Transgate Privacy Policy


Our Compliance Standards

  • SSL/TLS Encrypted
  • GDPR Compliant
  • HIPAA Compliant

Privacy Policy

This privacy policy applies between you, the User of this Website and Transgate, the owner and provider of this Website. Transgate takes the privacy of your information very seriously and maintains the highest standards of data protection through SSL encryption, GDPR compliance, and HIPAA compliance measures. This privacy policy applies to our use of any and all Data collected by us or provided by you in relation to your use of the Website.

Security & Compliance Framework

Transgate operates under a comprehensive security and compliance framework that includes:

  • SSL/TLS Encryption: All data transmission is secured with industry-standard SSL/TLS encryption protocols
  • GDPR Compliance: Full adherence to General Data Protection Regulation requirements for EU users
  • HIPAA Compliance: Healthcare-grade security measures for handling sensitive personal information

SSL/TLS Security

Transgate implements comprehensive SSL/TLS security measures to protect your data:

  • End-to-End Encryption: All data transmitted between your device and our servers is encrypted using TLS 1.3
  • Certificate Authority: We use trusted certificate authorities to ensure secure connections
  • Perfect Forward Secrecy: Each session uses unique encryption keys to prevent retroactive decryption
  • HSTS Implementation: HTTP Strict Transport Security ensures all connections are secure
  • Regular Security Audits: Our SSL implementation is regularly tested and updated

GDPR Compliance

Transgate is fully compliant with the General Data Protection Regulation (GDPR) and provides the following protections for EU users:

Data Protection Principles

  • Lawfulness, Fairness, and Transparency: We process data lawfully and provide clear information about our practices
  • Purpose Limitation: Data is collected for specific, explicit, and legitimate purposes
  • Data Minimization: We only collect data that is necessary for our services
  • Accuracy: We maintain accurate and up-to-date personal data
  • Storage Limitation: Data is retained only as long as necessary
  • Integrity and Confidentiality: Appropriate security measures protect your data
  • Accountability: We demonstrate compliance with GDPR principles

GDPR Rights Implementation

  • Right to Erasure: An automated data anonymization system is activated upon user deletion requests. You can delete your data at any time, and the system also automatically deletes transcripts in 14 days.
  • Data Portability: Export your data in machine-readable formats
  • Consent Management: Granular consent controls for different data processing activities
  • Breach Notification: 72-hour breach notification system to supervisory authorities
  • Data Protection Officer: Designated DPO available for GDPR-related inquiries

HIPAA Compliance

Transgate maintains HIPAA compliance standards to protect sensitive health information and personal data:

Administrative Safeguards

  • Security Officer: Designated security officer responsible for HIPAA compliance
  • Workforce Training: All personnel trained on HIPAA requirements and data handling
  • Access Management: Role-based access controls with minimum necessary principles
  • Incident Response: Comprehensive incident response procedures for potential breaches
  • Risk Assessment: Regular risk assessments and mitigation strategies

Physical Safeguards

  • Data Center Security: Secure, certified data centers with 24/7 monitoring
  • Access Controls: Multi-factor authentication and biometric access controls
  • Workstation Security: Secured workstations with automatic screen locks
  • Media Controls: Secure handling and disposal of storage media

Technical Safeguards

  • Audit Logging: Comprehensive audit trails for all data access and modifications
  • Database Security: HIPAA-compliant database schema with audit logs and data scoping
  • API Security: HIPAA audit logging integrated into API key validation middleware
  • Data Anonymization: Automatic anonymization functions for data deletion requests
  • Encryption: AES-256 encryption for data at rest and TLS 1.3 for data in transit
  • Access Logging: Detailed logging of all system access and user activities

API Security & Compliance

Our API infrastructure incorporates advanced security measures:

  • HIPAA Audit Logging: All API requests are logged with HIPAA-compliant audit trails
  • API Key Validation: Robust middleware validates API keys with comprehensive logging
  • Database Migrations: HIPAA-compliant database schema including audit logs table and scopes column
  • GDPR Anonymization: Automated data anonymization functions activated on user deletion
  • Rate Limiting: API rate limiting to prevent abuse and ensure service availability
  • Request Validation: Comprehensive input validation and sanitization

