Privacy Policy
This policy explains what personal data Utterdeck collects about you, why we process it, who we share it with, and the rights you have under the EU General Data Protection Regulation (GDPR). We have written it to be honest about gaps that still exist; where we describe a process that is today manual, we say so.
1. Data controller
The data controller for Utterdeck is:
- Company name: PRIVESC.EU WEB SRL
- Tax ID: 28132460
- Trade Register No.: J2011/002562407
- EUID: ROONRC.J2011/002562407
- Incorporated: 2011-03-04
- Registered office: 14 Alexandru Lapusneanu Street, Sector 1, Bucharest, postal code 012867, Romania
- Contact: support@utterdeck.com
2. What personal data we collect
- Account data. Email address, password hash (we never store or see your password in clear text), public username, and account timestamps (created, last sign-in).
- Session metadata. Session title, the pre-session description you type when creating a session, language hint, aspect ratio, a short access code, and the two-letter country code for your presenter session derived from the CF-IPCountry header supplied by our CDN (Cloudflare).
- Audio. Opus-encoded audio chunks uploaded from your browser during a live session. Audio is transient by default: it is sent to Google Gemini for transcription and then is not retained beyond what is needed to produce slides for that session. If — and only if — you explicitly toggle "Record audio" when creating a session, the uploaded audio is stored in our blob-storage provider so that it can be played back with the replay.
- Slide content. The AI-generated cartoon images and the short scene descriptions derived from your audio. We keep these so the live audience and any authorised replay viewer can see them.
- Payment metadata. For each purchase: the Stripe Checkout Session ID, the Stripe Invoice ID (if generated), the amount, the currency, and the product description. We do not see, store, or transmit your card number. Card handling is performed entirely by Stripe.
- Referral attribution. If you arrive via a referral link or a free-tier QR code, we set a cookie called utterdeck_ref carrying an opaque session identifier for 30 days; on signup, we record which session referred you.
3. Why we process this data
For each processing purpose we rely on one of the legal bases under GDPR Article 6:
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Provide the service — receive audio, generate slides, deliver to your audience | Performance of a contract — Art. 6(1)(b) |
| Bill you for slide credits; send invoices | Performance of a contract — Art. 6(1)(b); also legal obligation under Romanian fiscal law — Art. 6(1)(c) |
| Send transactional email (sign-up, password reset, post-session summary) | Performance of a contract — Art. 6(1)(b) |
| Prevent abuse, enforce rate limits, protect the service | Legitimate interests — Art. 6(1)(f) |
| Referral-attribution cookie | Legitimate interests — Art. 6(1)(f) |
4. Who we share data with
We use a small number of processors that host or operate parts of the service. We do not sell your personal data, and we do not share it with advertisers.
| Processor | Role | Data shared | Transfer safeguards |
|---|---|---|---|
| Google Ireland Ltd / Google LLC (Gemini API) | Audio-to-text and text-to-image generation | Audio bytes, scene descriptions, language hint, aspect ratio | EU Standard Contractual Clauses; Google Cloud Data Processing Addendum |
| Stripe Payments Europe Ltd (Ireland) / Stripe, Inc. (US) | Payment processing and invoicing | Email, amount, currency, Stripe session + invoice IDs | EU Standard Contractual Clauses; Stripe DPA |
| Microsoft Corporation (Azure Blob Storage) | Storage of audio (opt-in) and generated slide images | Audio files, slide images, session Sqid in the path | EU Standard Contractual Clauses; Microsoft Online Services DPA. Region depends on deployment; until we publish a regional commitment, assume storage in the US. |
| Cloudflare, Inc. (US) | Edge / reverse proxy / CDN | IP address, user-agent, request metadata | EU Standard Contractual Clauses; Cloudflare DPA |
We may also disclose personal data to law-enforcement or government authorities if required by a valid legal order.
