Privacy Policy

Scriba Technologies Ltd (“Scriba”, “we”, “us” or “our”) is committed to protecting personal data and respecting the privacy of individuals who use our website and our platform. This Privacy Policy explains how and why we collect and use personal data:

  • When you visit our website or contact us directly (where Scriba acts as a Data Controller); and
  • When our platform is used by schools, multi-academy trusts and other organisations to record and transcribe meetings on their behalf (where Scriba acts as a Data Processor).

This Privacy Policy applies to website visitors, customer administrators, platform users and meeting participants. It does not cover staff or employee data, which is addressed in a separate policy.

1. About us

Our site is owned and operated by Scriba Technologies Ltd, a limited business incorporated in England under company number 15899866. Our registered address is Unit 1a Brewery Court, North Street, Bristol BS3 1JS.

For personal data collected through our website and business activities, Scriba Technologies Ltd is the Data Controller.

If you wish to contact us about this Privacy Policy or how your personal data is handled, you can do so by email at privacy@scriba.co.uk or by post at the address above. Scriba is registered with the Information Commissioner’s Office (ICO).

2. What Does This Policy Cover?

This Privacy Policy explains how personal data is handled when you interact with Scriba through our website and when our platform is used by schools, multi-academy trusts and other organisations.

It applies to:

  1. Visitors to our website;
  2. People who submit enquiries or request demonstrations;
  3. Customer administrators and business contacts;
  4. Users of the Scriba platform; and
  5. Individuals whose personal data appears in recorded meetings and transcripts.

Where the Scriba platform is used by a school, trust or other organisation, that organisation is responsible for providing its own privacy information to meeting participants and pupils.

This Privacy Policy does not apply to:

  • Third-party websites that may be linked from our website; or
  • Staff or employee personal data, which is covered by a separate policy.

3. What Is Personal Data?

Personal data is defined by the UK GDPR and the Data Protection Act 2018 as ‘any information relating to an identifiable person who can be directly or indirectly identified.’

In simple terms, personal data is any information about you that enables you to be identified. This includes obvious information such as your name and contact details, but also less obvious information such as identification numbers, electronic location data and online identifiers.

In the context of the Scriba platform, personal data may also include audio recordings of meetings, voice data, written transcripts and summaries, and information discussed during meetings. This may sometimes include information about children or special category data such as health, safeguarding or SEND information, depending on how the platform is used by the Customer organisation.

4. Data Protection Roles

Scriba has different responsibilities depending on how personal data is processed.

Website and business users: 

When you interact with our website (www.scriba.co.uk) or contact us directly, Scriba acts as a Data Controller. This means we decide how and why your personal data is processed.

Platform users and meeting participants:

When the Scriba platform is used by a school, multi-academy trust or other organisation (including for recordings, transcripts and summaries of meetings), Scriba acts as a Data Processor.

The Customer organisation is the Data Controller and is responsible for determining:

  • The purpose of processing;
  • The lawful basis;
  • What data is recorded and how long it is kept; and
  • How rights requests are handled.

Scriba processes personal data only on the Customer’s documented instructions in accordance with its Data Processing Agreement. Scriba does not determine the purposes or lawful basis for processing platform data and acts only on the documented instructions of the Customer organisation.

Meeting participants should refer to the relevant organisation’s privacy notice for information about how their personal data is used.

5. Personal Data We Collect

Website and business users (Scriba as Data Controller)

We may collect and process the following categories of personal data:

  1. name, job title and organisation
  2. email address, telephone number and postal address
  3. enquiry and demonstration request details
  4. account administrator and billing contact information
  5. support requests and correspondence
  6. marketing preferences (where applicable)
  7. IP address and device information
  8. browser type and website usage data; and 
  9. cookies and analytics data

We do not intentionally collect children’s personal data through our website.

Platform users and meeting participants (Scriba as Data Processor)

When the Scriba platform is used by schools, multi-academy trusts and other organisations, Scriba processes personal data solely on behalf of the Customer organisation and in accordance with its Data Processing Agreement.