Definitions and interpretation

In this privacy policy, the following definitions are used:

  1. Data – collectively all information that you submit to Transgate via the Website. This definition incorporates, where applicable, the definitions provided in the Data Protection Laws.
  2. Cookies – a small text file placed on your computer by this Website when you visit certain parts of the Website and/or when you use certain features of the Website. Details of the cookies used by this Website are set out in the clause below (Cookies).
  3. Data Protection Laws – any applicable law relating to the processing of personal Data, including but not limited to the Directive 96/46/EC (Data Protection Directive) or the GDPR, and any national implementing laws, regulations and secondary legislation, for as long as the GDPR is effective in Belgium.
  4. GDPR – the General Data Protection Regulation (EU) 2016/679.
  5. HIPAA – the Health Insurance Portability and Accountability Act of 1996 and related regulations.
  6. Transgate, we or us
  7. EU Cookie Law – the Privacy and Electronic Communications (EC Directive) Regulations 2003 as amended by the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011.
  8. User or you – any third party that accesses the Website and is not either (i) employed by Transgate and acting in the course of their employment or (ii) engaged as a consultant or otherwise providing services to Transgate and accessing the Website in connection with the provision of such services.
  9. Website – the website that you are currently using, https://transgate.ai/, and any sub-domains of this site unless expressly excluded by their own terms and conditions.

In this privacy policy, unless the context requires a different interpretation:

  1. The singular includes the plural and vice versa.
  2. References to sub-clauses, clauses, schedules or appendices are to sub-clauses, clauses, schedules or appendices of this privacy policy. A reference to a person includes firms, companies, government entities, trusts and partnerships. "Including" is understood to mean "including without limitation."
  3. Reference to any statutory provision includes any modification or amendment of it; the headings and sub-headings do not form part of this privacy policy.

Scope of this privacy policy

This privacy policy applies only to the actions of Transgate and Users with respect to this Website. It does not extend to any websites that can be accessed from this Website including, but not limited to, any links we may provide to social media websites.

For purposes of the applicable Data Protection Laws, Transgate is the "data controller." This means that Transgate determines the purposes for which, and the manner in which, your Data is processed.

Data collected

We may collect the following Data, which includes personal Data, from you:

  1. name;
  2. job title;
  3. profession;
  4. contact information such as email addresses and telephone numbers;
  5. demographic information such as postcode, preferences and interests;
  6. IP address (logged and retained for 7 days for security and debugging with HIPAA audit logging);
  7. web browser type and version (automatically collected);
  8. operating system (automatically collected);
  9. physical address;
  10. usage data on how you use our website and services (with HIPAA-compliant audit trails);
  11. record of correspondence you have with us (stored with encryption and audit logging).

How we collect Data

We collect Data in the following ways:

  1. data is given to us by you;
  2. data is received from other sources; and
  3. data is collected automatically (e.g., via cookies, short-term logs with HIPAA audit trails).

Data that is given to us by you

Transgate will collect your Data in a number of ways, for example:

  1. when you contact us through the Website, by telephone, post, e-mail or through any other means;
  2. when you register with us and set up an account to receive our products/services;
  3. when you complete surveys that we use for research purposes (although you are not obliged to respond to them);
  4. when you use our services;

in each case, in accordance with this privacy policy.

Data that is received from third parties

Transgate will receive Data about you from the following third parties:

  1. Google user data: (email and name) - processed with GDPR consent mechanisms;
  2. Google Analytics (if you opt in to cookies) - with GDPR-compliant consent management;
  3. Vercel (for hosting and deployment) - HIPAA-compliant hosting infrastructure;
  4. YouTube API* (if you choose to upload files via YouTube integration) - with appropriate data handling agreements.

* Users that choose to upload files using the YouTube upload integration are agreeing to be bound by the YouTube Terms of Service https://www.youtube.com/t/terms, which are related to the Google Privacy Policy http://www.google.com/policies/privacy.

