Back to Home

Privacy Policy

Effective date: 2026.07.06.
Version: 1.0

1. Introduction — Our EU-sovereign approach

Secure Academic Studio's data processing is built on the principle of "data protection by design and by default" set out in Article 25 GDPR. What distinguishes us from many of our competitors is that user data is processed within the territory of the European Union, with European providers:

Payment for premium features and invoicing are handled by Creem (Armitage Labs OÜ, Estonia), which acts as Merchant of Record (reseller). Creem is established within the European Union, so its data processing is directly subject to the EU GDPR (for the jurisdictional details, see Section 6).

Here we highlight a key fact that lies at the heart of our payment architecture: we ourselves do not transfer any personal data to Creem. The customer enters their payment and billing details directly on Creem's interface, and only a single anonymous transaction identifier is returned into our system — we never receive or store a name, e-mail address, billing address or card details (see Section 4.8). The only genuinely US-based processor in the chain is Google LLC, whose services performed in the EU region are strictly limited at the contractual, technical and architectural levels alike (see Section 6).

A significant portion of our tools runs exclusively in your browser, locally. Even for our AI-based premium tools, we use an architecture designed to minimise the transfer of user data. We do not use tracking, we do not create profiles, and we do not share data with third parties for marketing purposes. Our own server handles the processed user content on a storage-free basis, acting solely as a network intermediary and metadata handler.

2. Identification of the Data Controller

Under Article 37 GDPR we are not required to appoint a Data Protection Officer (DPO), as our activities do not involve large-scale processing of special categories of data or regular and systematic monitoring. For data protection matters, we are available at the e-mail address above.

3. Principles of Data Processing

We process your data in accordance with the principles set out in Article 5 GDPR: lawfully, fairly and transparently. We request only the data strictly necessary for the specified purposes (data minimisation), and we store it only for as long as necessary to achieve the purpose or as required by legal provisions (storage limitation). We do not use automated decision-making or profiling that would produce legal or similarly significant effects on you.

4. Categories of Data Processed

4.1. Visiting the website (Hosting)

4.2. Use of local (client-side) tools

A significant portion of our tools (e.g. PDF Merger, PDF Splitter, Image/EXIF Metadata Remover, Document Metadata Cleaner, Secure PDF Redactor) runs entirely in your browser. The files and texts to be processed do not leave your device, are not transmitted to our servers, and are not transmitted to any processor.

4.3. Bank Statement Converter (Stateless RAM architecture)

The Bank Statement Converter tool operates in a hybrid manner, with two privacy-enhancing layers:

4.4. Academic Proofreader (Stateless RAM architecture)

For the Proofreader tool, the text of the uploaded document (.docx or .pdf) is extracted in your browser, and the extracted text is then transmitted to the Google Cloud Gemini Enterprise Agent Platform for grammatical, spelling and stylistic analysis using the same Stateless RAM mechanism described for the Bank Statement Converter. The text data is never written to our server's physical storage.

Please note that this means: the textual content of the document is transmitted for processing. Before uploading a sensitive, unpublished or confidential document, we recommend that you consider what content you share. If it concerns particularly sensitive material (e.g. unpublished research results), we recommend removing personally identifying parts (name, institution, references) in advance.

4.5. Transcriber application (audio transcription)

The Transcriber is the most complex application in our portfolio and the one designed with the greatest care from a data protection standpoint. It provides text transcription of audio files with the help of the Google Cloud Gemini 3.5 Flash Multimodal model. The architecture ensures that not a single byte of user content is written to the physical storage of our own Hetzner server, either on the input (audio) or the output (transcript) side.

Technical parameters and supported formats:

Pre-flight Check (advance notice): Before uploading, a user interface modal shows the expected credit cost, the available balance, information regarding content filtering, and the conditions for credit refunds. In accordance with Article 13 GDPR, this feature provides specific, contextualised information at the very moment immediately before processing begins.

4.5.1. The Transcriber data flow: four phases

A) Input upload (direct, bypassing our server): The audio file uploaded by the user is transferred directly from your browser to the "pending/" folder of Google Cloud Storage using a short-lived GCS Signed URL access code. The file NEVER passes through the memory or file system of our Hetzner server. The original file name is replaced by the frontend with a random identifier before the file leaves the browser.

B) AI processing: The Google Cloud Gemini Multimodal model performs the transcription and returns the text in JSON format, broken down by speaker (diarized).

C) Output handling (Stateless RAM-to-Bucket): The JSON transcript arriving from Gemini returns to our Hetzner server. This is an unavoidable architectural step for three reasons: (1) the API call must be authenticated with our private Service Account key, which cannot be present in the user's browser; (2) our server must see the result of the processing for the purpose of credit accounting and the automatic refund applicable in the event of content filtering; (3) Google Gemini's synchronous API architecturally does not support direct bucket writes to a live user interface.