This may include:

  1. audio recordings of meetings;
  2. voice data (which may constitute biometric data only where processed by the Customer organisation for identification purposes);
  3. meeting transcripts and summaries;
  4. names and roles of attendees;
  5. opinions, comments and discussion content;
  6. agendas and supporting documents uploaded to the platform.

This may include special category data such as health information, safeguarding matters, SEND information or disciplinary discussions, and may include personal data relating to children where the platform is used by schools, multi-academy trusts and other organisations.  The Customer organisation is responsible for identifying and relying on an appropriate Article 9 condition for processing such data.

The Customer organisation is responsible for:

  1. determining the lawful basis for processing;
  2. providing privacy information to individuals;
  3. responding to rights requests;
  4. setting retention periods; and 
  5. ensuring appropriate safeguards are in place

Meeting participants should refer to the relevant organisation’s privacy notice for further information about how their personal data is used.

6. How We Use Your Personal Data

How we use personal data depends on whether you are interacting with our website and business services (where Scriba acts as Data Controller) or whether your data is processed through the Scriba platform (where Scriba acts as Data Processor).

Website and business users (Scriba as Data Controller)

We use personal data for the following purposes:

  • to respond to enquiries and demonstration requests;
  • to create and manage customer accounts;
  • to administer contracts and billing;
  • to provide technical support and customer communications;
  • to operate and manage our business;
  • to improve our website and services;
  • to send service-related and administrative communications;
  • to send marketing communications where permitted by law and in accordance with your preferences; and
  • to comply with legal and regulatory obligations.

Marketing Communications

We may send service-related and business communications. Marketing communications will only be sent where permitted by law and in accordance with your preferences.  We do not use automated profiling for marketing.

You can opt out of marketing communications at any time using the unsubscribe link in our emails or by contacting us directly.

We do not share personal data with third parties for their own marketing purposes.

Platform users and meeting participants (Scriba as Data Processor)

When the Scriba platform is used by schools, multi-academy trusts and other organisations, personal data is processed solely on their behalf and in accordance with their documented instructions and the Data Processing Agreement.

Personal data processed through the platform is used only to:

  • record meetings;
  • generate transcripts and summaries using AI-enabled tools;
  • store and retrieve meeting content;
  • allow authorised users to review and manage meeting records;
  • support accessibility and inclusion where required; and
  • provide and maintain the platform services.

Scriba does not determine how meeting content is used by the Customer organisation.

AI and Automated Processing

Scriba uses artificial intelligence to convert audio recordings into written transcripts and summaries.

AI-generated outputs:

  • are provided to assist users only;
  • may not be fully accurate;
  • must be reviewed by humans before being relied upon; and
  • are not used for automated decision-making with legal or similarly significant effects.

Scriba does not carry out profiling and does not make automated decisions about individuals.

Scriba does not use Customer recordings, transcripts or meeting content to train generative intelligence models unless expressly agreed in writing with the Customer.

Use for Compatible Purposes

We will only use personal data for the purposes for which it was originally collected unless we reasonably consider that another purpose is compatible with those original purposes.

Where required by law, we will inform you and explain the legal basis for any new use of your personal data.

In limited circumstances, we may be required to process personal data without your knowledge or consent where this is required by law.

7. Lawful Bases for Processing

Under the UK GDPR, personal data must be processed on a lawful basis. Which lawful basis applies depends on whether Scriba is acting as a Data Controller (for website and business users) or as a Data Processor (for platform users and meeting participants).

Website and business users (Scriba as Data Controller)

We rely on the following lawful bases when processing personal data collected through our website and business activities:

  1. Contract – where processing is necessary to provide our services, manage customer accounts, or administer contracts and billing;
  2. Legitimate interests – to operate and manage our business, respond to enquiries, provide support and improve our website and services, provided those interests are not overridden by your rights and freedoms;
  3. Consent – where required for cookies and marketing communications; and
  4. Legal obligation – where we must comply with applicable laws and regulatory requirements.

8. Retention of Website and Business Data

This section applies only to personal data collected through our website and business activities where Scriba acts as Data Controller.

