Privacy Policy

What we collect, why we collect it, where it goes, and how long it stays.

1. Data controller

{{COMPANY_LEGAL_NAME}} ([Company details: to be filled in once company formation is complete]) is the data controller (KVKK "veri sorumlusu" / GDPR "controller") for personal data processed through audiototextonline.com.

  • Legal name: {{COMPANY_LEGAL_NAME}}
  • Tax ID: {{COMPANY_TAX_ID}}
  • Registered address: {{COMPANY_ADDRESS}}
  • Data Protection contact: {{COMPANY_DPO}} (or contact@audiototextonline.com if no DPO is appointed)

2. What we collect

We deliberately collect as little as possible. The categories below are the complete list:

  • Audio files you upload, plus the resulting transcript text and word-level timestamps.
  • File metadata: filename, size, MIME type, content hash, duration.
  • Account data: email address, hashed password (argon2id — we never see the plain password), optional display name.
  • Session metadata: an HTTP-only cookie (`atto.sid`), IP address, user-agent string, last-seen timestamp.
  • Usage telemetry: monthly minute counter, job count, payment intents, terms-acceptance trail (IP, UA, timestamp).
  • Analytics: Google Analytics 4 events on a pseudonymous client ID basis.

3. Why we process it (purposes)

Each category above is processed only for the purposes that make sense for it:

  • Audio + transcripts: produce and deliver the transcription you requested.
  • Account data: identify you across devices, secure your sign-in, send service emails.
  • Session metadata: keep you signed in, prevent abuse, troubleshoot.
  • Usage telemetry: enforce free-tier quotas, generate invoices, keep evidence of consent for tax / consumer-law purposes.
  • Analytics: understand which features are used and detect outages.

4. Legal basis

Under KVKK Article 5/2 and GDPR Article 6 we rely on the following legal grounds:

  • Performance of the contract you have with us — turning your audio into a transcript and managing your account.
  • Compliance with a legal obligation — keeping invoices and accounting records (Vergi Usul Kanunu Article 253).
  • Legitimate interest — fraud prevention, abuse detection, basic product analytics, kept to the minimum necessary.
  • Explicit consent — only where the law specifically requires it (e.g. non-essential cookies).

5. Where the data goes (sub-processors)

We share the minimum data needed with the following sub-processors. Each operates as a "veri işleyen" (KVKK) / "processor" (GDPR) under contract:

  • Google Cloud Storage (europe-west4, Netherlands) — stores the uploaded audio and the generated transcript.
  • Google Cloud Speech-to-Text v2 (EU multi-region) — turns audio into text.
  • PayTR Ödeme Hizmetleri A.Ş. (Türkiye) — processes Pro subscription payments. We never see your card data.
  • Google Analytics 4 (Google LLC) — pseudonymous usage analytics.
  • Hostinger (server hosting in Türkiye / EU) — runs our application code and database.

6. International transfers

Audio and transcripts are kept in the EU (europe-west4, Netherlands). Payment processing happens entirely within Türkiye. Google Analytics may transfer pseudonymous identifiers to the United States under the EU–US Data Privacy Framework. Where transfers leave the European Economic Area or Türkiye, the recipient is bound by Standard Contractual Clauses or an equivalent safeguard.

7. How long we keep things (retention)

Different categories of data have different lifespans:

  • Free-tier audio + transcript: deleted automatically 7 days after upload (GCS lifecycle rule).
  • Pro-tier audio + transcript: deleted on delivery by default; retained only if you opt in.
  • Account record: kept for as long as the account is active; deleted within 30 days of an account-deletion request, except for fields we are required to keep.
  • Invoices, payment records, terms-acceptance evidence: kept for 10 years (Vergi Usul Kanunu Article 253) regardless of account deletion. We minimise what we keep — typically the order ID, amount, currency, taxpayer info, and a hash of the consent log.
  • Server logs: 30 days for diagnostic logs, 12 months for security logs.

8. Your rights

Under KVKK Article 11 and GDPR Articles 15–22 you can ask us to:

  • Confirm whether we are processing your data, and ask for a copy.
  • Correct inaccurate data.
  • Delete data, subject to the legal-retention exceptions in section 7.
  • Restrict or object to certain processing.
  • Receive your data in a portable format.
  • Not be subject to a decision based solely on automated processing that produces legal effects (we do not currently take such decisions about you).

9. AI transparency (EU AI Act Article 50)

Transcripts on this service are generated by an AI speech model. We mark every machine-generated text as such — see the disclosure on the transcript page and the marker line at the top of every exported file. The AI does not make decisions about you; it only converts speech to text.

10. Cookies and similar technologies

We use a small number of cookies. None of them are needed for advertising:

  • atto.sid — HTTP-only, secure, SameSite=Lax. Keeps you signed in. Lifetime: 90 days. Strictly necessary.
  • atto.actor — HTTP-only, secure. Anonymous browser-bound identifier so that a guest's transcripts persist between visits. Lifetime: 365 days. Strictly necessary for the service to work.
  • _ga, _ga_GYN8JVNE8W — Google Analytics 4 pseudonymous identifiers. Lifetime: 13 months. Optional analytics.

11. Security

We use TLS 1.2+ for every connection, encrypt data at rest in cloud storage, hash passwords with argon2id, scope signed URLs to short lifetimes, run server-side in Türkiye / EU regions, and apply the OWASP top-10 defences in the application code. No system is bullet-proof — please report a security concern to contact@audiototextonline.com.

12. Children

The service is not designed for children under 13 (or under 16 where local law sets that age higher). We do not knowingly collect data from minors; if you believe a minor has provided us with data, please contact us and we'll delete it.

13. Contact and complaints

Questions, access requests, deletion requests, complaints — all go to contact@audiototextonline.com. We respond within 30 days as required by KVKK and GDPR; we usually respond within 7. If you are not satisfied, you can lodge a complaint with the Turkish Personal Data Protection Authority (KVKK Kurumu, kvkk.gov.tr) or, in the EU, with your local supervisory authority.

14. Changes

We may update this policy. Material changes are announced by email to logged-in users and the change date is shown at the bottom of this page. Old versions are kept on file in case you need to refer to them.

Last updated: 2026-05-10

[Placeholder fields {{COMPANY_LEGAL_NAME}}, {{COMPANY_TAX_ID}}, {{COMPANY_ADDRESS}}, {{COMPANY_DPO}} are filled in once the operating company is registered.]