Privacy Policy

Transept is operated by Mariia Ivakhnenko, sole proprietor, registered at Uralská 689/7, 160 00 Prague 6, Czech Republic. See our Imprint for the full legal notice. Throughout this policy “we”, “our”, and “us” refer to Mariia Ivakhnenko operating as Transept.

This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered translation service.

For a plain-English summary of how we handle data — where it is stored, what we send to AI providers, our training opt-out, and the sub-processors involved — see our Security & Data page. The full sub-processor list lives at /subprocessors; the cookie catalog at /cookies.

Personal information

When you create an account, we collect:

• Email address.
• Name (if provided via Google OAuth).
• Profile picture (if provided via Google OAuth).

Billing information

When you subscribe to a paid plan or buy a credit pack, billing is handled by Stripe. We receive transaction metadata (amount, currency, plan, last four digits of your card, billing country) but never see or store full card numbers, CVCs, or bank account details — those go directly to Stripe under PCI DSS Level 1.

Third-party integrations

When you connect third-party services, we may collect:

• Google Drive — OAuth tokens to access documents you select for import/export.
• Notion — OAuth tokens and workspace information (workspace name, workspace ID) to access pages you select for import/export.

We only access content you explicitly choose to import or export. We do not scan or access your entire connected account.

Usage data

We automatically collect certain information about your device and how you interact with our service:

• Browser type and version.
• IP address.
• Pages visited and time spent on pages.
• Translation history and preferences.

Translation content

We process the text you submit for translation. This content is:

• Sent to AI providers (Anthropic, OpenAI, Google, Groq, OpenRouter) for translation processing.
• Stored in our database as part of your document.
• Retained for registered users until deleted.
• Deleted after 30 days for non-registered users.
• Never used to train AI models — see “AI provider data sharing” below.

We use the information we collect to:

• Provide and maintain our translation service.
• Process your translations using AI models.
• Send you authentication codes and service notifications.
• Process payments and manage subscriptions.
• Improve our service and develop new features.
• Analyze aggregated usage patterns and optimize performance.
• Detect and prevent fraud or abuse.
• Comply with legal obligations.

If you are in the European Union, European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data under the following legal bases:

• Performance of a contract — to provide the translation service you signed up for: account creation, translation processing, billing, exports, and integrations.
• Consent — for optional product analytics (PostHog) and any future marketing communications. You can withdraw consent at any time without affecting prior lawful processing.
• Legitimate interest — for security, abuse prevention, debugging, and service improvement, balanced against your rights and reasonable expectations.
• Legal obligation — to comply with tax, accounting, and law-enforcement requirements where they apply.

When you submit text for translation, we send your content to third-party AI providers to generate translations. These providers are:

• Anthropic (Claude models) — see their privacy policy at anthropic.com/privacy.
• OpenAI (GPT models) — see their privacy policy at openai.com/privacy.
• Google (Gemini models, via Vertex AI / Gemini API) — see their privacy policy at policies.google.com/privacy.
• Groq — see their privacy policy at groq.com/privacy.
• OpenRouter — see their privacy policy at openrouter.ai/privacy.

We do not use your content to train AI models. We use the standard commercial API tiers from these providers, which contractually exclude customer inputs and outputs from being used to train foundation models (Anthropic API, OpenAI API, Google Vertex AI, Groq). Your text is sent only for the specific translation request and is not retained by the provider for training. Provider-side operational logging may apply for short windows per their own policies.

OpenRouter is a gateway to additional models, and underlying provider terms vary by model. For workloads where the training-opt-out matters, pin your translations to a known provider (Anthropic, OpenAI, or Google).

Even with the no-training guarantee, do not submit content you are not legally permitted to share with third-party processors — for example, content covered by NDA, attorney-client privilege, or regulations such as HIPAA (we are not a HIPAA-compliant platform).

To run the service we share strictly necessary data with the following providers. Each is bound by its own privacy policy and, where applicable, a data-processing agreement. The canonical, always-current list lives at /subprocessors.

• AI translation — Anthropic (US), OpenAI (US), Google / Vertex AI (US, EU regions available), Groq (US), OpenRouter (US). Receive only the text submitted for translation; none train on your content under the API tiers we use.
• Hosting and database — Hetzner Online GmbH (Germany, EU). Stores the application, your account data, and your documents. EU data residency.
• Payments — Stripe, Inc. (US / Ireland). Processes subscription billing and one-time purchases under PCI DSS Level 1.
• Product analytics — PostHog (EU-hosted). Loaded only with your explicit analytics consent — opt-in for every visitor, off by default.
• Transactional and marketing email — Customer.io (EU workspace,api-eu.customer.io). Sends sign-in codes, account notifications, the double opt-in confirmation, and (only with your explicit marketing consent) product updates.
• Ads measurement — Google (Tag Manager + Google Ads conversion tracking) and Meta Platforms (Pixel + Conversions API). Loaded only with your explicit marketing-cookies consent. We send hashed email + the click identifier from the original ad click so the campaign owner can attribute a signup to the right ad. We do not share your translation content with ad platforms.
• Search-engine visibility — Bing Webmaster Tools, Google Search Console, IndexNow (Bing, Yandex, Seznam, Naver, Yep). Receive your site URL on content changes; no personal data passes through.

