Privacy Policy

This Privacy Policy describes how Vitalii Sosin PR Beograd, trading as "Loonix" ("Company," "we," "us," or "our"), collects, uses, and protects your information when you use the Transcribe | AI services, which include the Transcribe | AI mobile application for iOS and Android (the "Mobile App") and the Transcribe | AI web application accessible through our website (the "Web App"). The Mobile App and the Web App together are referred to as the "Application" or the "Services." Where iOS and Android differ in the data they process or the SDKs they embed, those differences are noted explicitly throughout this Policy. By using the Application, you acknowledge that you have read and understood this Privacy Policy.

The Data Controller is Vitalii Sosin PR Beograd, a sole proprietor (preduzetnik) registered in the Republic of Serbia and trading under the name "Loonix". Full registration details are provided in Section 11.

We value your privacy and are committed to protecting your personal data by adhering to strict information processing standards, including the EU General Data Protection Regulation (GDPR) where applicable, the Serbian Law on Personal Data Protection ("Zakon o zaštiti podataka o ličnosti"), and other applicable data-protection laws.

1. What Information We Collect

Information You Provide:

• Account Data: When you create an account, we collect your email address. If you sign in through a third-party provider, we receive your email and basic profile information from that provider via Firebase Authentication (see Section 3). The available providers depend on the platform: iOS Mobile App and Web App — Apple, Google or email; Android Mobile App — Google or email (Sign in with Apple is not available on Android).
• Audio Recordings (Mobile App): When you use the transcription feature in the Mobile App, your audio recordings are temporarily transmitted to third-party AI services for processing (see Section 3). The Mobile App does not store your audio recordings on our servers (see Section 5).
• Audio Recordings (Web App): When you upload an audio or video file to the Web App, the file is uploaded to our object storage (Cloudflare R2) for processing and is automatically deleted after seven (7) days. See Section 5 for details.
• Generated Text Content: In the Mobile App, transcriptions, translations and summaries are processed in real-time and are not stored on our servers. In the Web App, the generated transcription text is stored on our servers alongside the source file for the same seven (7) day retention window so that you can view, download, or delete it.
• Payment Data: When you purchase a subscription or minutes pack on the Web App, payment is processed by our payment partners (Polar Software, Inc. for cards / Apple Pay / Google Pay; OxaPay for cryptocurrency). We do not see or store your full card number or wallet credentials. We receive only a transaction identifier, the product purchased and the result of the transaction. See Section 3.

Information Collected Automatically:

• Usage Data: We may collect anonymous information about your interaction with the Application, such as the features you use and the time and duration of your sessions, to analyze and improve our Services.
• Technical Information: We may collect information about your device, including its model, operating system, and unique device identifiers, to ensure the stable performance of the Application.
• Anonymous Device Identifier (Web App): The Web App generates a random anonymous identifier (UUID v4) on your first visit and stores it in your browser's localStorage under the key tr_anon_id. This identifier is used to route your requests to the correct backend shard and to link a guest session to your account if you sign in later. It does not contain personal data and is not used for advertising or cross-site tracking.
• Functional Browser Storage (Web App): The Web App stores authentication tokens, your selected language and theme preferences, and similar functional values in your browser's localStorage. These values are strictly necessary for the Web App to function and are not used for analytics or advertising. The Web App does not set marketing cookies or use third-party analytics, advertising or tracking tools.

2. How We Use Your Information

We use the information we collect for the following purposes:

• To Provide and Maintain the Services: To process your audio recordings, generate transcriptions, provide translations, summaries, title generation, Q&A, and other AI-powered features in real-time.
• Communication: To send you service notifications, information about updates, and to respond to your support inquiries. We will use your email address for this purpose.
• To Improve the Application: To analyze anonymous usage trends and optimize our algorithms and user interface.
• Security: To protect our Services and users from fraudulent or illegal activity.

3. Data Transfer to Third-Party Service Providers

To deliver the Services, we use the following third-party processors. Each one acts on our behalf under a data-processing arrangement and is permitted to use your data only for the purposes described below.

3.1 AI processors (Mobile App and Web App)

• ElevenLabs, Inc. — speech recognition and transcription. Your audio recordings are transmitted to ElevenLabs servers for processing into text. See ElevenLabs Privacy Policy.
• Google LLC (Google Gemini) — AI assistant features, translation, and summaries. Your transcribed text is sent to Google Gemini to provide AI-powered analysis, translation, title generation, Q&A, custom prompts, and summary features. See Google Gemini API Terms.

