verbato

Privacy Policy

Last updated: March 18, 2026

1. Who We Are

Verbato.io ("Verbato," "we," "us," or "our") is an audio and video transcription service operated by Francisco J. Gallucci. We are the data controller for your personal data.

For privacy inquiries, contact us at: privacy@verbato.io

2. What Data We Collect

We collect the following categories of personal data:

Data You Provide Directly

  • Account information: Your email address and, optionally, your name and profile picture (if you sign up with Google or GitHub). We use this to create and manage your account.
  • Audio and video files: Files you upload or URLs you submit for transcription. These are the files we transcribe for you.
  • Channel links: If you use Verbato via Telegram, WhatsApp, or email, we store the identifier needed to deliver transcriptions back to you (Telegram user ID, WhatsApp phone number, or email address).
  • NPS feedback: If you choose to rate our service, we store your score and any optional comment.
  • Payment information: When you subscribe to a paid plan, your payment details are collected and processed by Stripe, our payment processor. We store only your subscription status, plan type, and Stripe customer ID — never your credit card number or full payment details.

Data Collected Automatically

  • Usage data: We record how you use Verbato — transcription counts, duration processed, formats downloaded, and the method you used (web upload, URL, API, Telegram, WhatsApp, or email). This helps us enforce plan limits and improve the product.
  • Analytics data: With your consent, we collect page views, feature usage events, and device information through PostHog, our analytics provider. Your IP address is anonymized. You can opt out at any time via the cookie settings.
  • Error reports: We use Sentry to collect error reports that help us identify and fix bugs. These may include browser information, request context, and your user ID. Sensitive data (authorization headers, request bodies) is automatically stripped before transmission.
  • Cookies: See Section 8 below for details on the cookies we use.

3. How We Use Your Data

Purpose | Data Used | Legal Basis (GDPR)
Providing the transcription service | Account info, audio/video files, channel links | Contract performance (Art. 6(1)(b))
Delivering transcription results | Transcription outputs, email, channel identifiers | Contract performance (Art. 6(1)(b))
Managing your account and subscription | Account info, payment metadata | Contract performance (Art. 6(1)(b))
Processing payments | Payment details (via Stripe) | Contract performance (Art. 6(1)(b))
Sending transactional emails | Email address | Contract performance (Art. 6(1)(b))
Enforcing plan limits | Usage records | Contract performance (Art. 6(1)(b))
Product analytics and improvement | Analytics events, usage data | Legitimate interest (Art. 6(1)(f))
Error tracking and reliability | Error reports, diagnostic data | Legitimate interest (Art. 6(1)(f))
Preventing payment fraud | Stripe session cookies | Legitimate interest (Art. 6(1)(f))
Marketing emails and product updates | Email address | Consent (Art. 6(1)(a))

We do not use your audio files, video files, or transcription content for any purpose other than providing the transcription you requested. We do not use your content to train AI models.

4. Who We Share Your Data With

We share your data only with the third-party service providers ("subprocessors") necessary to deliver the service. We do not sell your personal data to anyone.

Service Provider | Purpose | Data Shared | Location
Clerk | Authentication and user management | Email, name, session data | US
Stripe | Payment processing | Payment details, email, billing address | US
OpenAI | AI transcription (Pro and Business plans) | Audio file content (not retained by OpenAI) | US
Groq | AI transcription (Free plan) | Audio file content (not retained by Groq) | US
Cloudflare | DNS, CDN, and file storage (R2) | Audio files, transcript files | Global
Supabase | Database hosting | All stored application data | US
Railway | Backend compute hosting | Application data in memory | US
Vercel | Frontend hosting | Request logs, IP addresses | Global
PostHog | Product analytics (basic: always; enhanced: with consent) | Anonymous usage events (basic) or pseudonymized user events (enhanced) | US
Sentry | Error tracking | Error reports, request context | US
Resend | Email delivery | Email address, email content | US

5. Where Your Data Is Processed

All of our primary infrastructure is located in the United States. If you are located in the European Union, European Economic Area, the United Kingdom, or another jurisdiction with data transfer restrictions, your data — including your audio files — is transferred to and processed in the US.

International transfer safeguards: We rely on Standard Contractual Clauses (SCCs) and our subprocessors' own compliance frameworks for lawful international data transfers. Clerk, Stripe, Supabase, Cloudflare, Vercel, PostHog, Sentry, and Resend each maintain their own SCCs and/or participate in recognized data transfer mechanisms. OpenAI and Groq process data under their respective API data processing terms.

6. How Long We Keep Your Data

Data Category | Retention Period | Deletion Trigger
Account data | Until you delete your account | Account deletion request
Audio/video files | Free: 7 days, Pro: 30 days, Business: 90 days | Automatic cleanup or manual deletion
Transcription outputs | Same as audio files (7/30/90 days) | Automatic cleanup or manual deletion
Payment records (Stripe) | 7 years (tax/legal requirement) | Automatic (managed by Stripe)
Analytics events (PostHog) | 1 year | Automatic (PostHog retention)
Error reports (Sentry) | 90 days | Automatic (Sentry retention)

After your plan's retention period expires, your audio files and transcriptions are permanently deleted — first from our database, then from file storage. We cannot recover deleted files.

