transcript text: Never stored by us. Returned only as Discord messages, which are governed by Discord's own retention and deletion policies.
• User and server identifiers (rate limiting): Held in volatile memory only. Automatically discarded when the sliding window expires. Retention period: up to 60 seconds.
• Log entries: Retained for operational purposes and rotated periodically. Log files do not contain audio content or transcript text. Retention period: up to 30 days before rotation or deletion.

8. Data Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, accidental loss, destruction, or damage. Specifically:

• Audio is processed entirely on our server, located in the United States, and is never transmitted to external APIs or cloud services for processing.
• Rate-limit data is stored exclusively in volatile memory (RAM) and does not persist to disk.
• Log files are stored on the server with appropriate file-system permissions.

However, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security of data.

9. Automated Decision-Making

Transcribe uses a machine-learning model to produce text transcripts from audio. This constitutes automated processing of personal data. However, the transcription does not produce legal or similarly significant effects on you as defined in Article 22 GDPR. The output is an informational text transcript that you may review, correct, or discard at your discretion.

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. Since Transcribe's output is informational only and does not produce such effects, this right does not apply to the current processing. If this changes in the future, we will update this policy accordingly.

10. Your Rights Under GDPR

You have the following rights with respect to your personal data:

• Right of access (Article 15): You may request confirmation of whether we process your personal data and obtain a copy of that data.
• Right to rectification (Article 16): You may request correction of inaccurate personal data. Since transcript text is returned to you as a Discord message, you may correct it directly in Discord.
• Right to erasure (Article 17): You may request deletion of your personal data. Given that audio is deleted immediately after transcription and rate-limit data expires within seconds, personal data is almost always erased automatically. You may request confirmation of erasure at any time.
• Right to restriction of processing (Article 18): You may request that we restrict processing of your personal data in certain circumstances.
• Right to data portability (Article 20): You may request a copy of your personal data in a structured, commonly used, and machine-readable format.
• Right to object (Article 21): You may object to processing based on legitimate interests. Since we process rate-limit and log data on the basis of legitimate interest, you may object to this processing, and we will cease unless we demonstrate compelling legitimate grounds.

To exercise any of these rights, contact us at transcribe@xordas.me. We will respond to your request within 30 days.

11. Right to Lodge a Complaint

If you believe that the processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a supervisory authority. In particular, you may lodge a complaint with the supervisory authority in the EU member state of your habitual residence, your place of work, or the place of the alleged infringement.

12. Children's Privacy

Transcribe is not directed at children under 13 years of age (or the applicable minimum age in your jurisdiction). We do not knowingly process personal data from children. If we become aware that a child has used the application, we will take steps to delete the relevant data without undue delay.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our processing activities or legal requirements. Changes take effect when the updated policy is posted on this page. The "Effective date" at the top of this page indicates when this policy was last updated. We encourage you to review this policy periodically.

14. Contact

For any questions about this Privacy Policy, to exercise your data subject rights, or to reach us regarding data protection, contact us at transcribe@xordas.me.