3.2 Authentication (Web App)

• Google LLC (Firebase Authentication) — sign-in and account management for the Web App. When you sign in with Apple, Google, or email, Firebase Authentication processes your email address, account identifier, and (for OAuth flows) a token returned by the identity provider. Firebase stores authentication-related cookies on its own auth domain. See Firebase Privacy and Security.

3.3 File storage (Web App)

• Cloudflare, Inc. (Cloudflare R2) — object storage for audio and video files uploaded to the Web App, and for the resulting transcription text. Files are uploaded directly from your browser to R2 via short-lived pre-signed URLs and are automatically deleted seven (7) days after upload. Cloudflare also provides our content delivery and edge security layer. See Cloudflare Privacy Policy.

3.4 Payment processors (Web App)

• Polar Software, Inc. — processing of card, Apple Pay and Google Pay payments for subscriptions and one-time minutes packs. Polar acts as Merchant of Record, which means that Polar is responsible for processing the payment, charging and remitting any applicable VAT or sales tax, and issuing invoices. Polar receives the information necessary to process the payment (card data entered on the Polar checkout, billing email, billing country and amount). We receive only the transaction identifier, the product purchased and the transaction status. See Polar Privacy Policy.
• OxaPay — processing of cryptocurrency payments (BTC, USDT, USDC and others) for one-time minute packs. OxaPay receives the data necessary to generate and verify the on-chain payment. We receive only the invoice identifier, the product purchased and the payment status. See OxaPay Privacy Policy.

3.5 Analytics, attribution, crash reporting and push notifications (Mobile App only)

The Mobile App embeds the following SDKs to measure product performance, diagnose crashes, attribute installs to marketing campaigns, and deliver push notifications. These SDKs are not present in the Web App. Some SDKs are present on one platform only; the per-platform availability is indicated in each entry.

• Google Firebase Analytics (Google LLC) — collects first-party product-usage events (screens viewed, features used, session duration) keyed to a Firebase Installation ID, so that we can understand how the Mobile App is used. Data is sent to Google's app-measurement.com and firebaseinstallations.googleapis.com endpoints. See Firebase Privacy and Security.
• Google Firebase Crashlytics (Google LLC) — collects crash reports and stack traces when the Mobile App terminates unexpectedly, so that we can identify and fix bugs. Present on both iOS and Android. See Firebase Privacy and Security.
• Sentry (Functional Software, Inc.) — collects non-fatal error reports, performance traces and stack traces from the Mobile App to help us diagnose runtime issues. See Sentry Privacy Policy.
• Amplitude (Amplitude, Inc.) — first-party product-analytics events (feature adoption, funnels) used to improve the user experience. See Amplitude Privacy Policy.
• AppsFlyer (AppsFlyer Ltd.) — mobile attribution on both iOS and Android. We use AppsFlyer in a restricted mode on both platforms: the SDK is configured to not read device-level advertising identifiers (the iOS Advertising Identifier "IDFA" on iOS, the Google Advertising ID "GAID" on Android) and not perform device fingerprinting. On Android, the com.google.android.gms.permission.AD_ID permission that the AppsFlyer SDK would otherwise add to the manifest is explicitly removed. Attribution relies exclusively on (a) Apple's SKAdNetwork on iOS and the Google Play Install Referrer API on Android — both of which provide aggregated or anonymous install signals without identifying individual users — and (b) OneLink deferred deep links, which match an install to a clicked marketing URL using the link's own parameters. Post-install events such as purchases are reported to AppsFlyer keyed only to your account identifier, not to a device identifier. See AppsFlyer Privacy Policy.
• Google Ads On-Device Conversion Measurement (Google LLC) — iOS only. Measures conversions from Google Ads campaigns in a privacy-preserving way: matching is performed on the device and only aggregate signals are reported. See Google Privacy Policy.
• Firebase Cloud Messaging (Google LLC) — Android only. Receives push notifications dispatched by our backend (for example, service notifications, weekly digest, and product announcements). The SDK obtains a per-installation FCM registration token, which our backend stores so that it can target the device. The token is rotated by Google and contains no personal data; it is invalidated when you uninstall the Mobile App or sign out. On iOS, push notifications are delivered directly via Apple's APNs from our backend, without Firebase Messaging. See Firebase Privacy and Security.

The iOS Mobile App does not request the App Tracking Transparency permission and does not access the iOS Advertising Identifier (IDFA); its privacy manifest declares NSPrivacyTracking = false. The Android Mobile App does not declare the com.google.android.gms.permission.AD_ID permission and does not access the Google Advertising ID (GAID); the corresponding Google Play Data Safety declaration reflects this. None of the analytics, attribution, crash-reporting or messaging SDKs listed above link your data with data collected from other companies' apps or websites for advertising.

