Privacy Policy
Pursuant to Art. 13 and 14 of the General Data Protection Regulation (GDPR)
1. Controller
Gökhan Sagir
Erdbergstraße 121/9
1030 Vienna, Austria
Email: datenschutz@scryp.at
2. Our principles for handling your data
scryp is built on client-side encryption. This means your transcripts, audio files and file names are encrypted in your browser and stored on our servers exclusively in encrypted form. Without your personal key, this data is readable by no one - not even us.
No AI training with your data
Your audio files and transcripts are never used to train our or third-party language models. This is part of our security architecture, not just a statement of intent: your stored content exists only in encrypted form.
No employee access to your content
Stored audio files and transcripts are not accessible to our staff or third parties. As we do not hold your personal decryption key, we cannot hand over readable copies of your stored content - not even on official order.
Processing exclusively in Germany and Austria
Speech processing - the transcription of your audio files - takes place exclusively in our own data centre in Vienna. Your encrypted files are stored at Hetzner Online GmbH in Nuremberg (ISO 27001 certified). Your encrypted content (audio, transcripts, file names) never leaves Germany and Austria.
What remains visible to us (metadata): email address, file size, file type, audio duration, creation time, processing status and subscription plan. Your actual content (audio, transcripts, file names) is stored on our servers in encrypted form only.
3. What data we process
3.1 Registration & account
At registration we store: your email address (for login and communication), a password hash (Argon2id - the plaintext password is not stored), and the encrypted Master Encryption Key (MEK) with its initialisation vector (IV) and KDF salt.
Legal basis: performance of a contract (Art. 6(1)(b) GDPR). Providing this data is necessary to perform the contract; without it no account can be created.
3.2 Audio & video uploads
Uploaded files are encrypted in your browser before they reach our servers. On our servers your files are stored in encrypted form only and accessible solely with your personal key. After transcription the original file is deleted and replaced by an encrypted playback version (MP3).
Legal basis: performance of a contract (Art. 6(1)(b) GDPR)
3.2a URL-based uploads
When using the URL upload feature, the audio/video file is downloaded directly from the specified source to our processing server. In this case the audio material is not encrypted client-side. The downloaded material is processed exclusively in RAM and deleted immediately after transcription. The resulting transcript and playback file are stored client-side encrypted as usual. No cookies, tokens or credentials of the source platform are stored or transmitted.
Legal basis: performance of a contract (Art. 6(1)(b) GDPR)
3.3 Transcripts
Transcripts are secured with your personal file key immediately after creation and stored on our media in encrypted form only. We cannot view this content. Your transcripts are not used to train language models - neither by us nor by third parties. Our encryption architecture ensures this: the key to your content exists only in your browser.
Legal basis: performance of a contract (Art. 6(1)(b) GDPR)
3.4 Email communication
We use Mailjet (Sinch Germany GmbH, ISO 27001 certified, servers in France) to send emails. Only your email address and technical delivery metadata are processed. All data remains within the EU. We send transactional emails (verification, password reset, scheduled maintenance) and product-related notifications (service updates, price changes, new features).
You can unsubscribe from product-related notifications at any time via the unsubscribe link in the respective email. Transactional emails are required to operate the service and cannot be unsubscribed. Invoices and payment confirmations are sent directly by Stripe.
Legal basis: performance of a contract (Art. 6(1)(b) GDPR) for transactional email; legitimate interest (Art. 6(1)(f) GDPR) for product-related notifications
3.5 Payment data
Payments are processed by Stripe (Stripe Payments Europe, Ltd., Dublin, Ireland). We only store your Stripe customer ID, the chosen plan and the subscription status. Card numbers or bank details are processed exclusively by Stripe and are not visible to us. Stripe is PCI-DSS certified.
Legal basis: performance of a contract (Art. 6(1)(b) GDPR) and statutory retention (Art. 6(1)(c) GDPR with § 132 Austrian BAO)
3.6 Customer support
We use Microsoft 365 (Microsoft Ireland Operations Ltd., Ireland) to receive and handle support requests. Where data is transferred to the USA, this is based on the EU-US Data Privacy Framework (DPF). We process your email address and the content of your request.
Legal basis: legitimate interest in answering customer requests (Art. 6(1)(f) GDPR)
4. Sharing transcripts
scryp lets you share individual transcripts via a password-protected link. The file key (FEK) is encrypted with a key derived from the sharing password (PBKDF2) and stored on our servers together with a cryptographic salt. Neither the password nor the unencrypted file key is transmitted to our servers. Recipients decrypt the transcript exclusively in their own browser.
Legal basis: performance of a contract (Art. 6(1)(b) GDPR)
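The password-protected sharing described in this section, sketched as an added example that is not part of this policy and is not scryp's code: the file key is wrapped under a key derived from the sharing password, and only the salt, IV, tag and wrapped key would be stored server-side. Assumptions: AES-256-GCM as the wrapping cipher, the 600,000-iteration PBKDF2-SHA256 setting from section 11 applied to share links, a 16-byte salt, Node's built-in crypto module standing in for the browser's Web Crypto API, and hypothetical function names.

```javascript
// Added illustration, not scryp's code. Node's crypto module stands in for Web Crypto.
const nodeCrypto = require('crypto');

// PBKDF2-SHA256 count taken from section 11; assumed to apply to share links.
const ITERATIONS = 600000;

// Derive a 256-bit key-encryption key (KEK) from the sharing password.
function deriveKek(password, salt) {
  return nodeCrypto.pbkdf2Sync(password, salt, ITERATIONS, 32, 'sha256');
}

// Sender side: wrap the file key (FEK). Only the returned record is uploaded;
// the password and the plaintext FEK stay on the client.
function wrapFek(fek, password) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12); // 96-bit GCM nonce, fresh per wrap
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', deriveKek(password, salt), iv);
  const wrapped = Buffer.concat([cipher.update(fek), cipher.final()]);
  return { salt, iv, wrapped, tag: cipher.getAuthTag() };
}

// Recipient side: re-derive the KEK and unwrap. Returns null for a wrong
// password or a modified record, because the GCM tag check fails.
function unwrapFek(record, password) {
  const kek = deriveKek(password, record.salt);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', kek, record.iv);
  decipher.setAuthTag(record.tag);
  try {
    return Buffer.concat([decipher.update(record.wrapped), decipher.final()]);
  } catch (err) {
    return null;
  }
}

// Constructed sample: a random 256-bit FEK and a made-up sharing password.
function demo() {
  const password = 'correct horse battery staple';
  const fek = nodeCrypto.randomBytes(32);
  const record = wrapFek(fek, password);
  const ok = unwrapFek(record, password);
  const zeroed = { ...record, wrapped: Buffer.alloc(record.wrapped.length) };
  return {
    roundTrip: ok !== null && ok.equals(fek),
    wrongPassword: unwrapFek(record, 'wrong password'),
    tampered: unwrapFek(zeroed, password),
    storedBytes: record.wrapped.length,
  };
}
```

The stored record is only as strong as the sharing password: anyone who obtains it can test password guesses offline, which is what the high iteration count slows down.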
5. Local storage in the browser (localStorage)
scryp uses no cookies. Instead we use your browser's localStorage exclusively for technically necessary data: the authentication token (JWT) for your active session, the encryption key (MEK) for client-side decryption of your content, and your plan information to control upload limits.
This data is strictly necessary to use the service. We use no tracking, analytics or advertising technologies - no Google Analytics or other analysis tools. On logout or account deletion, all localStorage data is removed.
6. Hosting & data location
Our infrastructure operates exclusively in Germany and Austria. Web application, backend and encrypted data storage (S3 object storage) run in Hetzner Online GmbH data centres in Nuremberg, Germany (ISO 27001 certified); all content stored there is encrypted. Transcription and speech processing take place exclusively in our own data centre in Vienna, where encrypted audio is temporarily decrypted in RAM, processed and securely deleted immediately. No unencrypted content is ever stored permanently.
7. Retention periods
Account data (email, password hash, encrypted MEK): until you delete your account; after cancellation without account deletion, the account remains for up to 90 days for reactivation
Encrypted content (audio playback & transcripts): until deleted by you or up to 90 days after a subscription ends; original audio files are deleted automatically after processing
Invoice data (stored at Stripe): 7 years (statutory retention under § 132 Austrian BAO); Stripe may apply its own retention periods
8. Your rights
Under the GDPR you have the following rights:
Access (Art. 15 GDPR)
You may request confirmation as to whether we process personal data about you and obtain access to that data.
Rectification (Art. 16 GDPR)
You may request the correction of inaccurate data or the completion of incomplete data.
Erasure (Art. 17 GDPR)
You may request the deletion of your personal data, provided there is no statutory retention obligation.
Restriction of processing (Art. 18 GDPR)
You may request the restriction of processing, e.g. if you contest the accuracy of the data.
Data portability (Art. 20 GDPR)
You may request your data in a structured, commonly used and machine-readable format.
Objection (Art. 21 GDPR)
You may object to processing that is based on legitimate interest (Art. 6(1)(f)).
Withdrawal of consent (Art. 7(3) GDPR)
Where processing is based on consent, you may withdraw it at any time with effect for the future.
To exercise your rights, please contact: datenschutz@scryp.at
We will process your request without undue delay and at the latest within one month of receipt (Art. 12(3) GDPR).
Note on the encryption architecture: As transcripts, audio files and file names are encrypted client-side and we have no access to the plaintext, we cannot provide content-level information about this data. You can decrypt, export (PDF, DOCX, TXT, SRT, VTT) and delete your content yourself in the browser at any time. We can of course provide information on all non-encrypted personal data (email address, metadata, subscription data).
9. Password reset & data loss
As your encryption key (MEK) is derived from your password, a password reset means the existing MEK can no longer be decrypted. All encrypted data (transcripts, audio files, file names) is automatically and irrevocably deleted on password reset, and a new MEK is generated. Your content is decryptable only with your personal MEK - without it, access to existing data is impossible.
10. Account deletion
When you delete your account, all personal data and all encrypted content (audio files, transcripts, file names) is irrevocably deleted. Excepted is invoice data we must retain due to statutory obligations (§ 132 Austrian BAO: 7 years) and payment data stored at Stripe, which is subject to Stripe's privacy policy.
If you merely cancel your subscription without deleting your account, your dashboard and existing content remain available for up to 90 days so you can reactivate or export your data yourself. After that, the stored product data is deleted automatically.
11. Technical and organisational measures
We apply comprehensive technical and organisational measures pursuant to Art. 32 GDPR to protect your personal data: client-side AES-256-GCM encryption, RSA-4096 key exchange, PBKDF2-SHA256 (600,000 iterations) for password derivation, Argon2id password hashing, TLS 1.2/1.3, key-based server access following the least-privilege principle, isolated network zones, login protection, a highly available 3-node cluster with synchronous replication, DDoS protection, zero-downtime deployments, daily encrypted backups with point-in-time recovery, and data minimisation (no IP storage, no tracking, automatic deletion of original files and keys after processing).
Our hosting infrastructure (Hetzner Online GmbH, Nuremberg) is certified to ISO/IEC 27001:2022 and holds a BSI C5 Type 2 attestation.
Despite all precautions, no data transmission over the internet can be guaranteed to be completely secure. We continuously review and improve our security measures.
12. Right to lodge a complaint
Without prejudice to any other remedy, you have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR). The competent authority for Austria is:
Austrian Data Protection Authority
Barichgasse 40-42, 1030 Vienna
Phone: +43 1 52 152-0
www.dsb.gv.at
We kindly ask you to contact us first at datenschutz@scryp.at so we can resolve your concern.
13. Processors
The following providers process personal data on our behalf:
Website, API, encrypted data storage (K3s cluster, S3 object storage) · Germany (EU)
GPU-based transcription, audio processing · Vienna, Austria (EU)
Email verification, password reset, system notifications · France (EU)
Payment processing, subscription management, invoicing · Ireland (EU)*
Receiving and handling support requests via Microsoft 365 · Ireland (EU)*
* The contracting party is the respective European entity (Ireland). Where data is transferred to the USA in the course of providing the service, this is based on the EU-US Data Privacy Framework (DPF) and EU Standard Contractual Clauses (SCCs).
Data processing agreements pursuant to Art. 28 GDPR are in place with all processors.
14. Changes to this Privacy Policy
We may adapt this Privacy Policy when needed, e.g. for changes to our services or the legal situation. The current version is always available on this page. For material changes affecting your rights, we will notify you by email to the address stored in your account.
Last updated: 16 March 2026