Privacy Policy

This Privacy Policy describes how Subtitle Translator ("we," "us," or "our") handles personal information when you use our websites, applications, and related services (collectively, the "Service"). We publish this policy to support transparency, user trust, and reviews by partners such as Google OAuth.

1. Who we are & contact

The Service is operated by the team behind SubtitleFlow. For privacy requests, contact us at privacy@subtitleflow.com.

2. Information we collect

• Account data: If you register or sign in (including with Google), we may collect your name, email address, profile image URL, and authentication identifiers.
• Content you upload: Subtitle files (e.g., SRT, VTT), audio you submit for transcription, associated metadata (file names, languages), and text derived from those files (e.g., transcripts, translations).
• Usage & quotas: Approximate processing time debited against plan limits, task counts, timestamps, and related operational metrics tied to your account or anonymous browser session.
• Technical data: IP address, browser type, device identifiers, cookies and local storage (see Section 5 below), and server logs used for security and debugging.
• Support communications: Information you send when you contact us.

3. How we use information

• Provide, operate, and improve the Service (processing, translation, export, editor).
• Authenticate users, enforce plan limits, and prevent abuse.
• Communicate about the Service, security, or legal requirements.
• Comply with law and respond to lawful requests.

4. AI processing & third-party providers

To deliver transcription, translation, and related features, we send portions of your content and prompts to third-party AI and infrastructure providers (for example, OpenAI, Google Cloud / Google APIs, or other vendors we configure). Those providers process data on our instructions to perform inference and return results to the Service.

Model training: We do not use your uploads, transcripts, or subtitles to train our own machine-learning models. We configure third-party AI services for typical API use (inference). You should also review each provider's own terms and privacy notices; their contractual commitments to enterprise/API customers may limit use of customer data for training, but practices can change—check their current documentation.

5. Cookies & local storage

We use cookies and similar browser technologies only where necessary to operate the Service. We do not use third-party advertising cookies or tracking pixels.

• Authentication (NextAuth): HttpOnly, first-party session cookies that keep you signed in and protect your account. These are essential and cannot be disabled without breaking sign-in.
• Anonymous session: An HttpOnly cookie (subtitle_anon_id) lets guests access projects they created without an account in the same browser. It is not used for cross-site advertising.
• UI preferences: Non-essential preferences (e.g., dismissed notices) may be stored in local storage. You can clear these at any time via your browser settings.
• Google OAuth: When you choose "Sign in with Google," Google may set its own cookies as part of the OAuth flow, governed by Google's privacy policy.

Most browsers let you block or delete cookies. Blocking essential cookies may prevent sign-in or guest project access.

6. Legal bases (EEA/UK users)

Where GDPR applies, we rely on performance of a contract, legitimate interests (security, improvement, fraud prevention), and, where required, consent—for example, for non-essential cookies.

7. Retention

We apply a global baseline retention schedule designed to meet GDPR/UK GDPR and CPRA-style storage-limitation expectations while controlling infrastructure cost:

• Guest raw uploads are removed within 24 hours.
• Guest project records are removed after 7 days of inactivity.
• Signed-in raw uploads are removed within 24 hours.
• Draft/failed tasks are removed after 14 days of inactivity.
• Signed-in project records are removed after 180 days of inactivity.
• Export artifacts are removed after 30 days.
• Billing/subscription audit evidence may be retained for up to 7 years where required by tax or accounting law.

If you submit an account deletion request, we begin account anonymization immediately and complete erasure/anonymization actions within 30 days, except where law requires longer retention. Deleted data may remain in encrypted backups for up to 30 additional days before backup rotation completes.

8. Security

We use administrative, technical, and organizational measures designed to protect personal information. No method of transmission or storage is 100% secure.

9. Sharing

We do not sell your personal information. We share data with processors (hosting, AI APIs, analytics if enabled), professional advisers when required, and authorities when legally compelled.

10. International transfers

If you access the Service from outside the United States, your information may be processed in the U.S. or other countries where we or our vendors operate.

11. Your rights & choices

Depending on where you live, you may have rights to access, correct, delete, or export personal information, and to object to or restrict certain processing. California residents: see Section 12 below. To exercise rights, email privacy@subtitleflow.com.

12. California privacy rights (CCPA/CPRA)

California residents may request access, deletion, and correction of personal information, and may opt out of "sale" or certain "sharing" (e.g., cross-context behavioral advertising) where applicable. We do not sell personal information for money. To submit a request, email privacy@subtitleflow.com.

13. Children

The Service is not directed to children under 13 (or 16 where a higher age applies). We do not knowingly collect personal information from children.

14. Changes

We may update this Privacy Policy from time to time. We will post the revised version with a new "Last updated" date and, when appropriate, provide additional notice.

15. Related policies

• Terms of Service
• Refunds & cancellation