Privacy Policy RecapHub

Non-binding summary: This policy explains how Niron B.V. processes personal data when providing real-time transcription and translation services  (Translingo) and live- and post-event content summary/analysis and generation (RecapHub). It is drafted to cover scenarios where Niron B.V. primarily acts as a processor on behalf of organizing clients, without prejudice to cases where it acts as a controller (e.g., self-service accounts, billing, support, limited proprietary analytics).

1. Data controller

  • Entity: Niron B.V.

  • Address: Stationsplein 45, 4th floor A4.004, 3013 AK Rotterdam, The Netherlands

  • Commercial Register (KVK): 90020340

  • NIF/VAT: NL865184938B01

  • Privacy contact email: build@niron.ai

Note on roles:

  • In assignments with event organizers, the organizer is generally responsible and Niron B.V. processor (art. 28 GDPR).

  • In functions that Niron B.V. defines on its own (e.g. account registration, billing, security, minimum technical analytics), Niron B.V. acts as a data controller.

  • If there are joint decisions on ends/means, joint responsibility will be documented  (art. 26 GDPR).

2. Scope of application

This policy applies to:

  • Translingo (real-time transcription and translation at events, conferences, and meetings).

  • RecapHub (generation of abstracts, indexes, proceedings and post-event derivative materials).

  • Associated websites and apps: translingo.cc, recaphub.co, and eventlabs.ai.

  • Integrations with storage platforms and technology providers (e.g., Google Cloud, Supabase, Heroku, etc.). The full list is available upon request.

3. Types of personal data processed

A. Account and profile data: first name, last name, email, phone, language, role, company/organization; credentials (hash), settings and preferences.
B. Event data: title, agenda, participants/speakers (names/roles if provided by the client), languages and metadata (date, duration, access).
C. Captured content: audio (and video if enabled), presentations or materials shared by the client.
D. Outputs generated: transcripts, translations, subtitles, abstracts, proceedings, excerpts, keywords, topic tags, mind maps, derivative editorial material.
E. Support Data: tickets, helpdesk communications, support recordings (if authorized).
F. Technical data and telemetry: IP, device/session identifiers, access logs, user agent, usage events, cookies/similar storage.
G. Billing and collection data: tax data, billing address, payment history, vouchers.

Special categories (art. 9 GDPR)
We do not intentionally request sensitive data (health, ideology, etc.). They could appear incidentally if a speaker discloses them. In such a case:

  • We apply encryption and strong access controls.

  • The organiser should assess the appropriate legal basis and, if appropriate, carry out an impact assessment (DPIA/DPIA).

Minors: Services are not directed to minors. The organiser must avoid recruiting them or obtain valid authorisations.

4. Source of the data

  • Client/organizer: configuration of events, participants, materials.

  • Participants: voice interventions, documentary contributions.

  • Integrations: Customer-authorized video conferencing/storage platforms.

  • Automatically: telemetry, cookies, usage logs.

5. Purposes of processing and legal bases

When we act as a processor, we deal with the instructions of the person in charge (organizer). When we act as a responsible party, the following legal bases apply:

Purpose

Description

Legal basis

Real-time delivery

Audio capture/processing for transcription and simultaneous translation; Viewing to Authorized Users

Execution of the contract (art. 6.1.b GDPR); Legitimate interest  (security/operational)

During- and post-event 

Generating abstracts, minutes, indexes, and derivative materials from transcripts

Execution of contract (art. 6.1.b GDPR)

Account Management

Registration/deregistration, authentication, access control, space management

Execution of contract (art. 6.1.b GDPR)

Integrations

Connect to database, import/export

Execution of contract (art. 6.1.b GDPR); Consent if the integration requires it

Support & Service

Incident Handling and Service Communications (Non-Marketing)

Execution of the contract (art. 6.1.b GDPR); Legitimate interest (security/operational)

Safety and abuse prevention

Monitoring, logging, detection and response to incidents

Legitimate interest; Legal obligation where applicable

Limited Product Analytics

Technical metrics for stability, quality, and incremental improvement, with aggregation/pseudonymization/anonymization

Legitimate interest (art. 6.1.f GDPR)

Invoicing and accounting

Invoice issuance, payment management, tax compliance

Legal obligation (art. 6.1.c GDPR)

Own marketing

Newsletter and equivalent commercial communications

Consent (Art. 6.1.a); legitimate interest (with opt-out where permitted by law)

Non-essential cookies

Analytics/Personalization

Consent for non-essential (mandatory technical and functional) (ePrivacy)

AI/Training

We do not use identifiable data to train general models without express consent; use of aggregated/anonymized data for benchmarking/statistics

Consent (if applicable) / Legitimate interest with robust anonymization

6. Description of the technical flow (transparency)

  1. Capture: The audio of the speaker/participants is captured from the room or the authorized video conferencing platform.

