Skip to content

Privacy Policy

Last updated: February 2026

1. Controller

The controller responsible for data processing on this website within the meaning of the General Data Protection Regulation (GDPR) is:

2. Overview of Data Processing

We process personal data only to the extent necessary to provide a functional website, our content, and our services. The processing of personal data takes place only with the user’s consent or where processing is permitted by law. We do not sell your personal data to third parties.

3. Data We Collect and Legal Basis

a) Account Data

When you create an account, we collect your email address and password (stored in hashed form). If you sign in via Google OAuth or Apple OAuth, we receive your email address and name from the respective provider. Legal basis: Art. 6(1)(b) GDPR (performance of a contract).

b) Usage Data

When you use Scrivi, we store the video URLs you submit, the resulting transcripts, AI-generated summaries, collections, research reports, and your usage preferences (language settings). Legal basis: Art. 6(1)(b) GDPR (performance of a contract).

c) Payment Data

Payment processing is handled entirely by Stripe. We store your Stripe customer ID and subscription ID but never your credit card details. Legal basis: Art. 6(1)(b) GDPR (performance of a contract).

d) Analytics Data

We use PostHog for product analytics to understand how users interact with the service. This includes page views, feature usage events, and technical metadata (browser type, screen size). Analytics data is only collected after you give your explicit consent via the cookie consent banner displayed on your first visit. Legal basis: Art. 6(1)(a) GDPR (consent). You can withdraw your consent at any time by clicking “Cookie settings” in the website footer and selecting “Decline.”

e) Server Log Data

When you access our website, your browser automatically transmits certain data including IP address, date and time of access, browser type and version, and operating system. This data is used for ensuring the security and stability of the service. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in security and stability).

4. Google User Data

If you choose to sign in with Google, Scrivi accesses your Google account data through Google OAuth 2.0 with the following scopes: openid, email, and profile. This section describes how we handle Google user data in compliance with Google’s API Services User Data Policy, including the Limited Use requirements.

a) Data We Receive from Google

When you sign in with Google, we receive only your email address and display name. We do not request access to your Google Drive, contacts, calendar, or any other Google service.

b) How We Use Google User Data

Your Google email address and name are used solely for the purpose of creating and identifying your Scrivi user account. We do not use Google user data for advertising, retargeting, or any purpose unrelated to providing and improving the Scrivi service.

c) How We Store Google User Data

Your email address and name are stored in our Supabase-hosted PostgreSQL database with row-level security enabled. Authentication tokens are managed by Supabase Auth and stored as encrypted, HTTP-only session cookies in your browser.

d) Sharing of Google User Data

We do not sell, rent, or trade your Google user data to any third party, including advertising platforms, data brokers, or information resellers. Your Google user data is shared only with Supabase Inc. (our database and authentication provider) as necessary to operate the service.

e) Retention and Deletion of Google User Data

Your Google user data is retained for the duration of your Scrivi account. When you delete your account (available at any time via the Settings page), all associated data — including the email and name received from Google — is permanently deleted from our systems. You may also request deletion by contacting us at support@scrivi.app.

f) Limited Use Disclosure

Scrivi’s use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

  • We only use Google user data to provide and improve user-facing features of Scrivi (account authentication).
  • We do not transfer Google user data to third parties except as necessary to provide the service, to comply with applicable laws, or as part of a merger/acquisition with prior user notice.
  • We do not use Google user data for serving advertisements.
  • We do not allow humans to read Google user data unless we have your affirmative consent, it is necessary for security purposes, to comply with applicable law, or the data is aggregated and anonymized for internal operations.

5. Chrome Extension

Scrivi offers a Chrome browser extension that allows you to transcribe videos directly from supported platforms. This section describes how the extension handles your data.

a) Permissions and Their Purpose

  • activeTab — Used to detect the URL of the page you are currently viewing to determine if it contains a supported video.
  • tabs — Used to open new tabs for the OAuth sign-in flow (Google/Apple) and to query the current tab for video detection.
  • storage — Used to store your authentication tokens, theme preference, and transcription button setting locally in your browser via chrome.storage.local.
  • sidePanel — Used to open the Chrome Side Panel where you can view full transcripts, summaries, and use the Ask AI feature.
  • cookies — Used to read your existing Scrivi session cookie from scrivi.app so the extension can authenticate without requiring a separate login if you are already signed in on the website.
  • scripting — Used to inject a small script into scrivi.app tabs to securely extract your authentication session during the OAuth sign-in flow.