Data that is collected automatically

To the extent that you access the Website, we will collect your Data automatically, for example:

  1. We automatically collect some information about your visit to the Website. This information helps us to make improvements to Website content and navigation, and includes your IP address (retained for 7 days with HIPAA audit logging), the date, times and frequency with which you access the Website, and the way you use and interact with its content.
  2. We will collect your Data automatically via cookies, in line with the cookie settings on your browser. For more information about cookies, see the section below, headed "Cookies."

Our use of Data

  1. Any or all of the above Data may be required by us from time to time in order to provide you with the best possible service and experience when using our Website. Specifically, Data may be used by us for the following reasons:

    1. Internal record keeping (with HIPAA audit trails).
    2. Improvement of our products / services.
    3. Transmission by email of marketing materials that may be of interest to you (with GDPR consent).
    4. Contact for market research purposes which may be done using email, telephone, fax or mail. Such information may be used to customise or update the Website.
  2. We may use your Data for the above purposes if we deem it necessary to do so for our legitimate interests. If you are not satisfied with this, you have the right to object in certain circumstances (see the section headed "Your rights" below).

  3. For the delivery of direct marketing to you via e-mail, we'll need your consent, whether via an opt-in or soft-opt-in:

    1. Soft opt-in consent applies when you have previously engaged with us (for example, you contacted us for more details about a product/service, and we are marketing similar products/services). Under "soft opt-in," we will take your consent as given unless you opt out.
    2. For other types of e-marketing, we are required to obtain your explicit consent; that is, you need to take a positive and affirmative action when consenting (e.g., checking a tick box).
    3. If you are not satisfied with our approach to marketing, you have the right to withdraw consent at any time. To find out how to withdraw your consent, see the section headed "Your rights" below.
  4. When you register with us and set up an account to receive our services, the legal basis for this processing is the performance of a contract between you and us and/or taking steps, at your request, to enter into such a contract.

Who we share Data with

We may share your Data with the following groups of people for the following reasons:

  1. Our employees, agents and/or professional advisors – to enable us to engage in direct marketing (such as newsletters or marketing emails about products and services provided by us). All personnel are HIPAA-trained and bound by confidentiality agreements.
  2. Third party payment providers who process payments made over the Website – to enable third party payment providers to process user payments and refunds. All payment processors are HIPAA-compliant and maintain appropriate security standards.
  3. HIPAA-compliant service providers and infrastructure partners who assist in delivering our services, subject to business associate agreements.

Keeping Data secure

We will use technical and organisational measures to safeguard your Data, including:

  • Access to your account is controlled by a password and a user name that is unique to you with multi-factor authentication options.
  • We store your Data on secure servers (e.g., Supabase, Google Cloud Storage) with HIPAA-compliant configurations, encryption at rest and in transit.
  • Audio files are processed via AWS (EU regions) but are not stored there long-term. We use Google Cloud Storage (EU regions) for actual audio storage with end-to-end encryption.
  • All data transmission is protected by SSL/TLS encryption using the latest security protocols.
  • Regular security audits and penetration testing to identify and address vulnerabilities.
  • HIPAA-compliant backup and disaster recovery procedures.
  • Comprehensive audit logging for all data access and modifications.

Technical and organisational measures include measures to deal with any suspected data breach. If you suspect any misuse or loss or unauthorised access to your Data, please let us know immediately by contacting us via this e-mail address: support@transgate.ai

Data retention

Unless a longer retention period is required or permitted by law, we will only hold your Data on our systems for the period necessary to fulfil the purposes outlined in this privacy policy or until you request that the Data be deleted.

We do not store IP addresses beyond 7-day security logs (with HIPAA audit logging). We store name and email data as long as your account is active. You may request deletion at any time, triggering our GDPR-compliant automatic anonymization process. If you remain inactive for over one year (or any set period we may adopt), we may remove your data as part of routine cleanup with appropriate audit logging.

We store transcriptions and audio files for 1 month, unless the user chooses to delete them earlier. All stored data is encrypted and subject to HIPAA audit logging. Usage history and payment history are deleted when the user deletes their account through our GDPR right-to-erasure implementation. Card transactions may remain stored by our payment gateway (Iyzico) according to their policies.

Even if we delete your Data, it may persist on backup or archival media for legal, tax or regulatory purposes, but will be anonymized where possible.

