Transept
For your IT and security team

Security & Data

Last updated: June 1, 2026

The summary

Transept is a translation workspace. When you submit text, we send it to an AI provider to translate, store the result in our database, and let you edit it. This page explains everything around that — where the data lives, who can see it, and what we promise not to do with it. The full legal text lives on the Privacy Policy; this page is the plain-English version.

  • We do not use your content to train AI models — not ours, not our providers’.
  • Your data lives in the EU — application and database hosted in Germany (Hetzner).
  • Encrypted in transit and at rest — TLS 1.2+ on every connection, AES-256 on disk.
  • You own your content — we hold a narrow processing license, no ownership claim. Delete your account and your data goes with it.
  • DPA available on request — for business customers, we sign a Data Processing Agreement covering GDPR Article 28 obligations.

What we do with your content

When you submit text for translation, three things happen:

  1. Your text is stored in our database as part of your document.
  2. For each translation request, the relevant block is sent to an AI provider over an encrypted connection. The provider returns the translation, which we store as a new block version.
  3. Your text stays in your document until you delete it (or delete your account). It is never used to train any AI model.

What we do not do:

  • We do not sell your data.
  • We do not use your content to train models — ours or anyone else’s.
  • We do not share your content with advertisers or third-party marketing platforms.
  • We do not scan your connected Google Drive or Notion workspace. We only see files you explicitly pick to import.
  • We do not run our own foundation models or fine-tune on customer data.

Where your data lives

Transept’s application servers and database run on Hetzner Online GmbH, a European hosting provider with data centers in Germany. Your account, your documents, your translations, your glossaries and styleguides — all of it sits on EU infrastructure.

When you translate, the relevant block of text is sent to an AI provider for the duration of that request. Most AI providers (Anthropic, OpenAI, Google) process requests in the US under contractual data-protection commitments and, where applicable, the EU–US Data Privacy Framework or Standard Contractual Clauses (SCCs). Once the translation is returned, no copy of your content remains with the provider beyond their short-term operational logging — see each provider’s privacy policy for specifics.

Encryption

  • In transit — TLS 1.2 or higher on every connection between your browser, our servers, and AI providers. HTTPS-only; HTTP is redirected.
  • At rest — database and disk storage encrypted with AES-256.
  • Backups — encrypted at rest, retained 30 days, then overwritten.
  • Authentication — passwordless sign-in via short-lived email one-time codes or Google OAuth. We do not store passwords. Session tokens are stored in your browser’s local storage.

Who can access your data

Production access is restricted to a small number of named operators (currently the two co-founders), authenticated via SSH keys with audit logging. Customer content is not accessed in routine operations.

To investigate a translation issue or other support request, we ask for your permission and for the specific document before opening it. Admin-panel access to user accounts is logged and auditable; sensitive actions (role changes, impersonation, credit adjustments) write permanent audit-log entries.

AI providers and training

Translation requests are sent to one of the following providers, depending on the model you choose:

  • Anthropic — Claude family models, via Anthropic API. Anthropic’s commercial API does not train on customer inputs or outputs.
  • OpenAI — GPT family models, via OpenAI API. OpenAI API data is not used to train models by default for API customers.
  • Google — Gemini family models, via Vertex AI / Gemini API. Customer data submitted through these APIs is not used to train Google’s foundation models.
  • Groq — Llama-family and other models hosted on Groq for fast inference. Groq’s API does not train on customer data.
  • OpenRouter — gateway to additional models. Underlying provider terms vary by model. For workloads where the training-opt-out matters, pin your translations to a known provider (Anthropic, OpenAI, or Google).

None of these providers train on your content under the API tiers we use. Transept itself does not run foundation models, does not fine-tune on customer data, and does not retain prompts or outputs for any training purpose.

Sub-processors

The full list of third parties that may process your data on our behalf — names, region, role, and last DPA review date — lives at /subprocessors. Summary:

  • AI translation — Anthropic (US), OpenAI (US), Google / Vertex AI (US, EU regions available), Groq (US), OpenRouter (US). See above.
  • Hetzner Online GmbH (Germany, EU) — application and database hosting.
  • Stripe, Inc. (US / Ireland) — subscription billing and one-time purchases. We never see or store full card numbers; Stripe handles all card data under PCI DSS Level 1.
  • PostHog (EU-hosted) — optional product analytics, only loaded with your explicit analytics consent (opt-in for every visitor).
  • Customer.io (EU workspace) — transactional email (sign-in codes, account notifications, billing receipts) and — only with your explicit marketing consent — product-update emails.
  • Google Tag Manager + Google Ads (US) — analytics and ad-conversion measurement, loaded only with your explicit consent and gated via Consent Mode v2.
  • Meta Platforms (US) — Pixel + Conversions API for ad-conversion measurement, loaded only with your explicit marketing consent.

Material changes to this list (new sub-processor, change of region) will be flagged on this page and at /subprocessors before they take effect for new processing.

Compliance and certifications

Transept is a young company. We follow the substantive obligations of the frameworks below but do not yet hold third-party certifications. We are transparent about what we have and what we don’t.

  • GDPR (EU) and UK GDPR — yes. We comply as a data controller for account and usage data, and as a data processor for content you submit. We offer the full set of data-subject rights, EU data residency for stored content, breach notification within 72 hours, and a DPA on request.
  • CCPA / CPRA (California) and other US state privacy laws — yes. We honor right-to-know, right-to-delete, right-to-correct, and right to opt out of sale or sharing for all US residents (we do not sell personal data).
  • SOC 2 — not yet. We follow SOC 2-aligned practices for access control, encryption, change management, and incident response, but have not undergone a Type 1 or Type 2 audit.
  • ISO 27001 — not certified.
  • HIPAA — Transept is not a HIPAA-compliant platform. Do not submit Protected Health Information.
  • PCI DSS — payment data is handled by Stripe (PCI DSS Level 1). We never see or store full card details.

Data Processing Agreement (DPA)

For business customers, we make a Data Processing Agreement available on request. It covers our obligations as a processor under GDPR Article 28 — including sub-processor disclosures, security measures, data-subject requests, and breach notification.

Email [email protected] with your account email and company details to request a DPA.

Incident response

If we become aware of a personal data breach likely to result in a risk to your rights and freedoms, we will:

  • Notify affected users without undue delay, and within 72 hours where the severity warrants under GDPR Art. 33.
  • Notify the relevant supervisory authority where required.
  • Share what we know about the nature of the breach, the data affected, the likely consequences, and the steps we are taking to contain and remediate.

For service-affecting incidents that are not data breaches (outages, degraded performance), updates are posted via in-app banner and email to active users.

Responsible disclosure

If you find a vulnerability in Transept, please email [email protected] with details. We ask that you:

  • Give us a reasonable window to investigate and fix before public disclosure.
  • Avoid privacy violations, data destruction, or service disruption while testing.
  • Only test against your own account or accounts you have permission to access.

We do not currently run a paid bug-bounty program, but we will acknowledge credible reports and — if you wish — credit the reporter publicly once a fix is shipped.

More information

For the full legal text, see our Privacy Policy and Terms of Service. For anything not covered here, email [email protected].