We update this list when sub-processors change. Material additions are flagged on this page, on the Security & Data page, and on /subprocessors before they take effect for new processing.

We send two kinds of email:

• Transactional emails — sign-in codes, account confirmations, billing receipts, security notifications. These are sent on the legal basis of contract performance and cannot be unsubscribed from without deleting the account.
• Marketing emails — product updates, release notes, occasional notes from the team. These are sent on the legal basis of explicit, double opt-in consent. After signup, we ask whether you’d like to receive product emails in an in-app dialog. If you accept, we send a confirmation email; you must click the link in that email before we add you to any campaign. Until you confirm, we send no marketing emails — only transactional ones.

You can withdraw marketing consent at any time from Settings → Email preferences inside the app. Each marketing email also contains a clearly visible unsubscribe link. We keep a record of each consent decision — when it was given, where, and the version of the wording you accepted — to comply with GDPR Article 7(1) (demonstrability of consent).

Transept integrates with third-party services to enhance your workflow. When you connect these services:

Google Drive

• We use OAuth 2.0 to securely connect to your Google account.
• We only access documents you explicitly select for import.
• Exported documents are created in your Google Drive.
• You can disconnect Google Drive at any time from Settings.
• See Google’s privacy policy at policies.google.com/privacy.

Notion

• We use Notion’s OAuth 2.0 to securely connect to your workspace.
• We store your Notion access token, workspace name, and workspace ID.
• We only access pages and databases you explicitly select for import/export.
• When importing, we read page content and convert it for translation.
• When exporting, we create new pages in your chosen location with translated content.
• Comments from your documents can optionally be exported as Notion page comments.
• You can disconnect Notion at any time from Settings, which removes all stored tokens.
• See Notion’s privacy policy at notion.so/privacy.

You can revoke access to these integrations at any time through Settings or directly from the third-party service’s account settings.

Cookies (and equivalent local-storage entries) are opt-in for every visitor. Without your explicit consent we set only essential cookies — the minimum needed to remember your cookie preference, keep you signed in, and protect the site from abuse. The full cookie list with names, durations, and purposes lives at /cookies.

On your first visit the cookie banner is shown. You can pick Accept all, Reject all, or open Customize preferences to toggle Analytics and Marketing categories independently. Silence is not consent — until you make an explicit choice (or accept), no analytics and no marketing cookies fire.

You can change your mind at any time via the Manage cookies link in the footer. Every change is recorded in our consent audit log against the anonymoustransept_anon browser identifier and (after signup) against your account, so we can demonstrate the timeline of your consent if asked.

Essential

Required for the service to work. Always on; no consent needed under GDPR.

• transept_cc — remembers your cookie preference so we don’t ask again on every visit. 1 year.
• transept_anon — anonymous browser identifier used only for our consent-decision audit log. 2 years.
• transept_token / local storage auth token — keeps you signed in. Session-scoped.
• Theme preference (light/dark).
• Security and abuse-prevention cookies set by our infrastructure.

Analytics (off by default)

With your consent, we load PostHog (EU-hosted) and Google Analytics 4 via Google Tag Manager. These track page views, feature usage, and aggregate behavior so we know what to build next. Turn it off any time via Manage cookies; once off, the scripts stop firing and no events are sent.

Marketing (off by default)

With your consent, we load Meta Pixel (via the Conversions API + cookie), Google Ads conversion linker, and LinkedIn Insight Tag — all delivered via Google Tag Manager. These let us attribute paid-ad clicks to signups so the team can see which campaigns actually help. We also set our own first-party transept_attr cookie to retain that first-touch attribution across visits.

Without marketing consent we still capture the utm parameters from a paid-ad landing URL into your tab’s sessionStorage — a first-party, in-tab record that dies when you close the tab — so we can attribute the conversion if you sign up in the same session. No third-party cookies, no cross-session tracking.

Google Consent Mode v2

We use Google Consent Mode v2 so the tags inside Google Tag Manager respect your decision automatically. With consent denied, tags run in “basic” mode (cookieless pings only). With consent granted, full measurement resumes.

Application data and your documents are stored in the EU (Hetzner, Germany). When you use the translation service, your content is processed by AI providers that may be located outside the EU/EEA — primarily in the United States.

