Legal

Privacy Policy

Last Updated: May 1, 2026

1. Controller

The controller responsible for processing your personal data within the meaning of the General Data Protection Regulation ("GDPR") is:

Kribe, operated by Evaldas Matulevičius under a certificate for individual activity (Individuali veikla) in the Republic of Lithuania.

Vilnius, Postal code 03217
Lithuania
Certificate No.: 582900

Email: evaldas@trykribe.com

Our guiding principle is to collect only what is necessary and to process personal data solely to provide you with the service you expect from us.

2. What Is Personal Data?

Personal data is any information relating to an identified or identifiable natural person. This includes details such as your name, email address, IP address, or device identifiers. Information that cannot reasonably be linked to a specific individual — for example, fully anonymised aggregated statistics — does not constitute personal data. Any processing of personal data (collection, storage, use, transmission, etc.) requires a legal basis under the GDPR.

3. Data We Collect

A. Account Data

When you create an account we collect your email address and, if you sign in via a third-party provider (Google), the basic profile details that provider shares with us.

When an account is deleted, we retain a record of the associated email address for the purpose of preventing abuse of the free-tier usage quota (preventing re-registration to obtain new free usage). This processing is based on our legitimate interests under Art. 6(1)(f) GDPR. The record is retained for a maximum of 3 years from account deletion. You may request removal of this record by contacting us; we will assess such requests against our legitimate interest in abuse prevention on a case-by-case basis.

B. Technical Log Data

When you access our website or web app, your browser automatically transmits the following data, which is temporarily stored in log files:

  • IP address of the requesting device
  • Date and time of access
  • URL and name of the file requested
  • Referring URL (the page you navigated from)
  • Browser type and version, operating system, access provider

C. Audio & Transcript Content

Our desktop application records audio locally on your device. Your original uncompressed audio file remains on your machine. Before upload, a compressed version of the audio is created and securely uploaded to our cloud storage (Supabase Storage, Frankfurt, EU) solely for transcription. The compressed audio is forwarded to our speech-to-text provider (ElevenLabs) and deleted from our storage after transcription is complete. ElevenLabs may retain your audio data on its own servers in accordance with its privacy policy and retention schedule. The resulting text transcript is then processed by our AI sub-processor (Anthropic) to generate a meeting summary. We process this content solely to deliver the service to you; it is never used to train any third-party AI model.

D. Usage & Interaction Data

We may collect information about how you interact with our services, such as features used, session duration, and performance metrics.

E. Payment Data

When you subscribe to a paid plan, our payment processor Stripe collects and processes your billing details. We never see or store your full card number.

4. Purpose & Legal Basis

We process personal data for the following purposes and on the following legal grounds:

  • Providing the service (Art. 6(1)(b) GDPR — performance of a contract): Creating and managing your account, processing transcriptions and AI summaries, handling your subscription.
  • Security & IT operations (Art. 6(1)(f) GDPR — legitimate interests): Ensuring stable, secure operation of the platform; detecting and resolving technical errors; preventing misuse.
  • Legal compliance (Art. 6(1)(c) GDPR — legal obligation): Retaining records as required by tax and accounting law.
  • Analytics & product improvement (Art. 6(1)(f) GDPR — legitimate interests or Art. 6(1)(a) — consent, where applicable): Understanding how users interact with the service to improve it.

5. Hosting & Infrastructure

Vercel

Our website and web application are hosted by Vercel Inc., 440 N Barranca Ave #4133, Covina, CA 91723, USA. Our serverless backend functions are configured to run in the Frankfurt, Germany (EU) region, keeping request processing within the EU. Vercel processes your IP address, request metadata, and browser information to serve pages and run our application. The legal basis is Art. 6(1)(f) GDPR (legitimate interest in operating our service). Vercel is certified under the EU–U.S. Data Privacy Framework (Art. 45 GDPR), and a data processing agreement is in place. For more information: vercel.com/legal/privacy-policy.

