Privacy Policy

Last updated June 14, 2026

This policy explains how your personal data is collected, used, stored and protected when you use Instableep — the website at instableep.com and the application at app.instableep.com (together, the “Service”). Instableep lets you upload audio or video, have it transcribed by AI, choose which words to bleep, and download the censored result. It is written to meet the requirements of the EU General Data Protection Regulation (GDPR).

1. Who is responsible for your data

The data controller for the Service is R. D. Bitenieks, a natural person based in Riga, Latvia, operating under the brand “Instableep”. There is no company; the Service is run by an individual.

You can reach us about anything in this policy, or to exercise any of your rights, at instableep@gmail.com.

2. What we collect

We collect only what we need to run the Service and your account:

  • Account data. Your email address and a username. If you sign in with Google, we receive your name, email address and profile picture (avatar) URL from your Google profile; your name and email are captured once at sign-up, and your avatar URL is refreshed from Google each time you log in. We support email-and-password and Google sign-in only.
  • Uploaded media. The audio and video files you upload. Be aware that these files contain voice recordings — your voice, and potentially the voices of other people — along with whatever is spoken in them. To provide the Service we have to process and store this media: we keep it so you can return to your library, and we send its audio to our transcription provider to generate a transcript. We do not listen to your media, and we do not use it to train any AI model.
  • Transcripts. The text transcript produced from your media, including per-word timestamps. Because it is a transcript of your recording, it contains whatever was spoken.
  • Billing and subscription data. Your plan, subscription status and billing period, plus the brand and last four digits of your payment card. Your full card details are entered directly with Stripe and held by Stripe — we never see or store your full card number.
  • Support messages. The subject and body of any message you send us, so we can reply and keep a record of the conversation.
  • Technical and usage data. Basic, aggregated and anonymous usage statistics collected through our cookieless analytics, plus standard server logs (such as the fact that a request happened and whether it succeeded or failed) needed to operate and secure the Service.

We do not collect your GPS or precise-location data, and the Service is not designed to gather any special-category data deliberately. Note, however, that voice recordings you upload may incidentally reveal sensitive information depending on what is said in them; you control what you upload.

3. Why we use your data, and our legal basis

For each purpose, the GDPR legal basis we rely on is named below.

PurposeLegal basis
Creating and running your account; storing your media; transcribing it; bleeping and exporting your files; providing your library and presets Performance of our contract with you (Art. 6(1)(b))
Taking payment and managing your subscription Performance of our contract with you (Art. 6(1)(b))
Sending account and transactional email (verification, password reset, receipts, support replies) Performance of our contract with you (Art. 6(1)(b))
Answering your support messages Performance of our contract, and our legitimate interest in supporting users (Art. 6(1)(f))
Keeping security and audit logs, preventing abuse, and keeping the Service reliable Our legitimate interest in operating and securing the Service (Art. 6(1)(f))
Measuring the effectiveness of our advertising by sending hashed sign-up and purchase events to Meta and Google (see Section 5) Your consent, given through the cookie banner (Art. 6(1)(a))
Sending marketing email about Instableep Our legitimate interest in promoting our own Service to our users, subject to your right to unsubscribe at any time (Art. 6(1)(f))
Setting Google Ads cookies on our website Your consent, given through the cookie banner (Art. 6(1)(a))

4. Who we share your data with

We do not sell your data. We use the following service providers (processors and, where they act for their own purposes, independent controllers) to run the Service. Each receives only the data it needs:

ProviderWhat it doesWhat it receives
AssemblyAI Speech-to-text transcription The audio extracted from your uploaded media, processed to produce a transcript.
Processed via AssemblyAI’s EU (Dublin, Ireland) endpoint. Your audio is contractually excluded from training their models.
Amazon Web Services (AWS S3) Media file storage Your uploaded audio and video files, including any thumbnails generated from them.
Stored in Amazon S3 in the EU (Paris, France — eu-west-3 region), under AWS’s GDPR Data Processing Addendum.
Stripe Payments and subscription billing Your name, email, billing address and card details, which you enter directly with Stripe. We never receive or store your full card number.
Stripe processes payments globally under its own privacy terms and applicable transfer safeguards.
Fly.io Application hosting and database Your account record, transcripts, presets and subscription state, held in our PostgreSQL database.
Our production database runs in Fly.io’s Paris (France) region.
Mailgun Email delivery Your email address and name, used to send account, billing and marketing email.
Email is processed by Mailgun in the United States under Standard Contractual Clauses; see the note on international transfers below.
Plausible Analytics Privacy-friendly website analytics Aggregated, anonymous usage statistics. Plausible is cookieless and does not track you across sites or build a profile of you.
Plausible is operated within the EU.
Meta (Facebook) Advertising measurement A SHA-256 hash of your email address plus the event name (sign-up or purchase), sent server-side via the Conversions API only if you accept advertising cookies.
Meta Platforms, Inc., a US company, under applicable transfer safeguards.
Google Advertising measurement and ad cookies A SHA-256 hash of your email address plus the event name (sign-up or purchase), sent server-side via Ads Data Manager only if you accept advertising cookies. Google Ads cookies likewise load only if you accept.
Google LLC / Google Ireland, under applicable transfer safeguards.

