> **⚠ Work in Progress** — This document is a draft and is not yet legally binding. It is provided for informational purposes only and is subject to change without notice.

# Privacy Policy

This Privacy Policy applies exclusively to the instance of SourceQuote operated at
**sourcequote.org**, owned and operated by the license holder, Benjamin Leavitt.
SourceQuote is open-source software; this policy is **not valid for any other
deployment of this codebase**. Third-party deployments are solely responsible
for their own privacy practices.

This Privacy Policy describes how SourceQuote ("we", "us", "our") collects, uses,
and safeguards information when you use the Service.
By using the Service you agree to the practices described here.

**Last updated:** June 3, 2026

## Data We Collect

We collect only what is necessary to provide the Service.

### Account data

When you create an account, we collect your email address and a display name via
Firebase Authentication. This is used solely for login, account identification,
and service-related communication.

### Project data

Audio files, transcripts, and project metadata you upload are stored in Google
Cloud Storage and our database. This data is associated with your account and
is not accessed by us except for the purpose of delivering the Service or
diagnosing faults.

### Usage data

We log page views, API request counts, and IP addresses server-side for operational
monitoring and abuse prevention. These logs are not sold or shared with third parties.
No third-party analytics scripts (e.g. Google Analytics, Mixpanel) are present on
the Service.

### Local preferences

UI preferences such as theme, colour schemes, panel layout, and workspace state
may be stored in your browser's `localStorage`, in your account on our servers, or both.
Preferences stored server-side are associated with your account and are subject to the
same retention and deletion policies as other account data.

## Cookies

SourceQuote uses **strictly necessary cookies only**. No tracking,
advertising, or analytics cookies are set. Because we use only essential cookies,
no consent banner is displayed — this is in compliance with GDPR Article 6(1)(f)
and the ePrivacy Directive exemption for technically necessary cookies.

### Session cookie (`session`)

**Purpose:** Maintains your authenticated session between page requests.
This cookie is set by the Flask web framework on the server side and is required
for the application to function. Without it, you would be logged out on every
page navigation.

**Type:** HTTP-only, server-set session cookie  
**Duration:** Session (expires when the browser is closed, or on logout)  
**Sent to:** SourceQuote servers only  
**Third-party access:** None  
**Set by:** Flask (`SESSION_COOKIE_SAMESITE=Lax`, `SESSION_COOKIE_SECURE=True` in production)
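As an added illustration (not SourceQuote's own code), the following check verifies that a `Set-Cookie` header carries exactly the attributes this policy states for the `session` cookie: `HttpOnly`, `Secure`, `SameSite=Lax`, and no `Max-Age`/`Expires` (so it expires with the browser session). The sample headers are constructed for the example.

```python
"""Verify a Set-Cookie header against the session-cookie attributes stated above.

Added example, not SourceQuote's own code. Uses only the standard library so it
can run against a captured response header without the application installed.
"""
from http.cookies import SimpleCookie

# Attributes the policy states for the `session` cookie.
EXPECTED_SAMESITE = "Lax"


def check_session_cookie(set_cookie_header: str, name: str = "session") -> list[str]:
    """Return the ways the header deviates from the policy; an empty list means it matches."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    morsel = jar.get(name)
    if morsel is None:
        return [f"no cookie named {name!r} in header"]

    problems = []
    # Flag attributes parse to True when present and to "" when absent.
    if morsel["httponly"] is not True:
        problems.append("missing HttpOnly: page scripts could read the cookie")
    if morsel["secure"] is not True:
        problems.append("missing Secure: cookie could be sent over plain HTTP")
    samesite = morsel["samesite"] or "unset"
    if samesite.lower() != EXPECTED_SAMESITE.lower():
        problems.append(f"SameSite is {samesite!r}, expected {EXPECTED_SAMESITE!r}")
    # A session cookie must not carry an explicit lifetime.
    if morsel["max-age"] or morsel["expires"]:
        problems.append("Max-Age/Expires set: cookie would outlive the browser session")
    return problems


# Constructed sample headers: one matching the stated production settings,
# one resembling a development server where Secure/SameSite were not configured.
PRODUCTION_HEADER = "session=sample-session-id; HttpOnly; Secure; SameSite=Lax; Path=/"
DEV_HEADER = "session=sample-session-id; HttpOnly; Path=/"

if __name__ == "__main__":
    for label, header in (("production", PRODUCTION_HEADER), ("dev", DEV_HEADER)):
        print(label, check_session_cookie(header) or "matches policy")
```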

### Authentication tokens

Firebase authentication tokens (JWTs) are **not stored in cookies**.
They are held in JavaScript memory and transmitted via the
`X-Auth-Token` HTTP header on API requests. They are not persisted
to `localStorage` or any cookie, and are discarded when the page
session ends.

### Local storage (not cookies)

Some UI preferences are stored in browser `localStorage`. This is
distinct from cookies — localStorage data is never transmitted automatically and
exists only on your device. You can clear it at any time via your browser's
developer tools or site settings. See [Data We Collect](#data-we-collect)
for details on which preferences may also be stored server-side.

## Data Storage and Retention

Your data is stored on infrastructure provided by Google Cloud Platform (GCP),
including Cloud Storage (files) and Cloud SQL (structured data). Data is stored
in the region configured for the deployment.

Account and project data is retained for as long as your account is active.

### Account deactivation (self-service)

You can deactivate your account at any time from your account settings.
Deactivation sets your account to inactive and revokes login access immediately.
Your data — including projects, folders, files, and account record — is
retained on our servers and is not deleted. To reactivate your account, contact
us at [vtleavs@gmail.com](mailto:vtleavs@gmail.com).

### Account deletion (permanent)

Permanent deletion is performed by a server administrator. When an account
is permanently deleted:

- Your user record and authentication data are removed immediately.
- Embed records you own are deleted immediately.
- Projects and folders you own are disassociated from your account but are
  not automatically deleted — they remain on the server in an unowned state.
  You should delete your projects before requesting deletion if you wish
  them to be removed.
- Audio and transcript files stored in Cloud Storage are not automatically
  removed at the time of deletion.

To request permanent deletion, contact us at [vtleavs@gmail.com](mailto:vtleavs@gmail.com).

## Data Sharing

We do not sell, rent, or trade your personal data. We share data only with:

- **Google Cloud Platform** — infrastructure provider for storage, database, and compute services.
- **Firebase (Google)** — authentication provider. Your email is stored with Firebase for the purpose of login.
- **Stripe, Inc.** — payment processor. See [Payments and Stripe](#payments-and-stripe) for full details.
- **Modal Labs** — GPU compute provider used to run transcription jobs. When you request a transcription, your audio file is transmitted to Modal's infrastructure for processing. No account information, personal data, or metadata beyond the audio content is sent. The audio is processed transiently and is not stored by Modal beyond the duration of the job.
- **Law enforcement** — if required by law or valid legal process.

No other third parties receive your data.

## Payments and Stripe

Subscription billing and one-time donations are processed by
**Stripe, Inc.** ("Stripe"), a third-party payment processor.
Stripe is PCI-DSS compliant. SourceQuote never receives, stores, or processes
raw payment card data — all payment information is entered directly into
Stripe-hosted interfaces.

By initiating a payment you also agree to [Stripe's Privacy Policy](https://stripe.com/privacy).

### What we share with Stripe

When you subscribe or donate, we create a Stripe Customer record containing:

- Your email address
- Your display name
- An internal user ID (used to link your SourceQuote account to your Stripe record)

This information is sent to Stripe at the point of first payment and is used
solely for billing, invoicing, and subscription management.

### What we store from Stripe

We store your Stripe Customer ID (`cus_…`) in our database.
This identifier links your account to your Stripe billing record and is used to
open the billing portal, issue refunds, and manage subscription status.
No card numbers, bank details, or other payment credentials are stored by us.

### Subscription status

Stripe sends webhook events to our servers when your subscription changes
(e.g. payment succeeded, payment failed, subscription cancelled). We use these
events to update your subscription tier in our database. The raw webhook payloads
are not stored beyond what is needed to process the event.

### Billing portal

The "Manage billing" option in your account redirects you to a
Stripe-hosted billing portal. Any payment method changes, cancellations, or
invoice downloads take place on Stripe's infrastructure and are governed
by Stripe's Privacy Policy.

### Donations

One-time donations are processed via Stripe as anonymous payment intents.
Donations are not linked to a SourceQuote account unless you are signed in at
the time of donation.

## Your Rights

Depending on your jurisdiction, you may have the right to:

- Access the personal data we hold about you
- Request correction of inaccurate data
- Request deletion of your account and associated data
- Object to or restrict certain processing
- Request data portability (receive your data in a machine-readable format)

To exercise any of these rights, contact us at the address below. We will
respond within 30 days.

## Contact

Questions about this Privacy Policy or your data should be directed to:

**Benjamin Leavitt**  
[vtleavs@gmail.com](mailto:vtleavs@gmail.com)