Your rights

  1. You have the following rights in relation to your Data:
    1. Right to access – the right to request (i) copies of the information we hold about you at any time, or (ii) that we modify, update or delete such information. If we provide you with access to the information we hold about you, we will not charge you for this, unless your request is "manifestly unfounded or excessive." Where we are legally permitted to do so, we may refuse your request. If we refuse your request, we will tell you why.
    2. Right to correct – the right to have your Data rectified if it is inaccurate or incomplete.
    3. Right to erase – the right to request that we delete or remove your Data from our systems, implemented through our automated GDPR anonymization system.
    4. Right to restrict our use of your Data – the right to "block" us from using your Data or limit the way in which we can use it.
    5. Right to data portability – the right to request that we move, copy or transfer your Data in machine-readable formats.
    6. Right to object – the right to object to our use of your Data including where we use it for our legitimate interests.
    7. Right to withdraw consent – the right to withdraw your consent for data processing at any time.
  2. To make enquiries, exercise any of your rights set out above, or withdraw your consent to the processing of your Data (where consent is our legal basis for processing your Data), please contact us via this e-mail address: privacy@transgate.ai.
  3. It is important that the Data we hold about you is accurate and current. Please keep us informed if your Data changes during the period for which we hold it.

Transcription Feature & Privacy

We process your audio files strictly for providing the transcription service with the highest levels of security and privacy protection. Audio files and resulting transcriptions are stored on our HIPAA-compliant secure servers with end-to-end encryption for a maximum of 1 month, unless you choose to delete them sooner. These files are not shared with or accessible to third parties other than the trusted, HIPAA-compliant infrastructure providers we use (who only store data on EU-based servers with appropriate security measures).

All transcription activities are subject to comprehensive audit logging, and your audio content is processed in isolated, secure environments with no human access. We maintain strict access controls and monitoring to ensure your sensitive information remains confidential throughout the entire transcription process.

Breach Notification

In the event of a data breach, Transgate will:

  • Notify supervisory authorities within 72 hours as required by GDPR
  • Inform affected users without undue delay if the breach poses a high risk
  • Provide clear information about the nature of the breach and steps taken
  • Maintain detailed incident logs for regulatory compliance
  • Implement immediate containment and remediation measures

International Data Transfers

When transferring data outside the EU, we ensure adequate protection through:

  • Standard Contractual Clauses (SCCs) with all data processors
  • Adequacy decisions from the European Commission where applicable
  • Additional safeguards including encryption and access controls
  • Regular assessments of data transfer mechanisms

Links to other websites

This Website may, from time to time, provide links to other websites. We have no control over such websites and are not responsible for the content of these websites. This privacy policy does not extend to your use of such websites. You are advised to read the privacy policy or statement of other websites prior to using them.

Changes of business ownership and control

  1. Transgate may, from time to time, expand or reduce our business and this may involve the sale and/or the transfer of control of all or part of Transgate. Data provided by Users will, where it is relevant to any part of our business so transferred, be transferred along with that part, and the new owner or newly controlling party will, under the terms of this privacy policy, be permitted to use the Data for the purposes for which it was originally supplied to us.
  2. We may also disclose Data to a prospective purchaser of our business or any part of it.
  3. In the above instances, we will take steps with the aim of ensuring your privacy is protected and maintain compliance with GDPR, HIPAA, and other applicable regulations.