5. Advertising measurement

To measure how well our advertising performs, when you sign up and when you make a purchase we send a server-side event to Meta (via its Conversions API) and to Google (via Ads Data Manager). The event contains the action that occurred — a sign-up or a purchase — together with a SHA-256 hash of your email address. The hash lets these platforms match the event to an ad click without us sharing your email in readable form. These server-side events are sent only if you accept advertising cookies; if you reject or later withdraw that consent, no further events are sent. You can change your choice at any time from the cookie banner or the cookie settings controls described in Section 7, and you can also object using the contact details in Section 1.

6. Marketing email

When you create an account, we add your email address to our marketing list and send you a welcome email about an hour after sign-up. You may receive occasional further email about Instableep. You can unsubscribe at any time using the link in any marketing email; deleting your account also removes you from the list. Unsubscribing from marketing does not stop the transactional email you need to use the Service (such as receipts and password resets).

7. Cookies and analytics

Our analytics provider, Plausible, is cookieless and does not set any cookie or build a profile of you. Advertising cookies (Google Ads) load only after you accept them in the cookie banner; until then they are blocked. Your choice is remembered in a single cc_cookie consent cookie. The banner offers “Accept all” and “Reject all” with equal prominence, plus a preferences screen where you can toggle the advertising category on or off. You can reopen that screen at any time from the “Open cookie settings” button on our Cookie Policy page (and, in the app, from the “Cookie settings” button in your account’s Privacy settings) to change or withdraw your choice; that page also has the full detail on every cookie we use.

8. International transfers

We keep your data within the EU/EEA where we can. Specifically, your media files are stored in Amazon S3’s Paris (eu-west-3) region, transcription runs through AssemblyAI’s EU (Dublin) endpoint, and our database is hosted in Fly.io’s Paris region.

Some providers process data outside the EEA. Stripe, Meta, Google and Mailgun operate from or transfer data to the United States. These transfers rely on the European Commission’s Standard Contractual Clauses, which form part of each provider’s data processing terms, or another lawful safeguard under the GDPR.

9. How long we keep your data

  • Files you delete. When you delete a file, both the stored media in Amazon S3 and its transcript are deleted immediately.
  • Account deletion. When you delete your account, it enters a 30-day grace period (you can reactivate during this time). After 30 days, a daily job permanently deletes your media, transcripts, presets, subscription record and your user account.
  • Audit logs. We keep anonymized audit-log entries after account deletion: the link to your user account is removed and personal details (such as past usernames) are scrubbed, so the remaining records cannot be tied back to you. We retain these to keep a reliable operational and security history.
  • Billing records. Stripe retains its own billing and transaction records under its retention policy and applicable accounting and tax law, independently of our deletion of your account.

10. Your rights

Under the GDPR you have the right to:

  • Access. Ask for a copy of the personal data we hold about you.
  • Rectification. Have inaccurate or incomplete data corrected — your username is editable in your account settings; email us to change any other details.
  • Erasure. Have your data deleted, including by deleting your account (see Retention below).
  • Portability. Receive the data you provided to us in a structured, machine-readable format.
  • Restriction. Ask us to limit how we use your data while a concern is being resolved.
  • Objection. Object to processing we carry out on the basis of legitimate interest, including direct marketing.
  • Withdraw consent. Withdraw any consent you have given (such as for marketing cookies) at any time, without affecting processing already carried out.

To exercise these rights, email us at instableep@gmail.com and we will respond within the time the GDPR requires (normally one month). You can also delete your account, or edit your username, directly from your account settings at any time.

11. Complaints

If you are unhappy with how we handle your data, you can lodge a complaint with the Latvian supervisory authority, the Data State Inspectorate (Datu valsts inspekcija), at www.dvi.gov.lv. If you live in another EEA country, you may instead contact your local data protection authority. We would, of course, appreciate the chance to address your concern first.

12. Automated decision-making

We do not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects on you. Transcription is automated, but it only generates a transcript of your media — it makes no decision about you.

13. Security

We take reasonable technical and organizational measures to protect your data: traffic is encrypted in transit, access to stored media is granted only through short-lived signed URLs, payment card details are handled entirely by Stripe, and access to our systems is limited. No method of transmission or storage is ever completely secure, so we cannot guarantee absolute security, but we work to keep your data protected and to address any issue promptly.

14. Children

The Service is not directed at children. It is intended for users aged 16 and over, and we do not knowingly collect data from anyone under 16. If you believe a child has provided us with personal data, contact us and we will delete it.

15. Changes to this policy

We may update this policy from time to time. We revise it manually and update the “Last updated” date at the top whenever we do. If we make a significant change, we will take reasonable steps to let you know. Please check back occasionally to stay informed.

16. Contact

Questions about this policy or your data? Email instableep@gmail.com. We are based in Riga, Latvia.