Privacy & Cookie Policy

This Privacy & Cookie Policy (the “Policy”) explains how RecApp.Work ("RecApp", “we”, “us” or “our”) collects, uses, shares and protects personal data when you visit recapp.work (the “Site”) or use any RecApp desktop, mobile, API or web service (collectively, the “Services”). It also describes your legal rights and choices under:

the EU General Data Protection Regulation (GDPR);
the UK GDPR & Data Protection Act 2018;
the California Consumer Privacy Rights Act (CPRA, including CCPA 2018);
the Virginia Consumer Data Protection Act (VCDPA);
the Colorado Privacy Act (CPA) citeturn0search1;
the Connecticut Data Privacy Act (CTDPA) citeturn0news46;
the Utah Consumer Privacy Act (UCPA) citeturn0search9;
and similar U.S. state privacy laws that take effect after the date above.

By accessing or using our Services you acknowledge this Policy. You may print or download a copy for your records. If you do not agree, please discontinue use.

1. Key Definitions

Terms such as “personal data”, “controller”, “processor”, “sell” or “share” (as defined by CPRA) carry the meanings given in the applicable legislation. “User” means any natural person who visits the Site or creates an account to use the Services.

2. What Personal Data We Collect

We collect—and have collected during the past 12 months—the categories of data below. Some data is provided directly by you, some is collected automatically or from third parties.

Category (Cal. Civ. Code §1798.140)	Examples	Source	Business / Commercial Purpose
Identifiers	Name, email address, IP address, unique session & API tokens	User; automatic	Account creation, authentication, security, responding to requests
Commercial information	Credits purchased, Stripe payment IDs, invoices	User; Stripe	Process transactions, maintain accounting records, fraud prevention
Internet / electronic activity	Server logs, pages viewed, time stamps, error traces	Automatic	Site analytics, debugging, security monitoring
Audio content	Recordings you import or capture with RecApp	User	Transcription, AI summarisation, translation & other user‑requested features
Inferences	Aggregated usage patterns (e.g. active minutes per week)	Automatic	Improve product, develop new features
Geolocation (coarse)	City/region derived from IP at sign‑in	Automatic; ipapi.co lookup	Fraud prevention, localisation (UI language)

We do not process “sensitive personal information” (CPRA §1798.121) for the purpose of inferring characteristics about a consumer.

3. Legal Bases (EU/UK GDPR)

For users located in the EEA or UK we rely on the following lawful grounds:

Contract (Art. 6 (1)(b)). Processing necessary to provide the Services you request.
Legitimate interests (Art. 6 (1)(f)). E.g. detecting fraud, product analytics, protecting legal claims. We balance these interests against your privacy.
Consent (Art. 6 (1)(a)). For optional analytics cookies and marketing communications. You may withdraw at any time.
Legal obligation (Art. 6 (1)(c)). Tax records, Know‑Your‑Customer checks, responding to lawful requests.

4. How We Use Personal Data

To create and administer your account and authenticate you (session cookies, API keys).
To process payments and issue invoices/receipts via Stripe.
To transcribe, summarise, translate or otherwise transform audio content at your request using AI providers such as AssemblyAI and OpenAI.
To communicate with you about updates, security alerts or support inquiries.
To improve and secure the Services (debugging, analytics, abuse detection, rate‑limiting).
To comply with law, enforce our Terms of Service, or defend our legal rights.

6. Cookies & Similar Technologies

We use first‑party cookies to operate the Site and—only with your prior consent—analytics cookies to understand usage patterns. You can manage preferences via the banner or your browser settings.

Name	Purpose	Type	Lifespan
`session_token`	Maintain logged‑in session; security (SameSite=Lax; HttpOnly)	Strictly necessary	7 days
`csrf_token`	Prevents cross‑site request forgery attacks	Strictly necessary	2 hours
`cookie_consent`	Stores your banner choice (“yes”, “declined”)	Preference	12 months
Google Analytics (`_ga`, `_ga_*`)	Anonymous site statistics (if accepted)	Analytics	13 months (EU) / 24 months (US)

You may also send a browser “Do Not Track” or Global Privacy Control (GPC) signal. Where required by law (e.g. CPRA, CTDPA) we honour such signals as an opt‑out of sale/share and targeted advertising.

7. International Data Transfers

We are headquartered in the European Union (Italy) but rely on cloud vendors and subprocessors in the United States and other jurisdictions. Where personal data is transferred out of the EEA/UK we use Standard Contractual Clauses (SCCs) or another lawful mechanism, complemented by transfer impact assessments and technical safeguards (encryption in transit & at rest).

8. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes outlined above, comply with our legal obligations, resolve disputes and enforce agreements. Audio files and derived transcripts are deleted automatically 30 days after you delete a project or upon account deletion (whichever occurs first), unless legal retention is required.

9. Security

We implement administrative, technical and organisational measures in line with ISO/IEC 27001 practices—including TLS 1.2+, strict transport security, CSP headers, rate‑limiting, encrypted databases (PostgreSQL) and least‑privilege IAM. No system is 100 % secure; you are responsible for safeguarding your password and API key.

10. Your Privacy Rights

10.1 EEA / UK Residents

You have the right to access, correct, erase, restrict or object to processing of your personal data, and to portability and not to be subject to automated decision‑making producing legal effects. You may lodge a complaint with your local supervisory authority (e.g. Garante in Italy, ICO in the UK).

10.2 California Residents (CCPA / CPRA)

You have the right to:

Know the categories and specific pieces of personal information we collected;
Request deletion (subject to exceptions);
Correct inaccurate data;
Opt‑out of “sale” or “sharing” of personal information;
Limit use/disclosure of sensitive personal information;
No retaliation for exercising your rights.

10.3 Virginia, Colorado, Connecticut & Utah Residents

You may:

Access and obtain a portable copy of your personal data;
Request deletion or correction;
Opt‑out of targeted advertising, sale, or profiling in furtherance of decisions that produce legal or similarly significant effects;
Appeal our refusal to act on a request within the timeframe required by local law.

We will respond within 30–45 days (extendable once) as the law permits.

11. Exercising Your Rights

You may submit a request by emailing Contact Us Page or via the in‑app Delete My Account button. To protect your data we will verify your identity (e.g. control of the account email or signed request through your session token). Authorized agents may submit requests on behalf of California residents by following CPRA §1798.105(c).

12. Children’s Privacy

The Services are not directed to children under 13 (or under 16 in the EEA). We do not knowingly collect such data. If you believe we have, contact us and we will delete it as required by COPPA and GDPR.

13. Changes to This Policy

We may update this Policy periodically. If changes are material we will notify you (e‑mail or in‑app banner). Continued use after the effective date constitutes acceptance.

14. Contact

For any questions or concerns about this Policy or our privacy practices, please contact our Data Protection Officer via Contact Us Page.