b) Host Permissions

The extension requests access to scrivi.app only. This is used to make authenticated API calls to the Scrivi backend and to read session cookies for authentication. The extension does not read, collect, or transmit any content from the video platforms you visit — it only detects the page URL to identify supported videos.

c) Content Scripts

The extension injects a content script on YouTube, Instagram, TikTok, X (Twitter), and Facebook pages. This script reads only the page URL to detect if a supported video is present and displays a floating “Transcribe” button. It does not read page content, form data, or any other information from these websites.

d) Data Stored Locally

The extension stores the following data locally in your browser using chrome.storage.local: authentication tokens (access and refresh tokens), your email address (for display in the popup), theme preference (light/dark), and the transcribe button visibility setting. This data never leaves your browser except when authentication tokens are sent to scrivi.app for API requests.

e) Data Transmitted

When you click “Transcribe,” the extension sends only the video URL to the Scrivi API at scrivi.app. All transcription processing happens server-side. The extension does not transmit browsing history, page content, or any data to third parties. All communication is encrypted via HTTPS.

6. Third-Party Processors

We use the following third-party services to operate Scrivi:

  • Supabase Inc. (USA) — Database hosting and authentication. Data is stored on Supabase-managed PostgreSQL servers with row-level security.
  • Stripe Inc. (USA) — Payment processing. Stripe processes all payment information. See Stripe’s privacy policy.
  • OpenRouter / Google (USA) — AI summarization via Gemini. Transcript text is sent to generate summaries. No personal data beyond transcript content is shared.
  • Supadata — Video caption extraction. Video URLs are sent to retrieve publicly available captions.
  • PostHog Inc. (USA) — Product analytics. Anonymous usage events are collected to improve the service.
  • Vercel Inc. (USA) — Website hosting and delivery.

7. International Data Transfers

Some of our third-party processors are based in the United States. Data transfers to the US are carried out on the basis of the EU-US Data Privacy Framework or Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR. You may request a copy of the applicable safeguards by contacting us.

8. Cookies and Local Storage

Scrivi uses technically necessary cookies for authentication (Supabase session cookies). These are essential for the service to function and are set on the basis of Art. 6(1)(b) GDPR. We also use localStorage for user preferences such as theme selection and onboarding state. Analytics cookies (PostHog) are only set after you give explicit consent via our cookie consent banner. Your consent choice is stored in localStorage under the key scrivi_analytics_consent and can be changed at any time via the “Cookie settings” link in the footer. The Chrome extension uses chrome.storage.local for authentication tokens and user preferences (see Section 5). We do not use advertising or tracking cookies.

9. Data Retention

Your account data and transcriptions are retained for the duration of your account. When you delete your account, all personal data including transcriptions, summaries, collections, research reports, and profile information are permanently deleted. Payment records may be retained as required by tax and commercial law (typically 6–10 years under German law, § 147 AO, § 257 HGB).

10. Your Rights Under GDPR

You have the following rights regarding your personal data:

  • Right of access (Art. 15 GDPR) — You can request information about what personal data we store about you.
  • Right to rectification (Art. 16 GDPR) — You can request correction of inaccurate data.
  • Right to erasure (Art. 17 GDPR) — You can request deletion of your data. You can also delete your account at any time from the Settings page.
  • Right to restriction of processing (Art. 18 GDPR) — You can request that processing of your data be restricted under certain conditions.
  • Right to data portability (Art. 20 GDPR) — You can request to receive your data in a structured, machine-readable format.
  • Right to object (Art. 21 GDPR) — You can object to data processing based on legitimate interest at any time.
  • Right to withdraw consent (Art. 7(3) GDPR) — Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at support@scrivi.app.

11. Right to Lodge a Complaint

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement, if you consider that the processing of personal data relating to you infringes the GDPR (Art. 77 GDPR).

12. Account Deletion

You can delete your account at any time from the Settings page. This permanently removes all your data including transcriptions, summaries, collections, research reports, and profile information. Active Stripe subscriptions are cancelled automatically upon account deletion.

13. Changes to This Policy

We may update this privacy policy from time to time. Changes will be posted on this page with an updated date. We encourage you to review this policy periodically.

14. Contact

For privacy-related questions or to exercise your rights, contact us at support@scrivi.app.