Privacy Policy

Effective date: 1 January 2026 · Last updated: 1 January 2026

Rescriptum ("we", "us", "our") is a legal document collaboration service. This Privacy Policy explains what personal data we collect, why, how long we keep it, and what rights you have under the General Data Protection Regulation (GDPR, Regulation EU 2016/679).

1. Data controller

The data controller is the operator of Rescriptum, reachable at privacy@rescriptum.io. We process personal data of subscribers (lawyers) and of their clients to the extent those clients are invited to a workspace.

2. Data we collect and why

CategoryDataPurposeLegal basis
AccountName, work email, firm name, password hashAuthentication, account managementContract (Art. 6(1)(b))
BillingEmail, payment token (Stripe); no card numbers stored by usSubscription managementContract (Art. 6(1)(b))
2FA credentialsTOTP secret (encrypted), WebAuthn credentialAccount security — mandatoryLegitimate interest (Art. 6(1)(f))
DocumentsLegal document content uploaded or created by the subscriberService delivery — version-controlled storageContract (Art. 6(1)(b))
Activity logsTimestamps, IP addresses, patch identifiers, accept/reject actionsAudit trail, security, legal accountabilityLegitimate interest (Art. 6(1)(f))
CommunicationsSupport emailsCustomer supportContract (Art. 6(1)(b))

We do not use your documents to train any AI model, now or in the future.

3. Data processors (sub-processors)

  • Infomaniak Network AG — infrastructure hosting (Geneva, Switzerland — EU adequacy decision).
  • Stripe Inc. — payment processing (EU data stored in EU).
  • Infomaniak Mail — transactional email. No marketing without explicit consent.

We do not share personal data with any other third party. We will never sell your data.

Where we process client data on a subscriber's behalf, our Data Processing Agreement (GDPR Art. 28) governs that role.

4. Retention

  • Account data: duration of subscription plus 12 months.
  • Documents: retained until explicitly deleted by the account owner.
  • Activity logs: 5 years (legal accountability).
  • Billing records: 10 years (French accounting law).

5. Your rights

Under the GDPR you have the right to access, rectify, erase, restrict, object, and port your data. Export is available at any time via Settings → Export. To exercise rights, email privacy@rescriptum.io. We respond within 30 days. You may also lodge a complaint with your national supervisory authority (e.g. CNIL in France).

6. Security

Two-factor authentication enforced on all accounts. TLS 1.3 in transit. Encrypted storage at rest. Passwords hashed with PBKDF2-SHA256 (≥ 200 000 iterations). Annual security reviews.

7. Cookies

One session cookie (authentication) and one CSRF cookie. No tracking cookies. No third-party analytics.

8. Changes

30 days' email notice before any material change. Continued use after the effective date constitutes acceptance.

9. Contact

Email privacy@rescriptum.io.