Audio Storage (Supabase)

When using the desktop application, a compressed audio file is uploaded to our secure cloud storage (Supabase Storage, hosted in Frankfurt, Germany, EU). The file is stored there until it is retrieved by our transcription backend and forwarded to ElevenLabs, after which it is deleted from our storage. See Section 7 and Section 14 for details on retention.

6. Authentication

We use Supabase (Supabase, Inc., 3500 S Dupont Hwy, Dover, DE 19901, USA) to manage user accounts and authentication. Your account data — including your email address and authentication tokens — is stored in a Supabase Postgres database hosted in Frankfurt, Germany (EU), so your data remains within the European Economic Area under normal operation. Standard Contractual Clauses (Art. 46(2)(c) GDPR) are in place for any incidental processing outside the EU. The legal basis is Art. 6(1)(b) GDPR. For more information: supabase.com/privacy.

7. AI Processing

ElevenLabs — Speech-to-Text Transcription

We use ElevenLabs, Inc., 169 Madison Ave #2484, New York, NY 10016, USA for automatic speech recognition and speaker diarisation (identifying who is speaking). The following data is transmitted to ElevenLabs:

  • Compressed audio recording of the meeting
  • Diarisation settings (number of speakers)

ElevenLabs returns a text transcript with speaker labels. ElevenLabs may retain your audio data on its servers for a limited period in accordance with its own privacy policy; we do not use an Enterprise plan with Zero Retention Mode, and therefore cannot guarantee that your data is immediately deleted after processing or that processing occurs exclusively within the EU. ElevenLabs states that it does not use customer audio data to train its models. The legal basis is Art. 6(1)(b) GDPR. As ElevenLabs is based in the USA, data is transferred under the EU–U.S. Data Privacy Framework (Art. 45 GDPR) and Standard Contractual Clauses (Art. 46(2)(c) GDPR). For more information: elevenlabs.io/privacy.

Anthropic — Meeting Summary Generation

To generate meeting summaries, we use the Claude API provided by Anthropic Ireland, Limited, 6th Floor, South Bank House, Barrow Street, Dublin 4, D04 TR29, Ireland (the EU entity of Anthropic, PBC, 548 Market St, PMB 90375, San Francisco, CA 94104, USA). The following data is transmitted to Anthropic:

  • The text transcript of your meeting
  • Summary template instructions (no personal audio data)

Anthropic does not use API customer data to train its models. API inputs and outputs are automatically deleted from Anthropic's servers within 30 days of receipt, unless a shorter retention period applies under Anthropic's then-current data retention policy. The legal basis is Art. 6(1)(b) GDPR. While Anthropic's EU entity is based in Ireland, processing may involve servers in the USA; data transfers to the USA are covered by the EU–U.S. Data Privacy Framework (Art. 45 GDPR) and Standard Contractual Clauses. For more information: anthropic.com/privacy.

8. Payment Processing

Paid subscriptions are processed by Stripe Technology Europe, Limited, 1 Wilton Park, Wilton Place, Dublin 2, D02 FX04, Ireland (an EU entity of Stripe, Inc.). When you subscribe, Stripe collects your name, email address, billing address, and payment card details. We receive only a payment token and subscription status — we never store your full card number. The legal basis is Art. 6(1)(b) GDPR. As Stripe operates its EU business through an Irish entity, your payment data is primarily processed within the EU. Where data is transferred to the USA, Stripe is certified under the EU–U.S. Data Privacy Framework (Art. 45 GDPR). For more information: stripe.com/privacy.

9. Error Monitoring

We use Sentry (Functional Software, Inc., 45 Fremont Street, 8th Floor, San Francisco, CA 94105, USA) to monitor application errors and performance. Sentry may process the following data when an error occurs:

  • Error messages, stack traces, and error codes
  • Browser type, operating system, and device information
  • Timestamp and URL where the error occurred

Sentry does not capture your audio recordings or meeting transcripts. The legal basis is Art. 6(1)(f) GDPR (our legitimate interest in maintaining a stable and secure service). Error data is retained for 90 days. Data is transferred to the USA under Standard Contractual Clauses (Art. 46(2)(c) GDPR). For more information: sentry.io/privacy.

