Privacy Policy

At Metryki, we are committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our transcription and translation service for historical Polish civil records, in accordance with the EU General Data Protection Regulation (GDPR) and Spanish data protection laws.

Please read this privacy policy carefully. If you do not agree with the terms of this privacy policy, please do not access the application.

Data Controller

The Data Controller responsible for your personal data is:

DNAGENICS SL

Avd de la Industria 16, 28760 Tres Cantos, Madrid, Spain

Tax ID (NIF/CIF): ESB86552122

Email: privacy@metryki.com

Data Protection Contact: dpo@metryki.com

For any questions regarding data protection, you may contact our Data Protection Officer at the email address above.

Information We Collect

Personal Data

We may collect personally identifiable information that you voluntarily provide when:

Registering for an account (email address, username, password)
Using our contact form (name, email, message content)
Subscribing to our newsletter (email address)

Transcription Data

Information you add to your transcriptions, including:

Images of historical documents you upload for transcription
Upload batch names and metadata
Original transcriptions in source languages
English translations
Structured data extracted from documents (names, dates, places, relationships)
Detected languages and processing metadata
Processing status and timestamps

Payment Information

Credit purchase transactions
Stripe payment intent and session IDs
Transaction amounts and timestamps
Note: We do not store credit card numbers or full payment details. Payment processing is handled securely by Stripe.

Automatically Collected Data (Technical Data)

When you access Metryki, we may automatically collect:

Device information (browser type, operating system, device type)
Usage data (pages visited, features used, time spent)
IP address (may be anonymized for analytics)
Referral source (how you arrived at our site)
Account creation date and last login information
Service tier selections
Processing logs and error information

Authentication Data

If you use Google or Microsoft OAuth, we receive your email address and name from the provider
OAuth provider identifiers
Authentication tokens (managed by ASP.NET Identity)

Legal Basis for Processing (Article 6 GDPR)

We process your personal data under the following legal bases:

Processing Activity	Legal Basis
Account creation and authentication	Contract performance (Art. 6(1)(b)) - Necessary to provide the service you requested
Storing your transcription data	Contract performance (Art. 6(1)(b)) - Core service functionality
Sending service-related communications	Contract performance (Art. 6(1)(b)) - Necessary for service operation
Analytics and service improvement	Legitimate interest (Art. 6(1)(f)) - To improve our services
Marketing communications (newsletter)	Consent (Art. 6(1)(a)) - Only with your explicit opt-in consent
Analytics cookies	Consent (Art. 6(1)(a)) - Based on your cookie preferences
Legal compliance and security	Legal obligation (Art. 6(1)(c)) and Legitimate interest (Art. 6(1)(f))

How We Use Your Information

We use the information we collect to:

Provide, maintain, and improve our services
Process your requests and manage your account
Send you technical notices and support messages
Respond to your comments, questions, and requests
Analyze usage patterns to improve user experience (with appropriate legal basis)
Protect against fraudulent or unauthorized activity
Comply with legal obligations

We do NOT:

Sell your personal data to third parties
Use your data for targeted advertising
Share your transcription data with anyone without your explicit consent
Make automated decisions that significantly affect you
Profile you for marketing purposes without consent

Data Storage & Security

Your data is stored securely using industry-standard encryption and security measures. We implement:

HTTPS/TLS encryption for all data transmission
Secure password hashing (passwords are never stored in plain text)
Regular security audits and penetration testing
Access controls and role-based authentication
Regular backups with encrypted storage
Staff training on data protection

While we implement appropriate technical and organizational measures to protect your information, no electronic transmission or storage is 100% secure. We cannot guarantee absolute security but are committed to maintaining appropriate protection standards.

Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes outlined in this privacy policy, or as required by law.

Data Type	Retention Period
Account data	Duration of account + 30 days after deletion request
Transcription data	Duration of account + 30 days after deletion request
Uploaded images	Duration of account + 90 days for backup purposes
Contact form submissions	2 years from submission
Payment records	7 years as required by tax and accounting regulations
Analytics data	26 months (anonymized)
Legal/compliance records	As required by applicable law (typically 6-10 years)

When you delete your account, we will delete or anonymize your personal data within 30 days, except where we are required to retain certain information for legal obligations or legitimate business purposes.

International Data Transfers

Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA). When we transfer data outside the EEA, we ensure appropriate safeguards are in place:

Adequacy decisions: Transfers to countries the European Commission has determined provide adequate protection
Standard Contractual Clauses (SCCs): EU-approved contractual terms that provide appropriate safeguards
Data Processing Agreements: Binding agreements with third-party processors

Our primary data storage is within the European Union. If you would like more information about international transfers, please contact us.