  2. Encrypted transmission: The stream is sent via TLS to infrastructure.

  3. Processing: STT (speech-to-text) engines transcribe; where appropriate, MT (machine translation) translates; and AI assistive systems generate summaries/indexes.

  4. Controlled delivery: The result is displayed/delivered to users with permissions.

  5. Retention/erasure: After the service is terminated, the data is retained for the minimum time necessary according to the customer's configuration, and is deleted or anonymized.

7. Recipients and sub-processors

We may share data with:

  • Technology sub-processors: cloud hosting, databases, CDN, monitoring, STT/MT/TTS APIS, transactional email, helpdesk, invoicing and payments.

  • Advisors/auditors: under confidentiality agreements.

  • Authorities: when there is a legal obligation or valid requirement.

All under contract in accordance with art. 28 GDPR. We maintain an up-to-date list of sub-processors. We will give reasonable notice of material changes, offering the right to object where required by the contract.

8. International transfers

The architecture is designed to store data  in the EU/EEA. Where a subprocessor operates outside the EEA, we will apply Standard Contractual Clauses (SCCs);

9. Retention periods

We apply minimization and limited withholdings. As a guideline (adjustable by contract/customer instruction):

Category

Default Deadline

Remarks

Audio

Up to 1 year

Recording can be disabled or force delete on closure

Transcriptions/translations

Up to 1 year

Exportable by the customer; Deletion on request

Generated outputs (recaps)

Up to 2 years

Or even deleted by the client

Event metadata

Up to  2 year

For traceability and invoicing

Technical logs/security

3–12 months

Different withholdings depending on the purpose

Support

12–24 months

After ticket closure

Billing/Accounting

7–10 years

According to applicable tax regulations

10. Security measures (summary)

  • Encryption in transit and at rest (TLS ≥1.2; database encryption and backups).

  • Identity and access management (IAM), MFA, segregation of duties, principle of least privilege.

  • Logical isolation by client/tenant, control of environments and activity logging.

  • SSDLC: Code reviews, dependency analysis, testing, and remediation.

  • Incident monitoring and response; WAF/CDN when applicable.

  • Continuity and disaster recovery  plans; Encrypted and tested backups.

  • Internal policies and privacy/security training.

  • Breach notification in accordance with Articles 33–34 GDPR.

11. Rights of individuals

You can exercise: access, rectification, deletion, opposition, limitation, portability and not to be subject to automated decisions (art. 22 GDPR). To do this, write to build@niron.ai indicating the right exercised. We may request identity verification. We will resolve in 1 month (extendable 2 months due to complexity). You have the right to lodge a complaint with your supervisory authority: in the Netherlands, Autoriteit Persoonsgegevens.

12. Cookies and similar technologies

We use cookies/local storage to:

  • Strictly necessary (operation, security, authentication).

  • Preferences (language, accessibility).

  • Analytics (usage measurement) – requires consent.

  • Personalization/own marketingrequires consent.

You can set or withdraw your consent at any time from our cookie management panel. More information in the Cookies Policy.

13. AI Information (AI Act)

  • Our services incorporate AI systems to transcribe, translate and summarize content.

  • Transparency: we inform customers and users that AI intervention is present and that errors may occur; human supervision throughout the process (no automated decisions with legal effects).

  • Training Data: We do not use identifiable customer data to train general-purpose models without express consent

  • Risk management: We conduct regular reviews on accuracy, robustness, safety, and bias, documenting mitigation measures.

  • Traceability: We retain proportionate technical records for auditing, security, and responsible improvement.

  • Prohibited Use: We block uses contrary to law/contract (e.g., unauthorized surveillance, unlawful extraction of information).

14. Responsibilities in events (transparency towards participants)

The organiser must inform speakers and attendees in advance of the recording and processing (transcription/translation/recap).
Suggested short notice (editable by the organizer):

"This event uses services from Niron B.V. (Translingo / RecupHub) for real-time transcription/translation and abstract generation. The audio of the interventions will be captured for operational purposes of the event. More information and exercise of rights: [link to this policy] / [contact of the organizer]."

15. Automated Decisions

We do not adopt automated decisions with legal effects or of similar importance to individuals (art. 22 GDPR). AI capabilities support and require human supervision from the customer.

16. Reporting data to authorities

We may disclose data where there is a legal obligation or a valid requirement from a competent authority, limiting disclosure to what is strictly necessary and, where legally possible, informing the customer.

17. Changes to this Policy

We may update this policy to reflect legal or technical changes.

18. Contact

For privacy or exercise of rights: build@niron.ai, postal address: Stationsplein 45, 4th floor A4.004, 3013 AK Rotterdam, The Netherlands