10. Analytics

Google Analytics

We use Google Analytics 4, a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google"). Google Analytics collects data about how visitors interact with our website, including:

  • Pages visited, navigation paths, and time spent on each page
  • Referring website or campaign source
  • Device type, browser, operating system, and screen resolution
  • Approximate geographic location (country/city level, derived from IP address)
  • Events such as button clicks and form interactions

IP addresses are anonymised by Google before storage. Google Analytics uses cookies (see Section 11) to distinguish visitors and analyse usage. Google may transfer this data to servers in the United States; such transfers are covered by the EU–U.S. Data Privacy Framework (Art. 45 GDPR) and Standard Contractual Clauses (Art. 46(2)(c) GDPR). The legal basis is Art. 6(1)(a) GDPR (your consent, collected via the Cookiebot banner) for EEA users, or Art. 6(1)(f) GDPR (our legitimate interest in understanding website usage) where consent is not required. You can opt out of Google Analytics tracking by installing the Google Analytics Opt-out Browser Add-on. For more information: policies.google.com/privacy.

Hotjar (Session Recording)

We use Hotjar, a session recording and behavioral analytics service provided by Hotjar Ltd (part of Contentsquare Group, 4 Poidebard Street, Valletta VLT 1175, Malta / Contentsquare SAS, 7 Rue du Faubourg Poissonnière, 75009 Paris, France). The service collects data about how visitors interact with our website, including:

  • Mouse movements, clicks, taps, and scroll behavior
  • Pages visited and time spent on each page
  • Device type, browser, and approximate location (derived from IP address, which is anonymised before storage)

Hotjar does not capture the content of form fields marked as sensitive or any audio/transcript content. The legal basis is Art. 6(1)(a) GDPR (your consent via the Cookiebot banner) for EEA users, or Art. 6(1)(f) GDPR (our legitimate interest in improving the service) where consent is not required. You can opt out of Hotjar data collection at any time via hotjar.com/legal/compliance/opt-out. Data may be transferred to the USA; transfers are covered by Standard Contractual Clauses. For more information: hotjar.com/legal/policies/privacy.

11. Cookies & Consent Management

Cookies are small text files stored on your device when you visit our website. We use the following types:

  • Strictly necessary cookies: Required for the website and web app to function — for example, maintaining your login session (set by Supabase authentication). No consent is required for these cookies.
  • Analytics cookies: Set by Google Analytics (GA4) to measure website traffic, page performance, and visitor behaviour, and by Hotjar to record sessions and collect behavioural data (see Section 10). These cookies are only activated after you have given your consent via the Cookiebot banner.

You can configure your browser to refuse or delete cookies at any time. Note that disabling strictly necessary cookies will prevent you from signing in to the service.

Consent Management — Cookiebot

We use Cookiebot, a consent management service provided by Usercentrics A/S, Havnegade 39, 1058 Copenhagen, Denmark, to manage cookie consent on our website. Cookiebot scans our site for cookies and trackers and presents the consent banner to visitors. Your consent preferences are stored and enforced by Cookiebot. The following data may be processed by Usercentrics A/S:

  • Your consent status and preferences
  • Timestamp of consent
  • IP address (anonymised) and browser type

Processing is necessary to meet our legal consent management obligations under Art. 6(1)(c) GDPR and our interest in demonstrating compliance under Art. 6(1)(f) GDPR. Usercentrics A/S is based within the EU and complies with the requirements of the GDPR. For more information: cookiebot.com/en/privacy-policy.

12. International Data Transfers

We store your account data and transcripts primarily within the European Union (Frankfurt, Germany via Supabase). Several of our service providers operate EU-based entities: Stripe Technology Europe (Ireland) and Anthropic Ireland (Ireland) process data within the EU wherever possible. Where data is nonetheless transferred to servers in the United States or other third countries, we ensure compliance with Chapter V of the GDPR through one or more of the following mechanisms:

  • EU–U.S. Data Privacy Framework (Art. 45 GDPR): Applies to Vercel, Stripe, Anthropic, ElevenLabs, and Google for any processing on US infrastructure.
  • Standard Contractual Clauses (Art. 46(2)(c) GDPR): Applies to Sentry, Supabase, and Hotjar/Contentsquare for any processing outside the EU.

