Privacy Policy

Last updated: May 2026

Note: This is a convenience translation of the German privacy policy. In case of any discrepancy, the German version shall prevail. View German version →

1. Privacy at a Glance

This website does not use analytics or advertising tracking. All fonts are hosted locally — no connections to Google Fonts or other CDN services are established. Technically necessary connections are made for hosting, payment processing, and licence delivery via the service providers listed below.

2. Data Controller

LokalSkribe UG (haftungsbeschränkt)
Managing Director: Martin Schmid
Zirler Straße 4
82194 Gröbenzell
Germany
Email: [email protected]

3. Hosting

This website is hosted by Hostinger International Ltd., 61 Lordou Vironos str., 6023 Larnaca, Cyprus. When you visit the website, information (e.g. IP address, time of access) is automatically stored in server log files. This serves to ensure smooth operation and IT security. Legal basis under Art. 6(1)(f) GDPR (legitimate interests).

4. Payment Processing (Stripe)

For checkout and payment processing, we use Stripe (Stripe Inc., 354 Oyster Point Blvd, South San Francisco, CA 94080, USA). When you make a purchase, the following data is transmitted to Stripe: name, email address, billing address, payment details (credit card data etc.) and session/transaction identifiers. Stripe processes this data to execute the payment and prevent fraud. As Stripe is based in the USA, personal data may be transferred to the USA. Stripe is certified under the EU–U.S. Data Privacy Framework. Legal basis under Art. 6(1)(b) GDPR (performance of a contract). Stripe's privacy policy: stripe.com/privacy.

5. Order Processing & Licence Management (Cloudflare Worker)

For checkout creation, licence assignment, download delivery, and confirmation email dispatch, we use Cloudflare Workers (Cloudflare Inc., 101 Townsend St, San Francisco, CA 94107, USA). Data processed includes: email address, session and order identifiers, licence data, IP address, and the consent to waive the right of withdrawal. As Cloudflare is based in the USA, personal data may be transferred to the USA. The transfer is based on Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR. Legal basis under Art. 6(1)(b) GDPR (performance of a contract).

Licence validation and updates (api.lokalskribe.eu). During use, the LokalSkribe software contacts our licence server at api.lokalskribe.eu (Cloudflare Workers; Anycast routing, EU-preferred — third-country transfer possible as described in section 5 above) via the following endpoints:

  • /api/validate — periodic licence verification (every 30 days, see Terms § 6b)
  • /api/revoked/check — check for revoked licences
  • /api/version — check for available software updates
  • /api/seats — manage device activations ("Team" and "Office" plans)
  • /api/customer-portal — redirect to the Stripe customer portal (invoices, cancellation)
  • /api/deactivate — release a device activation for a device change
  • /api/diarization/token, /api/diarization/download — short-lived token retrieval and download of the speaker diarization component (optional, when setting up speaker diarization for the first time)

Only the following data is transmitted: licence key, anonymous hardware hash (HWID, see section 9), IP address, and software version number. No audio content, transcripts, file names, or client or project data are transmitted. Legal basis: Art. 6(1)(b) GDPR (performance of contract).

Automatic update checks are enabled by default and can be disabled in the software settings. Manual updates remain possible at any time.

6. Email Delivery (Resend)

For sending the purchase confirmation and licence key, we use the email service Resend (Resend Inc., USA). Your email address and the content of the confirmation email are transmitted to Resend. As Resend is based in the USA, personal data may be transferred to the USA. The transfer is based on Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR. Legal basis under Art. 6(1)(b) GDPR (performance of a contract). For more information: resend.com/privacy

7. No telemetry in AI components (pyannote, OpenTelemetry, HuggingFace)

LokalSkribe integrates several open-source AI libraries that, in their default configuration, may send usage and telemetry data to external servers (in particular pyannote for speaker diarization, OpenTelemetry, and the HuggingFace Hub for model downloads). This telemetry is technically fully disabled in LokalSkribe.

Deactivation is performed before these components are started, using the following environment variables that LokalSkribe sets itself at program startup:

  • OTEL_SDK_DISABLED=true — disables the OpenTelemetry interface
  • PYANNOTE_METRICS_ENABLED=false — disables pyannote telemetry
  • HF_HUB_DISABLE_TELEMETRY=1 — disables HuggingFace Hub telemetry
  • DO_NOT_TRACK=1 — de-facto standard respected by many open-source libraries

Full deactivation was confirmed by a Wireshark analysis of outgoing network traffic under production conditions: during recording, transcription, and speaker diarization, no data flows to pyannote, OpenTelemetry, or HuggingFace endpoints.