We solve this step with the Stateless RAM-to-Bucket pattern: the server receives the transcript solely in its memory (RAM) and, within a fraction of a millisecond, uploads it to the "results/" folder of Google Cloud Storage. The transcript is NEVER written to the server's physical storage (HDD/SSD). Only a sterile status update is recorded in the database (status: 'done'); the transcript itself is NOT. The Node.js Garbage Collector immediately overwrites the memory area. The entire transfer takes place under TLS 1.3 encryption.

D) Download and On-Demand Erasure: The user interface downloads the transcript directly from Google Cloud Storage to your device using another 1-hour Signed URL. After a successful download, the frontend automatically calls our On-Demand Erasure endpoint, which immediately destroys the transcript file from GCS. If the download is interrupted, the same file is available again with a new Signed URL, as long as the file physically exists under the 24-hour Bucket Lifecycle Rule.

4.5.2. Three-level destruction protocol

Both the input (audio) and the output (transcript) are subject to the same symmetric three-level destruction protocol. The protocol operates uniformly within the Google Cloud Storage bucket, regardless of folder type.

4.5.3. Force Delete — the self-service implementation of Article 17 GDPR

An extended Force Delete button is available in the Transcriber user interface. With a single click, both the input audio and the output transcript file are immediately and irreversibly deleted from Google Cloud Storage, along with the corresponding entry in the gcs_lifecycle_tracking table. This feature is a direct, real-time, user self-service implementation of Article 17 GDPR (the right to erasure).

4.5.4. Internal database tables (anonymous metadata)

For the operation of the Transcriber, two strictly minimised internal technical database tables exist on our Hetzner server:

a) gcs_lifecycle_tracking — used solely to operate the three-level destruction protocol. It contains exactly four fields:

The table EXPLICITLY does NOT contain: IP address, browser data, device identifier, original file name, e-mail address, name, physical address, or any direct or indirect identifier that would identify you as a natural person. Under normal operation (in 99.9% of processing runs), the entry is automatically deleted when processing is completed (typically within 1–5 minutes). In the event of an exceptional error, the maximum theoretical retention time is ~3–4 hours.

b) transcription_jobs — anonymous accounting and settlement metadata. The table does NOT contain any transcript content (the former result_json field has been physically removed from the database). Its content:

The transcription_jobs table is retained for the accounting retention period (8 years) pursuant to Section 169(2) of Hungarian Act C of 2000 on Accounting. Since the table contains only anonymous metadata, this long retention does not pose a problem from a data protection standpoint.

4.5.5. Content filtering (content_blocked)

The Google Cloud Gemini Enterprise Agent Platform has built-in safety filters (Safety Settings) that automatically refuse to process unlawful content (in particular content related to the sexual abuse of children) or content that violates Google's terms of service. In such cases, the user receives a clear, sterilised error code, and the credits used for the process are refunded.

Please note that, under the relevant international and national laws, in the event of the detection of such content the providers concerned may have a reporting obligation towards the competent authorities, regardless of the fact that we ourselves operate on a Zero File Retention principle. This reporting obligation applies to every technology provider worldwide and does not stem from Secure Academic Studio's data processing practice.

We ourselves do not have access to the content of the file, and we cannot modify Google's filter settings. We do not provide a manual review option, since the content filter is operated by Google Cloud and the information required for this is technically not available to us. In the event of a suspected false positive, we recommend splitting the recording into shorter segments with our Audio Splitter local application.

4.5.6. Notice regarding special categories of data

The Transcriber processes audio content which, by its very nature, may also contain special categories of data (Article 9 GDPR: health status, religious or philosophical beliefs, political opinion, sex life, etc.). Use of the service for such a purpose constitutes the user's explicit consent within the meaning of Article 9(2)(a) GDPR. If the user processes recordings that also contain the voices of third parties, it is your responsibility to ensure that the data subjects are informed and have given their consent.

4.6. UI Preferences (Language and Theme)

4.7. Anonymous Feedback

Messages received via the "Anonymous feedback" function available in the footer arrive exclusively on our own server operated at Hetzner. We do not use a third-party form service.

4.8. Purchase and Payment (Creem)

The purchase of premium credits is handled by Creem, which acts as Merchant of Record (reseller). This means that, in legal terms, Creem is the seller towards the customer: Creem processes the payment, it charges and remits the applicable tax (VAT/sales tax), and it issues the invoice to the customer in its own name. During the payment process, the customer is taken to an interface operated by Creem, where they enter their payment details. We do not see or store the card details, the name, the e-mail address or the billing address — these are handled solely by Creem, as an independent controller, in accordance with its own privacy policy.