We review the data protection standards of each service provider before engaging them and conclude data processing agreements wherever legally required.

13. Recipients of Personal Data

Within our operation, only we access your personal data, and only to the extent needed to provide the service. We disclose data to external parties only as described in this policy or where required by law. Recipients fall into the following categories:

  • Processors: External service providers acting strictly on our instructions — including Vercel (hosting), Supabase (authentication and database), ElevenLabs (speech-to-text transcription), Anthropic (AI summaries), Stripe (payments), Sentry (error monitoring), Google Ireland Limited (website analytics), Hotjar/Contentsquare (session recording and analytics), and Usercentrics/Cookiebot (consent management).
  • Public authorities: Tax authorities, courts, or law enforcement agencies when we are legally required to disclose data.
  • Business transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred as part of that transaction.

We do not sell your personal data to third parties.

14. Data Retention

We retain personal data only as long as necessary for the purposes described in this policy:

  • Account data: Retained for the duration of your account. After account deletion, residual data is purged within 30 days.
  • Compressed audio files: Uploaded to Supabase Storage (Frankfurt) for transcription and deleted from our storage after transcription is complete. ElevenLabs may retain a copy on its own servers for a limited period in accordance with its privacy policy. The original recording remains on your device under your control.
  • Transcripts and summaries: Stored locally on your device until you delete them. We do not retain transcript or summary content on our servers.
  • Technical log data: Retained for up to 30 days for security purposes.
  • Error monitoring data (Sentry): Automatically deleted after 90 days.
  • Payment records: Retained for the period required by Lithuanian accounting law (currently 10 years).
  • Deleted account email records: Retained for up to 3 years from account deletion, for the purpose of preventing free-tier abuse (see Section 3A).

15. Security

We implement appropriate technical and organisational measures to protect your personal data against accidental loss, unauthorised access, disclosure, or destruction. These include encryption in transit (TLS), encryption at rest, access controls, and Row-Level Security on our database.

No method of data transmission or storage is completely secure. In the event of a data breach that is likely to result in high risk to your rights and freedoms, we will notify you and the supervisory authority as required by Art. 33–34 GDPR.

16. Your Rights Under the GDPR

As a resident of the EU or EEA, you have the following rights regarding your personal data:

  • Right of access (Art. 15): Request a copy of the personal data we hold about you.
  • Right to rectification (Art. 16): Request correction of inaccurate data.
  • Right to erasure (Art. 17): Request deletion of your personal data ("right to be forgotten").
  • Right to restriction (Art. 18): Request that we limit how we process your data.
  • Right to data portability (Art. 20): Receive your data in a structured, machine-readable format.
  • Right to object (Art. 21): Object to processing based on legitimate interests.
  • Right to withdraw consent (Art. 7(3)): Where processing is based on your consent, you may withdraw it at any time without affecting prior lawful processing.

To exercise any of these rights, contact us at evaldas@trykribe.com.

You also have the right to lodge a complaint with the Lithuanian State Data Protection Inspectorate (Valstybinė duomenų apsaugos inspekcija — VDAI): vdai.lrv.lt.

17. Children's Data

Our services are not directed at children. To use Kribe you must be at least 16 years old if you reside in the EU/EEA, or at least 13 years old elsewhere. We do not knowingly collect personal data from anyone below these ages. If you believe a child has provided us with personal data, please contact us at evaldas@trykribe.com and we will delete it promptly.

18. Changes to This Policy

We may update this Privacy Policy from time to time. The date at the top of the page will always reflect the most recent revision. If we make changes that materially reduce your rights or significantly affect how we process your data, we will notify you by email or via a prominent notice in the application at least 30 days before the change takes effect.

19. Contact

If you have any questions, concerns, or requests regarding this Privacy Policy or the processing of your personal data, please reach out to us:

Kribe
evaldas@trykribe.com
Lithuania

We will respond to all data protection enquiries within 30 days.