Where such transfers occur, we rely on appropriate safeguards under GDPR Chapter V, including:

• European Commission adequacy decisions where they exist.
• Standard Contractual Clauses (SCCs) and, where applicable, the EU–US Data Privacy Framework.
• Vendor contractual commitments that customer content is not used for AI model training and is processed only for the specific request.

A copy of the SCCs we rely on for transfers is available on request — email [email protected].

• Account data — retained for as long as your account is active. Inactive accounts (no sign-in for 12+ months) may be deleted with prior email notice.
• Documents and translations — retained until you delete them or delete your account. Deletion is irreversible.
• Non-registered users — translation data is automatically deleted after 30 days.
• Server logs — retained for 90 days for security, debugging, and abuse prevention.
• Backups — encrypted at rest, retained 30 days then overwritten.
• Billing records — retained for at least 7 years to comply with tax and accounting obligations, even after account deletion. Billing records contain transaction metadata only (amount, date, plan), never your translation content.

After account deletion, residual copies of your content may persist in encrypted backups for up to 30 days before being overwritten. They are not accessible for any purpose other than disaster recovery.

EU / EEA / UK / Switzerland (GDPR and UK GDPR)

If you are in the EU, EEA, UK, or Switzerland, you have the following rights:

• Access — request a copy of your personal data.
• Rectification — correct inaccurate personal data.
• Erasure — request deletion of your personal data (“right to be forgotten”).
• Portability — receive your data in a machine-readable format.
• Objection — object to processing of your personal data.
• Restriction — request restriction of processing.
• Withdraw consent — where processing is based on consent (e.g., analytics), withdraw at any time without affecting prior lawful processing.
• Lodge a complaint — file a complaint with your local supervisory authority (your country’s data protection regulator). Contact details for EU authorities are listed at edpb.europa.eu.

California (CCPA and CPRA)

If you are a California resident, you have the following rights:

• Right to know — what personal information we collect, where we get it, why we use it, and who we share it with.
• Right to delete — request deletion of personal information we have collected from you.
• Right to correct — request correction of inaccurate personal information.
• Right to opt out of sale or sharing — we do not sell your personal information, and we do not share it for cross-context behavioral advertising.
• Right to limit use of sensitive personal information — we do not use sensitive personal information for purposes that would require this right.
• Right to non-discrimination — we will not deny service, charge a different price, or otherwise discriminate against you for exercising any of these rights.

Other US states

Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), and other states with comparable privacy laws have substantially similar rights — including access, deletion, correction, portability, and opt-out of targeted advertising or sale of personal data. We honor the same set of rights for all US residents regardless of state of residence.

How to exercise your rights

Email [email protected] with your request and the email address associated with your account. We respond within 30 days (or up to 45 days for complex requests, with notice). We do not charge for the first request in any 12-month period. We may verify your identity before acting on requests, to protect your data from unauthorized disclosure.

We implement technical and organizational measures to protect your data:

• Encryption in transit — TLS 1.2 or higher on every connection between your browser, our servers, and third-party providers. HTTPS-only; HTTP is redirected.
• Encryption at rest — database and disk storage encrypted with AES-256.
• Hosting — application and database run on Hetzner Online GmbH infrastructure in Germany (EU). No customer documents are stored on US servers.
• Access controls — production access is restricted to a small number of named operators on a need-to-know basis, authenticated via SSH keys with audit logging. We do not access customer content unless you have raised a support request that requires it, or where compelled by valid legal process.
• Authentication — passwordless sign-in via short-lived email one-time codes or Google OAuth. We do not store passwords.
• Backups — encrypted at rest, retained 30 days, then overwritten.
• Vulnerability management — dependencies and infrastructure are kept patched on a regular cadence. Report suspected vulnerabilities to [email protected].
• Breach notification — in the event of a personal data breach likely to result in a high risk to your rights, we will notify you and the relevant supervisory authority within 72 hours of becoming aware, as required by GDPR Art. 33–34.

No system is 100% secure. While we apply industry-standard safeguards, we cannot guarantee absolute security.

Where Transept acts as a data processor on your behalf — typically for paid plans where you submit business content for translation — we make a Data Processing Agreement available on request. The DPA covers our obligations under GDPR Article 28, including sub-processor disclosures, security measures, and breach-notification procedures.

Request a DPA by emailing [email protected] with your account email and company details.

Our service is not directed to children. You must be at least the minimum age in your jurisdiction to use Transept:

• European Economic Area (EEA), UK, Switzerland — at least 16, or the minimum age set by your country (some EU member states permit ages 13–15).
• Everywhere else — at least 13.

We do not knowingly collect personal information from children below these ages. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at [email protected] and we will delete it.

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the “Last updated” date. For material changes that affect your rights or expand processing, we will give prior notice by email and, where required, ask for fresh consent.

If you have questions about this Privacy Policy, please contact us:

• Email: [email protected]