Cookies

  1. This Website may place and access certain Cookies on your computer. Transgate uses Cookies to improve your experience of using the Website and to improve our range of services. Transgate has carefully chosen these Cookies and has taken steps to ensure that your privacy is protected and respected at all times.
  2. This Website may place the following Cookies: Below is a list of the cookies that we use. We have tried to ensure this is complete and up to date, but if you think that we have missed a cookie or there is any discrepancy, please let us know.
    1. Strictly necessary cookies – These are cookies that are required for the operation of our website. They include, for example, cookies that enable you to log into secure areas of our website, use a shopping cart or make use of e-billing services.
    2. Analytical/performance cookies – They allow us to recognise and count the number of visitors and to see how visitors move around our website when they are using it. This helps us to improve the way our website works, for example, by ensuring that users are finding what they are looking for easily. These cookies are only set with your explicit consent under GDPR.
    3. Functionality cookies – These are used to recognise you when you return to our website. This enables us to personalise our content for you, greet you by name and remember your preferences (for example, your choice of language or region).
  3. Third-party cookies – Some cookies may be set by third parties, such as YouTube, when you interact with embedded YouTube videos or use the YouTube API integration on our Website. These cookies may collect information about your interaction with the video or the API and may be used by YouTube as per its privacy policy. By using YouTube features, you agree to YouTube Terms of Service https://www.youtube.com/t/terms and Google Privacy Policy https://www.google.com/policies/privacy. All third-party cookies are subject to GDPR consent management.
  4. You can choose to enable or disable Cookies in your internet browser. By default, most internet browsers accept Cookies but this can be changed. For further details, please consult the help menu in your internet browser. We provide granular cookie consent options to comply with GDPR requirements.
  5. You can choose to delete Cookies at any time; however you may lose any information that enables you to access the Website more quickly and efficiently including, but not limited to, personalisation settings.
  6. It is recommended that you ensure that your internet browser is up-to-date and that you consult the help and guidance provided by the developer of your internet browser if you are unsure about adjusting your privacy settings.
  7. For more information generally on cookies, including how to disable them, please refer to aboutcookies.org. You will also find details on how to delete cookies from your computer.

Data Processing Lawful Basis

Under GDPR, we process your personal data based on the following lawful bases:

  • Contract: To provide our transcription services and fulfill our contractual obligations
  • Legal Obligation: To comply with legal requirements and regulations
  • Legitimate Interests: For service improvement, security, and business operations
  • Vital Interests: To protect your safety or the safety of others

Contact Information

For any questions, concerns, or requests regarding this privacy policy or your data:

EU Representative Notice

Transgate is currently in the process of aligning its operations with Article 27 of the EU General Data Protection Regulation (GDPR), which requires the appointment of an EU representative for organizations not established in the EU that process personal data of EU residents. Once appointed, the representative's contact details will be published here in accordance with the regulation.

Supervisory Authority

If you have concerns about how we process your personal data, you have the right to lodge a complaint with your local supervisory authority. For EU users, you can contact your national data protection authority or the lead supervisory authority where Transgate is established.

Regular Policy Reviews

We regularly review and update this privacy policy to ensure continued compliance with:

  • GDPR requirements and regulatory updates
  • HIPAA standards and healthcare regulations
  • SSL/TLS security best practices
  • Industry standards and emerging privacy regulations
  • User feedback and privacy concerns

General

  1. You may not transfer any of your rights under this privacy policy to any other person. We may transfer our rights under this privacy policy where we reasonably believe your rights will not be affected.
  2. If any court or competent authority finds that any provision of this privacy policy (or part of any provision) is invalid, illegal or unenforceable, that provision or part-provision will, to the extent required, be deemed to be deleted, and the validity and enforceability of the other provisions of this privacy policy will not be affected.
  3. Unless otherwise agreed, no delay, act or omission by a party in exercising any right or remedy will be deemed a waiver of that, or any other, right or remedy.

Children under the age of 16

  1. The Website is not aimed at children under 16 years of age. We do not knowingly collect personal information from children under 16. If you are under 16, please do not use our services or provide any information to us through the Website. If we learn we have collected or received personal information from a child under 16 without verification of parental consent, we will delete that information immediately and ensure it is removed from all systems including backups. If you believe we might have any information from or about a child under 16, please contact us immediately at privacy@transgate.ai.

Changes to this privacy policy

  1. Transgate reserves the right to change this privacy policy as we may deem necessary from time to time or as may be required by law. Any changes will be immediately posted on the Website and you are deemed to have accepted the terms of the privacy policy on your first use of the Website following the alterations. We will notify users of material changes via email and provide a summary of key changes.
  2. We maintain a version history of this privacy policy and can provide previous versions upon request for transparency and compliance purposes.

Quick Contact

For immediate assistance with privacy, security, or compliance matters:

Last Updated: July 20, 2025

Version: 2.0 - Enhanced with SSL, GDPR, and HIPAA compliance