7a. Optional Model and Plugin Downloads

LokalSkribe allows optional components to be downloaded later — in particular alternative Whisper model sizes, the speaker diarization library, and future plugins. These downloads must be explicitly triggered by the user and are visibly shown in the software interface.

Downloads are obtained from two sources:

  • api.lokalskribe.eu (Cloudflare Workers; Anycast routing, EU-preferred) — for the speaker diarization component and our own plugin packages. Only the licence token (see section 5) and the component name are transmitted.
  • HuggingFace Hub (Hugging Face Inc., USA) — for AI models (e.g. Whisper Large-v3). Only the model ID and technical headers (user agent, library version) are transmitted. No user or account data is transmitted, as HuggingFace models can be downloaded anonymously (legal basis: Art. 6(1)(f) GDPR, legitimate interest in providing the requested AI models).

8. Newsletter (Hostinger Reach)

If you subscribe to our newsletter, we use the service Hostinger Reach (Hostinger International Ltd., Cyprus) as a technical data processor (Art. 28 GDPR). Registration uses a double opt-in process: after entering your email address, you will receive a confirmation email and must actively confirm your subscription. We only store your email address, the time of confirmation and a promo-code token (for the one-time welcome discount). We do not share your data for advertising purposes with third parties; technical processing is carried out exclusively by the listed data processors (Hostinger Reach for the dispatch, Resend for the confirmation email, Stripe for the promo code). You can unsubscribe from the newsletter at any time via the unsubscribe link in every email or by writing to [email protected]. Storage period: registration token 48 hours, confirmed newsletter address until withdrawal (max. 12 months inactivity), promo-code token until redemption or expiry on 30.06.2026. Legal basis: Art. 6(1)(a) GDPR (consent), Art. 6(1)(f) GDPR (legitimate interest in spam protection for IP address and timestamp).

9. Licence Activation and Hardware Fingerprint (HWID)

When you activate your licence, an anonymised hardware hash (HWID) is generated and stored on our licence server. This hash is calculated using SHA-256 from non-personal system characteristics. No personal device data such as serial numbers, usernames or MAC addresses is stored in plain text. The HWID is used solely to associate the licence with a device and to prevent multiple activations. Legal basis: Art. 6(1)(b) GDPR (performance of contract).

10. Licence Blocking upon Refund

In the event of a refund, the licence status in our system is set to "blocked". The data associated with the licence (email address, hardware hash) is not deleted but retained for traceability and to prevent misuse. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in preventing misuse).

10a. Online Withdrawal Form (§ 356a German Civil Code)

When you use our online withdrawal button "Withdraw contract" at cancel-purchase.html, we process the following data to handle your withdrawal:

Data collected: Name, order number / licence key, email address (mandatory form fields). For technical reasons we additionally process your IP address and the time of receipt (date + time) to issue the receipt confirmation.

Purpose: Fulfilment of the statutory obligation to provide an online withdrawal function and to confirm receipt pursuant to § 356a German Civil Code (implementation of EU Directive 2023/2673). Subsequent verification of the validity of your withdrawal and, where applicable, processing of the refund.

Legal basis: Art. 6(1)(c) GDPR (compliance with a legal obligation — § 356a German Civil Code) and Art. 6(1)(b) GDPR (contract performance — refund processing).

Recipients: Cloudflare (Workers + KV — backend worker), Resend (email dispatch of receipt confirmation and internal support notification), Stripe (to identify the customer by submitted email/order number — Customer/Subscription/Invoice lookup for refund processing).

Storage period: Data is retained in our KV store (Cloudflare) for 7 days as an audit trail and is then automatically deleted. The email (receipt confirmation to you + internal support notification) is additionally retained for the duration of statutory retention obligations (6 years under § 257 HGB for commercial letters, 10 years under § 147 AO for accounting-relevant documents in case of valid withdrawal).

Your rights: You have the right at any time to access (Art. 15 GDPR), rectification (Art. 16 GDPR), erasure (Art. 17 GDPR — to the extent that statutory retention obligations do not stand in the way), and to lodge a complaint with the competent supervisory authority (Art. 77 GDPR — BayLDA Ansbach).

10b. Cookies, local storage and external content

Cookies: We do not set any non-essential cookies on this website. Only strictly necessary session cookies of the hosting provider Hostinger are used; without them the website would not work (legal basis: § 25 para. 2 no. 2 TDDDG).

Local storage (LocalStorage / SessionStorage): We do not use local browser storage for tracking purposes. Any technically necessary storage occurs solely within the functionality of the requested page.

Analytics / tracking tools: We use no web analytics or advertising tracking whatsoever. There is no embedding of Google Analytics, Matomo, Hotjar, Plausible or similar services.

