Privacy Policy

Effective: May 10, 2026 | Last updated: May 10, 2026

1. Data Controller

Hájas Gábor (sole entrepreneur / egyéni vállalkozó)
Registered address: H-8900 Zalaegerszeg, Táncoslapi út 38a, Hungary
Tax number: 66123710-2-40
Individual entrepreneur registration number: 31900683
Email: [email protected]

The service provider has not appointed a separate Data Protection Officer (DPO) as the activity does not meet the GDPR Article 37 thresholds. All data-protection inquiries can be addressed to the email above.

2. Personal Data We Process

Data	Purpose	Legal Basis	Retention
Email address (registered users)	Account creation, login, transactional email (receipts, password resets)	Performance of contract — GDPR Art. 6(1)(b)	While account exists; after deletion: 8 years for billing-related records (Hungarian Accounting Act § 169(2))
Password (stored as bcrypt hash, never in plaintext)	Authentication	Performance of contract — GDPR Art. 6(1)(b)	While account exists
Credit balance & top-up history	Service delivery and billing reconciliation	Performance of contract — GDPR Art. 6(1)(b); legal obligation — GDPR Art. 6(1)(c) (accounting)	8 years from issue of receipt
IP address	Free-trial limitation, abuse prevention, rate-limiting, captcha verification	Legitimate interest — GDPR Art. 6(1)(f)	30 days for trial/security; longer if associated with a paid transaction (then under accounting retention)
YouTube video URL submitted	Subtitle extraction and translation	Performance of contract — GDPR Art. 6(1)(b)	Not stored after the request completes (transient processing only)
Submitted & translated subtitle text	Delivery of the translation result	Performance of contract — GDPR Art. 6(1)(b)	Not stored on our servers after delivery; AI provider retention is governed by their privacy policy (see §3)
Stripe payment metadata (transaction id, amount, status — never card numbers)	Payment reconciliation, refunds, accounting	Performance of contract; legal obligation	8 years

We do not process special-category personal data (Art. 9 GDPR) and we do not knowingly collect data from children under 16.

3. Data Processors and Sub-Processors

The following third parties process personal data on our behalf or are essential to the service. All transfers outside the EEA are made under either an adequacy decision (where applicable) or the EU Standard Contractual Clauses (SCCs).

• Stripe Payments Europe, Ltd. (Ireland) and Stripe, Inc. (USA) — payment processing. Card details are entered directly into Stripe's environment and never reach our servers. Stripe Privacy Policy.
• Resend, Inc. (USA) — transactional email delivery (receipts, password resets, welcome messages). The recipient address and email body are processed for the duration of delivery. Resend Privacy Policy.
• Google LLC (USA) — AI translation via the Gemini API. Submitted subtitle text is processed during translation. Per Google's API terms, prompt content is not used to train Gemini models. Google Privacy Policy.
• Anthropic, PBC (USA) — AI translation via the Claude API, when active as a fallback provider. Per Anthropic's API terms, prompt content is not used to train Claude models. Anthropic Privacy Policy.
• OpenAI, L.L.C. (USA) — AI translation via the OpenAI API, when active as a fallback provider. Per OpenAI's API terms, prompt content is not used to train models. OpenAI Privacy Policy.
• X.AI Corp. (USA) — AI translation via the Grok API, when active as a fallback provider. xAI Privacy Policy.
• Cloudflare, Inc. (USA) — bot-detection captcha (Turnstile) on the signup form. Cloudflare receives the user's IP address, browser User-Agent, and a brief interaction signal during signup challenges. Cloudflare Privacy Policy.
• Hetzner Online GmbH (Germany) — server hosting infrastructure. Servers are located in the EU; no transfer outside the EEA is involved for this processing.
• Webshare Software Company (USA) — outbound proxy used by the YouTube subtitle fetcher (yt-dlp) to avoid datacenter-IP blocks. Only the public YouTube video URL traverses this proxy; no personal user data is sent. Webshare Privacy Policy.

4. Your Rights

Under the GDPR you have the right to:

• Access — receive a copy of the personal data we hold about you (Art. 15)
• Rectification — have inaccurate data corrected (Art. 16)
• Erasure — request deletion of your data, subject to legal-retention obligations (Art. 17)
• Restriction — request restriction of processing in specific cases (Art. 18)
• Data portability — receive your data in a structured, machine-readable format (Art. 20)
• Object — object to processing based on legitimate interest (Art. 21)
• Withdraw consent — at any time, where processing is based on consent (Art. 7)

To exercise any of these rights, write to [email protected]. We will respond within 30 days. We may ask for proof of identity to prevent disclosure to unauthorized parties. Account-level requests (e.g. delete my account) can also be made directly through the app where supported.

5. Data Security

All traffic between your browser and our servers is encrypted via HTTPS/TLS. Passwords are stored as bcrypt hashes (never in plaintext). Provider API keys, payment credentials, and Turnstile secrets stored in our configuration are encrypted at rest using AES-256-GCM with a master key kept separately on the server file system. We do not store card numbers — Stripe handles all card data in compliance with PCI DSS.

While we apply commercially reasonable safeguards, no system is perfectly secure. If you become aware of a security issue affecting your account, please notify us immediately.

6. International Data Transfers

Several of our processors are located in the United States. These transfers rely on either the EU-US Data Privacy Framework (where the processor is certified) or the European Commission's Standard Contractual Clauses (SCCs), supplemented by additional measures such as transport encryption and data minimisation.

7. Cookies

For details on the cookies and similar technologies we use, see our Cookie Policy.

8. Complaints

If you believe your data-protection rights have been violated, you may lodge a complaint with the Hungarian Data Protection Authority:

Nemzeti Adatvédelmi és Információszabadság Hatóság (NAIH)
1055 Budapest, Falk Miksa utca 9-11., Hungary
Phone: +36 1 391 1400
Email: [email protected]
Web: naih.hu

You may also lodge a complaint with the supervisory authority of the EU Member State where you reside.

9. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be notified on the website at least 14 days before they take effect. The current version date is shown at the top of this page.