User-Configured Third-Party AI Providers

The Application allows you to optionally configure your own third-party AI provider for certain AI text-processing features (such as Smart Search, AI chat within transcriptions, auto-tags, auto-titles, weekly digest, and action cards). The currently supported user-configurable providers are:

• OpenAI (OpenAI, L.L.C.) — GPT-based language models. See OpenAI Privacy Policy.
• Anthropic Claude (Anthropic, PBC) — Claude language models. See Anthropic Privacy Policy.
• xAI Grok (xAI Corp.) — Grok language models. See xAI Privacy Policy.

When you configure a custom AI provider:

• What data is sent: Only transcribed text is sent to the selected provider. Audio recordings are never sent to user-configured providers.
• API Key Storage: Your API key is stored on our servers in encrypted form using AES-256-GCM encryption. The key is used solely to authenticate requests to the provider you selected and is never shared with any other party.
• Your Responsibility: You are responsible for providing a valid API key, monitoring your usage, and any costs charged by the third-party provider. We do not control the pricing, availability, or quality of service of user-configured providers.

Note: Transcription (speech-to-text), real-time text translation, real-time assistant responses, and audio indexing for Smart Search are always processed by the Application's built-in server infrastructure (ElevenLabs and Google Gemini), regardless of your custom provider settings.

Summary of data sent to third parties:

• What data is sent: Audio recordings (to ElevenLabs) and transcribed text (to Google Gemini, and optionally to your selected custom AI provider).
• Who receives the data: ElevenLabs, Inc., Google LLC, and optionally OpenAI, L.L.C., Anthropic, PBC, or xAI Corp. (depending on your configuration).
• Purpose: Solely to provide transcription, translation, and AI analysis features within the Application.

Your data is used solely to provide these services and is processed in accordance with each provider's privacy policy. Each third-party provider is required to protect your data in accordance with their published privacy policies. We do not sell, rent, or share your data with any other third parties for marketing or advertising purposes.

Important: Once your data is transmitted to third-party AI service providers, it is processed according to their respective privacy policies and terms of service. We do not control how these third parties process your data after transmission and are not responsible for their data handling practices. We encourage you to review their privacy policies.

We may also disclose your information if required by law or in response to a valid request from public authorities.

4. User Consent for Third-Party Data Processing

Before using transcription and AI features for the first time, the Application displays a consent dialog informing you about third-party data processing. The dialog provides the following information:

• What data is being sent (your audio recordings and transcribed text)
• Who the data is sent to (ElevenLabs for transcription, Google Gemini for AI features, and optionally your selected custom AI provider)
• The purpose of data processing (transcription, translation, and AI features)

You must provide your explicit consent before any data is sent to third-party AI services. You may choose to allow or decline third-party data processing. If you decline, the transcription and AI features will not be available, but you may change your decision at any time within the Application settings. Your consent preference is stored locally on your device.

By configuring a custom AI provider and providing your API key, you additionally consent to your transcribed text being sent to the selected third-party provider (OpenAI, Anthropic, or xAI) for processing. You may remove your custom provider configuration at any time within the Application settings, after which the Application will revert to using the built-in server infrastructure.

5. Data Storage and Security

Storage policies differ between the Mobile App and the Web App, which reflects the different end-to-end protections each version offers.

5.1 Mobile App — Zero-Storage Policy

The Mobile App applies a strict zero-storage policy for user content. Audio files and the text generated from them are transmitted for processing over a secure, encrypted connection (TLS) and are permanently deleted from our systems immediately after the analysis result has been provided to you in the Mobile App. The Mobile App additionally protects synced content with end-to-end AES-256-GCM encryption.

5.2 Web App — Limited 7-Day Retention

The Web App is a lighter, browser-based version of the Service that does not implement end-to-end encryption. To allow you to review, download and re-process your transcriptions, uploaded audio/video files and the corresponding generated transcription text are stored on Cloudflare R2 object storage (encrypted at rest) for up to seven (7) days from the moment of upload, after which they are automatically deleted. You may also delete an individual transcription manually at any time from within the Web App, which removes it from our systems immediately. The Web App displays a notice on the upload screen reminding you of this retention window.

5.3 Account-level data

Independently of the policies above, we store on our servers: your account information (email and account identifier), the anonymous device identifier (Mobile App and Web App), your minute balance and transaction history, and — if you configure a custom AI provider in the Mobile App — your encrypted API key (AES-256-GCM). We take all reasonable technical and organizational measures to ensure the security of this data during transmission, processing and storage.

While we implement industry-standard security measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee the absolute security of your data during transmission to third-party services.

