Privacy Policy
Rescriptum ("we", "us", "our") is a legal document collaboration service. This Privacy Policy explains what personal data we collect, why, how long we keep it, and what rights you have under the General Data Protection Regulation (GDPR, Regulation EU 2016/679).
1. Data controller
The data controller is the operator of Rescriptum, reachable at privacy@rescriptum.io. We process personal data of subscribers (lawyers) and of their clients to the extent those clients are invited to a workspace.
2. Data we collect and why
| Category | Data | Purpose | Legal basis |
|---|---|---|---|
| Account | Name, work email, firm name, password hash | Authentication, account management | Contract (Art. 6(1)(b)) |
| Billing | Email, payment token (Stripe); no card numbers stored by us | Subscription management | Contract (Art. 6(1)(b)) |
| 2FA credentials | TOTP secret (encrypted), WebAuthn credential | Account security — mandatory | Legitimate interest (Art. 6(1)(f)) |
| Documents | Legal document content uploaded or created by the subscriber | Service delivery — version-controlled storage | Contract (Art. 6(1)(b)) |
| Activity logs | Timestamps, IP addresses, patch identifiers, accept/reject actions | Audit trail, security, legal accountability | Legitimate interest (Art. 6(1)(f)) |
| Communications | Support emails | Customer support | Contract (Art. 6(1)(b)) |
We do not use your documents to train any AI model, now or in the future.
3. Data processors (sub-processors)
- Infomaniak Network AG — infrastructure hosting (Geneva, Switzerland — EU adequacy decision).
- Stripe Inc. — payment processing (EU data stored in EU).
- Infomaniak Mail — transactional email. No marketing without explicit consent.
We do not share personal data with any other third party. We will never sell your data.
Where we process client data on a subscriber's behalf, our Data Processing Agreement (GDPR Art. 28) governs that role.
4. Retention
- Account data: duration of subscription plus 12 months.
- Documents: retained until explicitly deleted by the account owner.
- Activity logs: 5 years (legal accountability).
- Billing records: 10 years (French accounting law).
5. Your rights
Under the GDPR you have the right to access, rectify, erase, restrict, object, and port your data. Export is available at any time via Settings → Export. To exercise rights, email privacy@rescriptum.io. We respond within 30 days. You may also lodge a complaint with your national supervisory authority (e.g. CNIL in France).
6. Security
Two-factor authentication enforced on all accounts. TLS 1.3 in transit. Encrypted storage at rest. Passwords hashed with PBKDF2-SHA256 (≥ 200 000 iterations). Annual security reviews.
7. Cookies
One session cookie (authentication) and one CSRF cookie. No tracking cookies. No third-party analytics.
8. Changes
30 days' email notice before any material change. Continued use after the effective date constitutes acceptance.
9. Contact
Email privacy@rescriptum.io.