7. Your Rights

Depending on your location, you have the following rights regarding your personal data:

  • Right to access: View your account data in profile settings and download a complete export from Account Settings.
  • Right to correction: Update your name and email in profile settings. For other corrections, contact privacy@verbato.io.
  • Right to deletion ("right to be forgotten"): Delete your account at any time from Account Settings. This permanently deletes your account, all files, transcriptions, and processing history.
  • Right to data portability: Export all your data in machine-readable format (JSON) from Account Settings.
  • Right to restrict processing: Contact privacy@verbato.io.
  • Right to object: Opt out of analytics via cookie settings. Contact us to object to other processing.
  • Right to withdraw consent: Change cookie preferences at any time via the "Cookie Settings" link in the footer. Unsubscribe from marketing emails using the link in each email.
  • Right to lodge a complaint: You have the right to lodge a complaint with your local data protection supervisory authority.
  • California residents: We do not sell or share your personal information as defined under CCPA/CPRA. See our Do Not Sell My Personal Information page.

How to exercise your rights: Use the self-service options in your Account Settings, or email us at privacy@verbato.io. We will respond within 30 days.

Account Deletion

When you delete your account, we:

  1. Immediately cancel any active Stripe subscription
  2. Permanently delete all your audio and video files from Cloudflare R2
  3. Permanently delete all your transcription outputs from Cloudflare R2
  4. Delete all your data from our database (transcriptions, segments, usage records, channel links)
  5. Delete your user account from Clerk
  6. Request deletion of your person profile from PostHog
  7. Send you a confirmation email (the last email we will send you)

Stripe retains payment records as required by tax and financial regulations. Sentry error reports expire automatically after 90 days.

8. Cookies and Tracking

We use a two-tier analytics approach that lets us understand how Verbato is used while respecting your privacy preferences.

Essential Cookies (Always Active)

Cookie | Set By | Purpose
__client_uat, __session, __clerk_db_jwt | Clerk | Authentication and session management
__stripe_mid | Stripe | Fraud prevention (merchant identification)
__stripe_sid | Stripe | Fraud prevention (session identification)

These cookies are necessary for the service to function. Authentication cookies keep you signed in. Stripe cookies protect against payment fraud.

Anonymous Analytics (Always Active — No Cookies)

We collect anonymous, aggregate analytics to understand how Verbato is used — for example, which pages are visited and which features are popular. This data is collected through PostHog in memory-only mode: no cookies are set on your device, no data is stored in your browser, and no tracking persists across page loads. Each page visit is treated as a separate, anonymous event. We cannot identify you from this data.

Legal basis: Legitimate interest (Art. 6(1)(f)) — we have a legitimate interest in understanding product usage to improve the service, and this anonymous, cookieless approach does not override your privacy rights.

Enhanced Analytics Cookies (Require Your Consent)

Cookie | Set By | Purpose
ph_* (various) | PostHog | Cross-session tracking, user identification, personalized analytics

If you accept enhanced analytics, PostHog stores cookies and localStorage data on your device to track your activity across sessions, link your actions to your account, and provide us with insights like user journeys, retention cohorts, and UTM attribution. This data helps us understand how users like you interact with Verbato over time.

If you choose "Anonymous Only" or reject enhanced analytics, these cookies are never set. You still contribute to aggregate, anonymous analytics (as described above), but we cannot identify you or track you across sessions.

Global Privacy Control (GPC): We detect and honor the Global Privacy Control browser signal. If your browser sends a GPC signal, we disable enhanced analytics and operate in anonymous-only mode.

9. How We Handle Your Files

Your audio and video files are processed entirely on our servers. Here is exactly what happens:

  1. Upload: Your file is uploaded via encrypted connection (TLS) to Cloudflare R2 storage. The original filename is replaced with a random identifier.
  2. Processing: Our worker service sends the audio content to our AI transcription provider (OpenAI for Pro/Business plans, Groq for the Free plan) via encrypted connection. Per their API data policies, neither OpenAI nor Groq retains your audio after processing or uses it for model training.
  3. Storage: The transcript is stored in our database and as a file in Cloudflare R2. Your original audio file remains for the duration of your plan's retention period.
  4. Download: You can download your transcript in various formats. Download links are time-limited and tied to your authenticated session.
  5. Deletion: After your plan's retention period (7, 30, or 90 days), files are permanently deleted by our automated cleanup process. You can also delete any transcription manually at any time.

Files are encrypted at rest (Cloudflare R2 uses server-side encryption) and in transit (all connections use TLS 1.2+).

We do not use your files for any purpose other than providing the transcription you requested. We do not use your files to train AI models. We do not review, listen to, or access your files unless you specifically request technical support that requires it.

10. Children's Privacy

Verbato is not directed to children under the age of 16 (or 13 in jurisdictions where COPPA applies). We do not knowingly collect personal data from children. If we learn that we have collected data from a child, we will delete it promptly. If you believe a child has provided us with personal data, please contact us at privacy@verbato.io.

11. Changes to This Policy

We may update this privacy policy from time to time. When we make material changes, we will notify you by email (if you have an account) or by displaying a notice on the website. The "Last updated" date at the top will always reflect the most recent revision.

12. Contact Us

For any questions or requests regarding your privacy or this policy: