Privacy Policy

This Privacy Policy explains how RBNs Studio B.V. ("RBNs Studio", "Vuci", "we", "us" or "our") collects, uses, shares and protects personal data when you use vuci.ai and our related services (the "Service"). It is written to meet the EU General Data Protection Regulation (GDPR), the UK GDPR and Data Protection Act 2018, the California Consumer Privacy Act as amended (CCPA/CPRA), the Australian Privacy Act 1988 and Australian Privacy Principles, and comparable privacy laws. We collect only what we need, and we never sell your personal data.

1. Who is responsible for your data

The data controller is RBNs Studio B.V., a company incorporated in the Netherlands with its registered office in Amsterdam. Vuci is developed by Reuben Ferrante (Amsterdam and Malta).

• Controller: RBNs Studio B.V., Amsterdam, the Netherlands.
• Registered office: [registered office address — to be completed before launch].
• Chamber of Commerce (KvK): [KvK number].
• Privacy contact: [email protected].

We have not appointed a statutory Data Protection Officer because we are not required to; you can raise any privacy matter at the contact above. If we are required to designate an EU or UK representative under Article 27 GDPR, their details will be published here.

2. The personal data we collect

Data you give us

• Account data — your email address and password (stored only as a salted hash).
• Profile data — display name, handle, bio, avatar and cover image, preferred language, time zone, and category interests you select.
• Content and activity — collections (Spaces), saved moments, notes, follows, likes, group memberships, and the alerts or saved searches you create.
• Communications — messages you send us by email or through our contact form, including support requests.
• Payment data — if you buy a paid plan, our payment processor collects your payment details; we receive only limited information such as your billing email and subscription status, and we never see your full card number.

Data we collect automatically

• Technical and usage data — IP address, device and browser type, pages viewed, referring pages, approximate location inferred from IP, and timestamps, recorded in server and security logs.
• Cookies and similar technologies — see section 5.

Data from third parties

• Social sign-in — if you sign in with Google, X (Twitter) or Facebook, we receive basic profile information such as your name and email address from that provider, according to your settings with them.
• Payment provider — confirmation of payment and subscription status.

Personal data within podcast content

Vuci analyses publicly available podcast RSS feeds. Transcripts and analysis can include the names of speakers and of people mentioned in an episode. Because that data comes from publicly published podcasts rather than from you directly, we rely on our legitimate interest in operating a discovery and reference tool (a practice common to podcast directories and search engines), and we surface it with attribution and links to the source. If you are mentioned and want your name removed, contact us at [email protected] and we will review your request.

3. Why we use your data, and our legal bases

We process personal data only where we have a lawful basis under Article 6 GDPR:

• To create and run your account and provide the Service — performance of our contract with you.
• To personalise your feed, saves and search, to secure the Service, prevent abuse, debug, and improve the product — our legitimate interests in running and protecting a useful Service, balanced against your rights.
• To process payments and manage subscriptions — performance of our contract and compliance with legal obligations.
• To send service messages (for example security or account notices) — our legitimate interests or contract; to send newsletters or marketing — your consent, which you can withdraw at any time.
• To set non-essential cookies and analytics — your consent.
• To comply with the law and to establish, exercise or defend legal claims — compliance with legal obligations and our legitimate interests.

4. AI and automated processing

To generate transcripts and analysis, we send podcast audio, transcripts and episode metadata to third-party speech-to-text and large language model providers (see section 7). We do not send your account profile or your private activity to those providers to train their models, and we instruct our processors, by contract, to use the data only to provide the service to us. We do not use your personal data to make decisions that produce legal or similarly significant effects about you through solely automated means.

5. Cookies and similar technologies

We use a small number of cookies and similar technologies:

• Strictly necessary — a session cookie, a security (CSRF) token, and a cookie that records your cookie choice. These keep you signed in, protect form submissions, and remember your preferences; they are required for the Service and cannot be switched off.
• Preferences — a cookie that remembers your light/dark theme choice.
• Analytics (consent-based) — Google Analytics, Hotjar and DataFast help us understand how the Service is used. Hotjar may also record aggregated, anonymised interaction data such as clicks and scrolling to produce heatmaps. We load these tools and set their cookies only after you accept analytics through our cookie banner, and you can withdraw consent at any time via 'Cookie settings' in the footer.

Until you accept, no analytics scripts are loaded and no analytics cookies are set. You can also control or delete cookies through your browser settings. Blocking strictly necessary cookies may stop parts of the Service from working.