External content (third-party content): On individual pages we embed the professional liability insurance badge of Exali AG (https://www.exali.de) as an external image. When retrieving these pages, your browser therefore transmits your IP address and browser user agent to Exali. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in trust seals for insurance transparency). Exali's privacy policy is available at https://www.exali.de/datenschutzerklaerung.

10c. Overview of all data processors / recipients

The following table summarises all services used, their role, and the data flows (Art. 13(1)(e) GDPR):

Service Role Purpose Data categories Legal basis Transfer Storage
Hostinger
(Hostinger International Ltd., Cyprus)
Data processor (Art. 28 GDPR) Website hosting IP address, user agent, request data Art. 6(1)(f) GDPR EU (Cyprus), DPA in place 30 days (server logs)
Cloudflare
(Cloudflare Germany GmbH, Munich)
Data processor (Art. 28 GDPR) CDN, DDoS protection, Worker backend, KV store (licences) IP address, licence key, HWID hash, email Art. 6(1)(b) and (f) GDPR EU (Frankfurt + Munich), DPA+SCCs Licence data: until contract end + retention periods
Stripe
(Stripe Payments Europe Ltd., Ireland)
Own controller (PCI-DSS); processor for our accounting Payment processing, invoice generation, subscription management, customer portal Name, address, email, payment data (card/SEPA), invoice number Art. 6(1)(b) GDPR (contract) + Art. 6(1)(c) GDPR (accounting) EU (Ireland), USA (DPF-certified) 10 years (accounting: §§ 147 AO, 257 HGB)
Resend
(Resend Inc., USA)
Data processor (Art. 28 GDPR), SCCs Transactional emails (licence mail, withdrawal/cancellation confirmation, newsletter confirm) Email address, email content Art. 6(1)(b) and (f) GDPR USA, EU Standard Contractual Clauses (SCCs) Dispatch logs ~30 days; email content deleted after dispatch
Hostinger Reach
(Hostinger International Ltd., Cyprus)
Data processor (Art. 28 GDPR) Newsletter dispatch (only with active subscription) Email address, confirm token, opt-in timestamp Art. 6(1)(a) GDPR (consent) EU (Cyprus) Until unsubscribe (max. 12 months inactivity)
Exali AG
(Augsburg, Germany)
Third-party content provider (own controller) Display of professional liability insurance badge IP address, user agent when loading the badge Art. 6(1)(f) GDPR (insurance transparency) Germany Responsibility of Exali (see their privacy policy)

11. Retention Periods

Server logs (Hostinger): Access data is automatically deleted after 30 days.

Purchase data (Stripe): Transaction and payment data is retained for the duration of the statutory retention obligation (10 years under German tax law, § 147 AO, 257 HGB).

Licence data (Cloudflare KV): Licence keys, email addresses and associated activation data are retained for the duration of the contractual relationship and subsequently for the duration of the statutory retention obligations.

12. Locally Hosted Fonts

This website uses the "Inter" typeface, which is hosted locally on our server. No connections to external servers (such as Google Fonts) are established. No personal data is transmitted to third parties when fonts are loaded.

13. SSL Encryption

This website uses SSL encryption for security reasons. An encrypted connection can be identified by "https://" in your browser's address bar and the padlock symbol.

14. Your Rights under GDPR

You have the following rights as a data subject:

Access (Art. 15 GDPR): You may request information about your stored personal data.
Rectification (Art. 16 GDPR): You may request the correction of inaccurate data.
Erasure (Art. 17 GDPR): You may request the deletion of your data.
Restriction (Art. 18 GDPR): You may request the restriction of processing.
Data portability (Art. 20 GDPR): You may receive your data in a machine-readable format.
Objection (Art. 21 GDPR): You may object to the processing of your data.
Right to lodge a complaint: You have the right to lodge a complaint with a data protection supervisory authority.

The competent supervisory authority is the Bayerisches Landesamt für Datenschutzaufsicht (BayLDA), Promenade 18, 91522 Ansbach, Germany, www.lda.bayern.de.

For users in the United Kingdom: The UK GDPR (as retained in UK law by the European Union (Withdrawal) Act 2018) applies in addition. The rights described above apply equally under UK GDPR.

15. Liability Insurance Seal (Exali AG)

This website uses an embedded liability insurance seal from Exali AG. The graphic element of the seal is loaded from Exali AG's servers. Due to the technical design of the internet, your IP address is processed to deliver the graphic to your browser. If you click on this seal, you will leave our website and be redirected to Exali AG's servers.

More information can be found in the Exali privacy policy.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest). Purpose: To provide legally required information about professional liability insurance pursuant to the German DL-InfoV in a visually appealing manner.

16. Changes to this Privacy Policy

We reserve the right to update this privacy policy as necessary to reflect current legal requirements or changes to our services.