Privacy Policy

Effective date: March 1, 2026

Summary: We collect only what we need to run the service. We do not sell your data. You can delete everything at any time. We use industry-standard security practices.

1. Who We Are

reiwrite ("we", "us", "our") operates the reiwrite desktop application and website at reiwrite.com. For questions, contact privacy@reiwrite.com.

2. Information We Collect

Account data: Email address and a bcrypt-hashed password. We never store your password in plain text.

Audio recordings: Audio is sent to OpenAI's Whisper API for processing. We do not store raw audio — only the resulting transcription text.

Transcription history: Text output, word counts, and timestamps saved to your dashboard.

Usage data: Credit usage and API call counts to operate the billing system.

Security audit logs: Authentication events (login, logout, failed attempts) with IP address and timestamp, retained for 90 days.

Technical logs: Standard server logs (IP, user-agent, timestamps) for security and diagnostics, retained up to 30 days.

3. How We Use Your Data

  • To provide, maintain, and improve the Service.
  • To authenticate you and keep your account secure.
  • To process transcriptions and return results to you.
  • To manage your credit balance and transaction history.
  • To detect, prevent, and investigate fraud, abuse, or security incidents.
  • To send important service or legal notices.

We do not use your content to train AI models. We do not sell or rent your data to third parties.

4. Legal Bases for Processing (GDPR)

For users in the EEA or UK, our legal bases are:

  • Contract performance: Account management, transcription, and billing.
  • Legitimate interests: Security logging and fraud prevention.
  • Legal obligation: Where retention is required by law.
  • Consent: Where you have explicitly opted in.

5. Data Sharing and Third Parties

  • OpenAI: Audio and text are sent to OpenAI's API for transcription and enhancement. OpenAI's API-tier service opts out of training by default. See their privacy policy.
  • MongoDB Atlas: Account and transcription data is stored on MongoDB Atlas (AWS-hosted infrastructure).
  • Razorpay: Credit purchases are handled by Razorpay. We do not store card numbers. See their privacy policy.
  • Legal compliance: We may disclose data if required by law or to protect user safety.

6. Data Retention

  • Account data: Retained until you delete your account.
  • Transcription history: Retained until you delete entries or your account.
  • Security audit logs: Auto-deleted after 90 days.
  • Server logs: Retained up to 30 days.

7. Your Rights

Depending on your location, you may have the right to:

  • Access a copy of your personal data.
  • Rectify inaccurate data.
  • Erasure ("right to be forgotten"): Delete your account and all data from your dashboard via Settings → Security → Delete Account. All data is permanently erased within 30 days.
  • Portability: Download a complete export of all your data directly from Dashboard → Security → Export Your Data.
  • Restriction or objection to certain processing.
  • Withdraw consent at any time where processing is consent-based.

To exercise any right, email privacy@reiwrite.com. We respond within 30 days.

8. Security

We implement the following measures to protect your data:

  • Encryption at rest: All personal data (emails, transcriptions, voice macros, learned usage patterns) is encrypted with AES-256-GCM, an authenticated encryption mode, before being stored in the database.
  • Encryption in transit: All data in transit is encrypted via HTTPS/TLS.
  • Zero audio storage: Voice recordings are processed in memory and immediately discarded. Raw audio is never stored on our servers.
  • Passwords are hashed with bcrypt (12 rounds) — never stored in plain text.
  • JWTs expire after 7 days and are version-locked: logging out of all devices immediately invalidates all sessions.
  • HTTP security headers (CSP, X-Frame-Options, X-Content-Type-Options) on all responses.
  • Rate limiting on all authentication and API endpoints.
  • Account lockout after repeated failed login attempts.
  • MongoDB query sanitisation against injection attacks.
  • Desktop app tokens are encrypted via the OS-native keychain (Windows DPAPI / macOS Keychain).
  • Comprehensive security audit logging with 90-day retention.

If you discover a vulnerability, please responsibly disclose it to security@reiwrite.com.

9. Children's Privacy

The Service is not directed to children under 13 (or 16 in the EEA). If you believe a child has created an account, contact privacy@reiwrite.com and we will promptly delete it.

10. International Data Transfers

Your data may be processed in the United States where our infrastructure and third-party providers operate. For transfers from the EEA/UK we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs).

11. Cookies

The website does not use tracking or advertising cookies. We may use essential session cookies for authentication only. No third-party analytics or ad-tracking scripts are loaded.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you by email or in-app notice at least 14 days before material changes take effect. Continued use after the effective date constitutes acceptance.

13. Contact and Complaints

For privacy questions or requests: privacy@reiwrite.com.

If you are in the EEA and believe we are not handling your data lawfully, you have the right to lodge a complaint with your local data protection authority (e.g. the ICO in the UK, or the relevant EU supervisory authority).