Third-party content, players and links

Vuci does not host podcast audio. When you play an episode, it streams directly from the creator's own podcast host (for example Libsyn, Buzzsprout or Megaphone), so your request — including your IP address — reaches that host, which may log it, set its own cookies, and insert advertising, all under that host's privacy policy rather than ours. Where an episode is matched to a video, we embed the official YouTube player; loading or playing that embed lets YouTube/Google collect data and set cookies under Google's policies. The Service also links out to third-party websites. We are not responsible for the privacy practices of these third parties, and we encourage you to read their policies.

6. When we share data

We do not sell your personal data and we do not "share" it for cross-context behavioural advertising as those terms are defined under California law. We disclose personal data only:

• to the service providers (processors) listed in section 7, who act on our instructions;
• to other users, for content you choose to make public (for example a public Space or profile);
• to comply with the law, a lawful request, or to protect our rights, users or the public; and
• to a successor in connection with a merger, acquisition or sale of assets, under confidentiality and with notice where required.

7. Our service providers (sub-processors)

We use carefully selected providers to run the Service. Each is bound by a data-processing agreement and may use the data only to provide its service to us. Our current providers include:

• Deepgram — speech-to-text transcription.
• Anthropic and Google (Gemini) — large language model analysis of podcast content.
• Google Cloud — storage of transcript data and hosting infrastructure.
• Stripe — payment processing.
• Our email provider — transactional and (if you opt in) newsletter email.
• Cloudflare — bot protection and network security.
• Google Analytics, Hotjar and DataFast — usage analytics, loaded only with your consent (see section 5).

We keep this list current and will update it when our providers change. Ask us at [email protected] for the latest details.

8. International data transfers

We are based in the Netherlands, but some of our providers process data outside the EEA, including in the United States. Where we transfer personal data internationally, we rely on a lawful transfer mechanism — such as a European Commission adequacy decision or the EU Standard Contractual Clauses (with the UK Addendum where relevant) — together with appropriate safeguards. Contact us for more information about these safeguards.

9. How long we keep data

We keep your personal data for as long as your account is active and for as long as needed for the purposes in this policy, to comply with legal, tax and accounting obligations, and to resolve disputes. When you delete your account, we delete or anonymise your personal data within a reasonable period, except where we must retain certain records by law. Backups containing your data are overwritten on a rolling basis.

10. Security

We use appropriate technical and organisational measures to protect personal data — including encryption in transit, hashed passwords, access controls and logging. No system is perfectly secure, but we work to keep your data safe and, where the law requires, we will notify you and the relevant authority of a personal-data breach without undue delay.

11. Your rights

EEA and UK (GDPR / UK GDPR)

Subject to conditions in the law, you have the right to:

• access a copy of your personal data;
• have inaccurate data corrected and incomplete data completed;
• have your data erased ('right to be forgotten');
• restrict or object to processing, including processing based on legitimate interests and any direct marketing;
• receive your data in a portable, machine-readable format;
• withdraw consent at any time, without affecting processing already carried out; and
• lodge a complaint with a supervisory authority — in the Netherlands, the Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl); in the UK, the Information Commissioner's Office (ico.org.uk).

California (CCPA / CPRA)

California residents have the right to know what personal information we collect and how we use it, to request access to and deletion or correction of it, and to be free from discrimination for exercising these rights. We do not sell or share personal information as defined under the CCPA/CPRA. You may use an authorised agent to make a request, and we will verify your identity before responding.

Australia (Privacy Act / APPs)

If you are in Australia, you may request access to and correction of your personal information, and you may complain to us and then to the Office of the Australian Information Commissioner (oaic.gov.au) if you are not satisfied with our response.

How to exercise your rights

Email us at [email protected]. We will respond within the timeframe required by the applicable law (generally one month under the GDPR). Exercising your rights is free, except where requests are manifestly unfounded or excessive. We may need to verify your identity first.

12. Children

Vuci is not directed at children. We do not knowingly collect personal data from anyone under 16 (or the minimum age of digital consent in your country, and never under 13). If you believe a child has given us personal data, contact us and we will delete it.

13. Changes to this policy

We may update this policy as the Service evolves or the law changes. We will post the new version here with an updated date and, for material changes, notify you in-app or by email.

14. Contact and complaints

Privacy questions or requests? [email protected] · Contact us. You can also complain to your local data-protection authority, as noted in section 11.