6. Your Rights

Depending on your location, applicable data-protection law (such as the EU GDPR or the Serbian Law on Personal Data Protection) may grant you the following rights with respect to your personal data:

• the right of access — to obtain confirmation of whether we process your personal data and a copy of that data;
• the right to rectification — to have inaccurate or incomplete data corrected;
• the right to erasure ("right to be forgotten");
• the right to restriction of processing;
• the right to data portability — to receive your account data and Web App transcriptions in a structured, machine-readable format (the Web App also provides direct PDF / DOCX / CSV / TXT / Markdown export);
• the right to object to processing;
• the right to withdraw consent at any time, where processing is based on consent;
• the right to lodge a complaint with a supervisory authority. In Serbia, the supervisory authority is the Commissioner for Information of Public Importance and Personal Data Protection (poverenik.rs). EU residents may contact the data-protection authority in their country of residence.

To exercise any of these rights, please contact us at the email address in Section 11. We will respond within thirty (30) days and may need to verify your identity before fulfilling the request.

Mobile App: because we do not store audio recordings or generated text content, deletion requests apply only to your account data, anonymous usage data and any encrypted custom-provider API key. Web App: in addition to account data, you can delete individual uploaded files and transcriptions at any time from within the Web App; otherwise they are auto-deleted after seven (7) days as described in Section 5.

7. Children's Privacy

Our Application is not intended for use by individuals under the age of 13 (or another age as required by the law in your country). We do not knowingly collect personal information from children. If we learn that we have collected personal information from a child under the applicable age, we will take steps to delete that information promptly.

8. International Data Transfers

Your data may be transferred to and processed in countries other than your country of residence when sent to our third-party AI service providers (ElevenLabs, Google Gemini, and — if configured — OpenAI, Anthropic, or xAI). These countries may have data protection laws that differ from those in your jurisdiction. By using the Application and consenting to third-party data processing, you acknowledge and consent to such transfers.

9. Data Retention

• Account data (email, account identifier, anonymous device identifier, minute balance, transaction history) — retained for as long as your account is active, or as needed to provide the Services and comply with our legal obligations (such as tax and accounting record-keeping under Serbian law).
• Web App uploads and transcriptions — retained on Cloudflare R2 for up to seven (7) days from upload, then automatically deleted (see Section 5.2). You may delete individual items earlier from within the Web App.
• Mobile App audio and generated text — not retained (zero-storage policy; see Section 5.1).
• Custom AI provider API key (Mobile App, optional) — retained in encrypted form for as long as the configuration is active; deleted when you remove the configuration or delete your account.
• Anonymous usage data — may be retained indefinitely in aggregated form.
• Payment records — transaction identifiers and invoice metadata received from Polar and OxaPay are retained for the period required by applicable accounting and tax legislation in Serbia (typically up to ten (10) years).

10. Changes to This Privacy Policy

We may update our Privacy Policy from time to time. The new version of the Policy becomes effective upon its publication within the Application or on our website. We recommend that you periodically review this Policy for any changes. Your continued use of the Application after changes are published constitutes your acceptance of the updated Privacy Policy.

11. MCP Integration (Model Context Protocol)

The Mobile App offers an optional Model Context Protocol (MCP) integration that lets you connect third-party AI assistants and agents to your recordings. MCP is an open standard, so this includes any MCP-compatible client — for example Claude, ChatGPT, and other AI tools or agents that support the protocol. This feature is turned off by default and is governed by the following terms:

• What is shared — when you enable MCP, encrypted copies of your transcriptions and their search indexes are uploaded to our cloud storage (Cloudflare R2). Your audio files are never uploaded for this feature.
• Retention — these copies are stored only while the MCP toggle remains enabled.
• Access — the copies become accessible, on a strictly read-only basis, to the third-party AI applications that you explicitly authorize through OAuth sign-in. You may revoke that access at any time.
• Deletion — when you disable MCP, the cloud copies are deleted within twenty-four (24) hours and all related access tokens are revoked immediately.

By enabling MCP you instruct us to make the above data available to the AI providers you choose to connect. We do not control how those third-party providers process data once you authorize them; please review their respective privacy policies before connecting.

12. Contact Information

If you have any questions about this Privacy Policy, or wish to exercise any of the rights described in Section 6, please contact us:

Data Controller: Vitalii Sosin PR Beograd (trading as "Loonix")

Legal form: Sole proprietor (preduzetnik)

Registered address: Kneza Miloša 15, 11167 Beograd (Vračar), Republic of Serbia

Registration number (Matični broj): 68444683

Tax ID (PIB): 115539784

Email: [email protected]

Website: loonix.dev