Data minimisation at the architectural level: For a successful payment, Creem sends a digitally signed (HMAC-SHA256) webhook notification to our server. From this notification, our system reads only two pieces of data: the transaction identifier and the price identifier of the purchased product. The price identifier is translated by a server-side dictionary into the amount of credits to be credited. Apart from these two pieces of data, we do not process or store any field of the message arriving from Creem — we do not link any name, e-mail, address, country or amount to the user.

The "vanishing bridge": When the payment is approved, our system generates a random, anonymous Credit Pack Code, credits the credits to it, and, in a temporary delivery queue, temporarily links the transaction identifier to this anonymous code — solely so that, after a successful purchase, your browser can retrieve the code. As soon as you secure the code (copy it, download it, or return to the applications), your browser sends a signal to our server, which immediately and permanently deletes this delivery queue entry. This permanently severs the link between the transaction identifier and the anonymous credit balance.

After deletion, the transaction identifier is retained solely in a separate register against repeated redemption (replay protection), without any connection to any wallet or credit balance. A Creem transaction identifier in our hands is not, on its own, suitable for identifying you — the person behind it can be identified only by Creem, in its own system.

4.9. Account-free credit system (Credit Pack Code)

Premium features are managed on the basis of anonymous codes (Credit Pack Code), without registration. We do not ask you for an e-mail address, password, or any identifier. The credit balance assigned to the code received at purchase is stored in your browser and in the corresponding database record on our server.

4.10. Customer support communication (Tuta e-mail)

4.11. Supporting our work

If you would like to support the work of Secure Academic Studio, you can do so via the "Support" buttons. Technically this is entirely identical to a standard credit-pack purchase: the support packages contain a symbolic amount of credits, and the purchase takes place through the same Creem process, with the same data protection safeguards described in Section 4.8. Support therefore does not involve a separate, standalone data processing operation.

5. Processors and Third Parties

The technical infrastructure of the service (hosting, e-mail and AI processing) operates with European processors. We do not use Google Analytics or Google Fonts (we serve our fonts from our own server), we do not use external CDNs, and we have no third-party advertising or tracking scripts. We display our Mozilla Observatory A+ and SSL Labs A+ ratings in a static image format (WebP) served from our own server, without click-to-load or any other external request.

Provider Function Status Registered seat Jurisdiction
Hetzner Online GmbH Hosting (VPS, Nuremberg) Processor Germany EU
Armitage Labs OÜ (Creem) Payment and billing (Merchant of Record / reseller) Independent controller Estonia EU
Google Cloud EMEA Limited — Vertex AI / Agent Platform AI processing (Gemini 3.5 Flash Multimodal, EU multi-region) Processor (Zero File Retention, with no-training contract, CMEK activated) Ireland (legal entity) / USA (parent company) EU/EEA (see Section 6)
Google Cloud EMEA Limited — Cloud Storage Temporary storage of audio/transcript files (max. 24 hours, EU multi-region) Processor (three-level destruction protocol, CMEK activated) Ireland (legal entity) / USA (parent company) EU/EEA (see Section 6)
Tuta (Tutao GmbH) Customer e-mail (privacy@, support@) Processor Germany EU

Our Google Cloud contract includes the official Cloud Data Processing Addendum, which provides contractual safeguards meeting the requirements of Article 28 GDPR and expressly excludes the use of user data for training AI models.

6. Data transfers within and outside the European Union

6.1. Processing within the EU

User data is processed both physically and legally within the European Union in the case of Hetzner (Germany) and Tuta (Germany). With these providers, there is neither a physical data transfer nor a jurisdictional risk outside the EU.

6.2. Google Cloud (Vertex AI and Cloud Storage) and the CLOUD Act issue

With our privacy-conscious readers, we address the following fact with complete honesty: Google LLC is a US-based company, and the parent organisation is in principle subject to the US CLOUD Act, even though the European subsidiary of Google Cloud (Google Cloud EMEA Limited, Ireland) provides the service rendered to us, and the physical data centers are located exclusively within the territory of the EU.