Third-Party Services

We may use third-party services that process personal data:

Service	Purpose	Data Processed
Stripe	Payment processing	Payment information (we only receive transaction confirmations)
Google OAuth	Authentication	Email address, name
Microsoft OAuth	Authentication	Email address, name
Google Gemini AI	Translation services	Uploaded images and transcriptions
OpenAI	Structured data extraction	Translated text
Azure Blob Storage	Cloud storage	All application data

All third-party processors are bound by Data Processing Agreements (DPAs) that ensure GDPR compliance. We encourage you to review their privacy policies:

Stripe: https://stripe.com/privacy
Google: https://policies.google.com/privacy
Microsoft: https://privacy.microsoft.com/privacystatement
OpenAI: https://openai.com/policies/privacy-policy

Your Rights Under GDPR

Under the EU General Data Protection Regulation and Spanish data protection law, you have the following rights regarding your personal data:

Right to Information (Art. 13-14)

Be informed about how your data is collected and used

Right of Access (Art. 15)

Request a copy of your personal data we hold

Right to Rectification (Art. 16)

Request correction of inaccurate or incomplete data

Right to Erasure (Art. 17)

"Right to be forgotten" - request deletion of your data

Right to Restriction (Art. 18)

Request limited processing of your data

Right to Data Portability (Art. 20)

Receive your data in a portable, machine-readable format

Right to Object (Art. 21)

Object to processing based on legitimate interests

Right to Withdraw Consent

Withdraw consent at any time (where processing is based on consent)

How to Exercise Your Rights

To exercise any of these rights, please contact us at privacy@metryki.com or use our contact form.

We will respond to your request within one month. This period may be extended by two further months where necessary, taking into account the complexity and number of requests.

Right to Lodge a Complaint

If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority. In Spain, this is:

Agencia Española de Protección de Datos (AEPD)

Spanish Data Protection Agency

C/ Jorge Juan, 6, 28001 Madrid

Website: www.aepd.es

Phone: +34 901 100 099

Cookies & Tracking Technologies

We use cookies and similar tracking technologies in accordance with EU cookie legislation (ePrivacy Directive) and GDPR requirements. Cookies are small text files stored on your device.

Types of Cookies We Use

Type	Purpose	Duration	Consent Required
Strictly Necessary	Essential for the website to function (authentication, security, session management)	Session / 1 year	No (exempt)
Preferences	Remember your settings and preferences (language, theme)	1 year	Yes
Analytics	Help us understand how you use Metryki (page views, features used)	2 years	Yes

Cookie Consent

When you first visit our website, you will be presented with a cookie consent banner. Non-essential cookies will only be placed after you provide your consent. You can:

Accept all cookies
Accept only strictly necessary cookies
Customize your cookie preferences
Withdraw consent at any time through your browser settings or our cookie settings panel

Managing Cookies

You can control and manage cookies through your browser settings. Note that disabling strictly necessary cookies may affect the functionality of the application.

Children's Privacy

In accordance with Article 8 of the GDPR and Spanish law (LOPDGDD), Metryki is not intended for children under 14 years of age. We do not knowingly collect personal information from children under 14.

If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at privacy@metryki.com. We will take steps to delete such information from our systems.

Changes to This Policy

We may update this privacy policy from time to time to reflect changes in our practices or legal requirements. When we make material changes:

We will update the "Last updated" date at the top of this page
We will notify registered users via email for significant changes
We may display a prominent notice on our website

We encourage you to review this privacy policy periodically. Your continued use of the Service after changes are posted constitutes acceptance of the updated policy.

GDPR Privacy Highlights

EU-based data storage

Your data stays in the European Union

No data selling

We never sell your personal information

Full GDPR rights

Access, rectify, delete, or port your data

Encryption

All data transmitted over HTTPS/TLS

Cookie consent

Non-essential cookies require your consent

Data export

Download your data in portable format anytime

Account deletion

Delete your account and data within 30 days

Your Rights at a Glance

Under EU GDPR, you have the right to:

Access your data

Correct inaccuracies

Delete your data

Export your data

Object to processing

Withdraw consent

Contact Us

If you have questions about this Privacy Policy, your personal data, or wish to exercise your rights, please contact us:

General Privacy Inquiries: privacy@metryki.com

Data Protection Officer: dpo@metryki.com

Or use our contact form.

We aim to respond to all privacy-related inquiries within 72 hours, and to formal rights requests within one month as required by GDPR.