5. International transfers
Some processing happens outside the European Economic Area — primarily in the United States — because Google (Gemini), Stripe, Microsoft Azure, and Cloudflare operate US-based infrastructure. Each of those providers is bound to us by the European Commission's Standard Contractual Clauses, together with supplementary measures (encryption in transit, access controls, DPA terms). Where a provider is certified under an EU-US adequacy framework, we also rely on that framework as an additional safeguard.
6. Retention
We keep personal data only as long as we need it:
- Account data — kept while the account exists; deleted when the account is closed (see § 8 below for how).
- Audio — transient by default (processed and not retained beyond session delivery). If you enabled "Record audio" when creating a session, the audio is retained indefinitely in blob storage for replay; we will remove recorded audio on request (see § 8).
- Slide images and scene descriptions — retained while the parent session exists; removed when the session is deleted.
- Payment records — retained for at least 10 years as required by Romanian tax law (Fiscal Code, art. 109).
- Application logs — 90 days.
We do not yet have automated retention tooling that deletes on a schedule. Until that tooling ships, the rules above are enforced on request. See § 8 for how to ask.
7. Your rights
Under GDPR Articles 15 to 22, you have the right to:
- access the personal data we hold about you;
- rectify inaccurate or incomplete data;
- erase your personal data (the "right to be forgotten"), subject to legal retention obligations for things like invoices;
- restrict processing in certain situations;
- receive a portable copy of the personal data you provided, in a machine-readable format;
- object to processing based on our legitimate interests;
- withdraw consent at any time, where processing is based on your consent.
Under GDPR Article 77 you also have the right to lodge a complaint with the Romanian data-protection authority:
National Supervisory Authority for Personal Data Processing (ANSPDCP)
Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal
28-30 G-ral. Gheorghe Magheru Boulevard, Sector 1, 010336 Bucharest, Romania
Website: https://www.dataprotection.ro
8. How to exercise your rights
Email support@utterdeck.com from the address associated with your account. We will respond within 30 days (the statutory maximum under GDPR Article 12(3)), extendable by a further two months for complex requests if we notify you.
Honest disclosure. At the time this policy was last updated, access, export, and deletion requests are processed manually. We are working on self-service flows; until they ship, please write to us and we will handle the request.
9. Cookies
Utterdeck sets only strictly-necessary cookies. Because every cookie is essential to the service under the ePrivacy Directive, we do not display a cookie-consent banner. If that ever changes — for example, if we add an analytics tracker — we will publish a banner and update this policy.
| Cookie | Purpose | Duration | Type |
|---|---|---|---|
| .AspNetCore.Identity.Application | Authentication session for signed-in users | Session-bound (cleared on browser close or sign-out) | Strictly necessary |
| utterdeck_ref | Referral attribution (carries an opaque session identifier) | 30 days | Strictly necessary |
During a Stripe Checkout session, Stripe sets its own cookies on checkout.stripe.com — those are controlled by Stripe under their own privacy policy. Utterdeck does not set or read those cookies.
We do not use Google Analytics, Mixpanel, PostHog, advertising, or other third-party tracking cookies.
10. Security
Passwords are hashed with bcrypt via ASP.NET Identity — we never store or transmit them in clear text. All traffic between your browser and Utterdeck is encrypted with TLS. Blob storage is served over HTTPS from Microsoft Azure, and access is restricted by short-lived signed URLs. We apply the principle of least privilege internally. No online service can guarantee absolute security; please use a strong password and notify us promptly if you suspect unauthorised access to your account.
11. Children
Utterdeck is not intended for children under 16 and we do not knowingly collect personal data from them. If we learn that a user under 16 has registered, we will terminate the account and delete associated data. If you are a parent or guardian and believe a child under 16 has created an account, please contact us.
12. Changes to this policy
We will announce any material change to this policy at least 30 days before it takes effect, by email to account holders and by publishing the revised version on this page with a new "Last updated" date at the top.
13. Contact
Privacy questions, DSAR requests, and complaints: support@utterdeck.com.
Postal: Privesc.Eu Web SRL, 14 Alexandru Lapusneanu Street, Sector 1, Bucharest, postal code 012867, Romania.