We reduce this residual risk through multi-layered measures:

a) EU multi-region: The configuration of our Google Cloud project uses the "eu" (multiple regions in European Union) region for both Vertex AI / Agent Platform and Cloud Storage. According to Google's contractual commitment, for services configured in the EU region, customer data is processed exclusively within the European Union.

b) Customer-Managed Encryption Keys (CMEK) — activated: The keys used to encrypt data stored on or passing through Google Cloud are owned and managed by us, both for Vertex AI processing and for Cloud Storage. Google cannot decrypt the data on its own, without our keys. At the technical level too, this prevents unauthorised — including authority-based — access.

c) Zero File Retention and three-level destruction: For the Bank Statement Converter and the Proofreader, the processed data passes through via the Stateless RAM mechanism and is not physically stored. For the Transcriber, the three-level destruction protocol guarantees a maximum retention of 24 hours, and in normal operation on the order of seconds.

d) No-training clause: The Cloud Data Processing Addendum expressly excludes the training of Google AI models on our user data.

e) Data minimisation: For the Bank Statement Converter, we send the image anonymised and redacted by the user. For the Transcriber, the original file name does not even leave the user's device — the frontend replaces it with a random identifier.

f) Legal basis: The data transfer to Google Cloud takes place under the Standard Contractual Clauses (SCC) approved by the European Commission and the EU-US Data Privacy Framework (DPF), which Google provides in its official contractual documentation.

We will make the complete contractual documentation and safeguards available on request at the controller's e-mail address.

6.3. Creem (Estonia) and processing within the EU

Payment for premium features and invoicing are handled by Armitage Labs OÜ, trading as Creem (Estonia), with which we have a contractual relationship. As Creem is a company registered within the European Union, payment and billing data processed by Creem falls directly under the EU GDPR, without requiring any third-country adequacy assessment.

a) Architectural data minimisation — our data transfer footprint stays within the EU: From our standpoint, the most important point is that we ourselves do not transfer any personal data to Creem. The customer enters their payment and billing details directly on Creem's interface, and only a single anonymous transaction identifier is returned into our system (see Section 4.8). Consequently, on the part of our data processing there is no data transfer that would take the user's personal data out of the EU.

b) Creem's independent controller responsibility: The payment and billing data is handled by Creem as an independent controller, in accordance with its own privacy policy (https://www.creem.io/privacy). How Creem handles this data within its own organisation falls within Creem's own scope of responsibility and the scope of its own policy.

7. Data security measures

Pursuant to Article 32 GDPR, we apply the following technical and organisational measures:

No system provides absolute security — our goal is to ensure reasonable and proportionate protection in line with the nature and risks of the data processing.

8. Rights of Data Subjects

Under the GDPR you have the following rights:

We do not use automated decision-making or profiling that would produce legal or similarly significant effects on you (Article 22 GDPR).

Self-service deletion mechanism: The Force Delete function of the Transcriber application is a direct, real-time implementation of Article 17 GDPR — with a single click, both the input (audio) and the output (transcript) undergoing processing can be deleted immediately and irreversibly, without having to submit any request.

An important particularity: due to the account-free architecture (Credit Pack Code), we ourselves cannot identify you. For the exercise of certain rights (e.g. access to your credit balance), we therefore need your Credit Pack Code — this is the only key that leads to your credit balance. (In exceptional cases, if the generation of the code is delayed, the Creem transaction identifier may also help you reach support while the purchase is in the delivery queue.)

You may exercise your rights at privacy@secureacademic.com. We respond to requests within a maximum of 1 month pursuant to Article 12 GDPR; in the case of complex or numerous requests, this may be extended by a further 2 months, of which we will notify you.

9. Complaints and Remedies

If you feel that we have violated your data protection rights, please first contact us at the e-mail address above. In addition, you are entitled to lodge a complaint with the Hungarian supervisory authority and to seek a judicial remedy:

National Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság, NAIH)

Users in an EU Member State may also address their complaint to their own national data protection authority.

10. Processing of minors' data

Our service is not intended for users under the age of 16. We do not knowingly collect data from persons under the age of 16. If we become aware that we are processing the personal data of a child under the age of 16 without parental or guardian consent, we will delete the data concerned without delay. If you wish to contact us on behalf of your child, please write to privacy@secureacademic.com.

11. Cookies and local storage

On Secure Academic Studio's own domain we use exactly zero HTTP cookies. There are no tracking, analytics or third-party advertising cookies, and no "Cookie Consent" banner is required either. We manage user preferences using the localStorage technology built into the browser, the data of which is never automatically attached to network requests, unlike classic HTTP cookies.

For details, see our separate Cookie Policy. The local storage mechanisms we use:

Creem checkout cookies: when the purchase process redirects to Creem's payment interface, Creem may place its own cookies on its own domain. These do not fall within the scope of our data processing — Creem's privacy policy applies to them (https://www.creem.io/privacy). On Secure Academic Studio's own domains there are still zero HTTP cookies.

12. Amendments to this Policy

We update this policy as necessary (e.g. in the event of a change in legislation, the introduction of a new service, or a change of processor). The current version is always available by clicking the "Privacy" link in the footer of the page. In the event of significant changes, we place a separate notice on the site.