Privacy & GDPR.
Last updated 13 May 2026.
What we collect, why we collect it, how long we keep it, and the rights you have under the GDPR. Jump straight to your rights under the GDPR if that's what you came for.
1. Who we are
The data controller for personal data processed through Chuchotage is PRIVESC.EU WEB SRL, a Romanian company (Tax ID 28132460, Trade Register J2011/002562407, EUID ROONRC.J2011/002562407, incorporated 4 March 2011), with registered office at 14 Alexandru Lapusneanu Street, Sector 1, Bucharest, postal code 012867, Romania.
For any matter relating to your personal data, write to privacy@chuchotage.me.
2. Personal data we process
When you create an account and run events, we process:
- Account data — your email address, name, and (optional) organisation.
- Event metadata — event name, date, duration, source and target languages, and a listener access slug.
- Payment records — payment intent identifiers and amounts returned by Stripe. We never see your card number or CVV.
- Recordings — if you enable recording, the translated audio of each session is stored on our infrastructure until automatic deletion.
- Usage logs — request IP, path, timestamp, status code. Audio content is never logged.
3. Why we process it
- To provide the service (Art. 6(1)(b) GDPR — contract). Account data and event metadata are required to run events.
- To comply with law (Art. 6(1)(c) GDPR). Payment records are kept under Romanian accounting law (Law No. 82/1991).
- For security and abuse prevention (Art. 6(1)(f) GDPR — legitimate interest). Usage logs and rate-limit counters.
4. Your audio
During a live event the speaker's microphone audio is streamed to our translation infrastructure for real-time processing. Live audio is processed in flight and not persisted — it exists only in memory for the seconds required to produce a translated stream. It is never written to disk, database, or any long-term storage.
If you enable recording for an event, the translated audio output is saved on our infrastructure (Falkenstein, DE) and auto-deleted after 30 days. Source-language audio is never recorded.
5. Sub-processors
Three external providers touch event data:
| Sub-processor | Purpose | Location |
|---|---|---|
| Hetzner Online GmbH | Application, database and recording storage | Falkenstein, Germany (EU) |
| OpenAI Ireland Ltd. | Real-time speech-to-speech translation | Ireland (EU). Audio is processed in flight under a zero-retention API plan. |
| Stripe Payments Europe Ltd. | Payment processing | Ireland (EU). Card data goes directly to Stripe; we never see it. |
6. International transfers
All Chuchotage infrastructure is hosted in the EU (Germany). Our sub-processors operate EU entities and process data inside the EU under the GDPR. We do not transfer your personal data outside the European Economic Area.
7. Retention
- Account data: kept while your account is active; deleted within 30 days of an erasure request.
- Event metadata: kept while your account is active.
- Recordings: automatically deleted 30 days after the event ends.
- Live audio: not retained.
- Payment records: 10 years (Romanian accounting law).
- Usage logs: 90 days, then automatic deletion.
8. Your rights
Under the GDPR you can ask us to:
- Access (Art. 15) — receive a copy of the data we hold about you.
- Rectify (Art. 16) — correct inaccurate data.
- Erase (Art. 17) — delete your account and associated data, subject to legal retention obligations.
- Restrict (Art. 18) — limit our processing while a dispute is resolved.
- Port (Art. 20) — receive your event metadata in a structured, machine-readable format.
- Object (Art. 21) — object to processing based on legitimate interest.
Email privacy@chuchotage.me. We reply within one business day and complete verified requests within 30 days.
If you believe we have not handled your data lawfully, you may lodge a complaint with the Romanian supervisory authority — Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP), B-dul G-ral. Gheorghe Magheru 28–30, Sector 1, București — dataprotection.ro.
9. Cookies
Chuchotage uses one strictly-necessary cookie to keep you signed in. We do not use analytics cookies, advertising cookies, or any third-party trackers. No Google Analytics, no Hotjar, no Facebook pixel, no fingerprinting.
10. Security
Traffic to Chuchotage is served over TLS 1.3. Listener audio uses WebRTC's encrypted transport (SRTP). Recordings are stored on encrypted volumes in our EU datacenter, with backups encrypted in transit. Internal access is limited to named team members on least-privilege principles.
11. Children
Chuchotage is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided personal data to us, contact privacy@chuchotage.me and we will delete it.
12. Changes to this policy
We may update this policy. Material changes are notified to registered users by email at least 14 days before they take effect. The "Last updated" date at the top of this page reflects the latest version.
13. Contact and complaints
Data-protection questions and rights requests: privacy@chuchotage.me. All other support: support@chuchotage.me.