Typical retention periods include:

  • enquiries and demonstration requests – typically up to 12 months, although this may be longer where necessary for business, legal or regulatory purposes;
  • customer contact and account data – for the duration of the contract and up to 6 years afterwards;
  • support records – up to 2 years;
  • marketing data – until consent is withdrawn; and
  • cookie data – as set out in our Cookies Policy.

For personal data processed through the Scriba platform (including recordings, transcripts and summaries), retention periods are determined by the Customer organisation. Scriba retains such data only in accordance with the Customer’s documented instructions and its Data Processing Agreement.

We retain personal data only for as long as necessary for the purposes for which it was collected, including legal and contractual requirements.

9. Sharing Your Personal Data

How personal data is shared depends on whether Scriba is acting as a Data Controller (for website and business users) or as a Data Processor (for platform users and meeting participants).

Website and business users (Scriba as Data Controller)

We may share personal data with trusted third parties who provide services to support our operations, including:

  1.   hosting and cloud infrastructure providers;
  2. customer support and communications platforms;
  3. analytics providers; and
  4. professional advisers, such as legal and accounting services.

These third parties act as data processors and are required to process personal data securely and only in accordance with our instructions.

We do not sell personal data and do not share personal data for third-party marketing purposes.

We may also disclose personal data where required to do so by law, regulation, court order or a competent authority.

Platform users and meeting participants (Scriba as Data Processor)

For personal data processed through the Scriba platform (including recordings, transcripts and summaries), Scriba acts only on behalf of the Customer organisation.

Personal data may be shared only with:

  1. approved sub-processors (such as cloud hosting and technology providers); and
  2. where required by law or regulatory obligation.

All sub-processors are engaged under written agreements that impose data protection obligations no less protective than those in Scriba’s Data Processing Agreement.

A list of Scriba’s approved sub-processors is available on request.

10. International Transfers

Personal data may be transferred outside the United Kingdom where we use service providers or sub-processors that operate internationally, such as cloud hosting or technology providers.

Where Scriba transfers personal data outside the United Kingdom (whether as a Data Controller for website and business data or as a Data Processor for platform data), we ensure that appropriate safeguards are in place in accordance with Chapter V of the UK GDPR. These safeguards include:

  1. transfers to countries subject to UK adequacy regulations;
  2. the use of the UK International Data Transfer Agreement (IDTA); or
  3. the UK Addendum to the EU Standard Contractual Clauses.

For personal data processed through the Scriba platform, international transfers are carried out only in accordance with the Customer’s instructions and Scriba’s Data Processing Agreement.

Further information about safeguards is available on request.  Scriba’s preference is that personal data is processed within the United Kingdom or the European Economic Area, wherever possible.

11. What Are My Rights?

Under the UK GDPR and the Data Protection Act 2018, individuals have certain rights in relation to their personal data.

How these rights are exercised depends on whether Scriba is acting as a Data Controller (for website and business users) or as a Data Processor (for platform users and meeting participants).

Website and business users (Scriba as Data Controller)

If you are a website visitor, enquiry contact or customer administrator, you have the right to:

  1. be informed about how your personal data is used;
  2. request access to the personal data we hold about you;
  3. request correction of inaccurate or incomplete personal data;
  4. request deletion of your personal data in certain circumstances;
  5. request restriction of processing;
  6. object to processing based on legitimate interests;
  7. withdraw consent where processing is based on consent;
  8. request data portability where applicable; and
  9. not be subject to automated decision-making or profiling. Scriba does not carry out such processing.

Requests relating to website and business data should be made using the contact details set out in Clause 1 of this Privacy Policy.

You also have the right to lodge a complaint with the Information Commissioner’s Office if you believe your personal data has been processed unlawfully. We encourage you to contact us first so that we can try to resolve any concerns.

Platform users and meeting participants (Scriba as Data Processor)

If your personal data appears in recordings, transcripts, or summaries created using the Scriba platform, the relevant school, academy trust, association or Customer organisation is the Data Controller and is responsible for handling your data protection rights.

Requests relating to platform data (including access, deletion or correction) must be made directly to the Customer organisation.

If Scriba receives a rights request relating to platform data, we will refer it to the relevant Customer organisation in accordance with our Data Processing Agreement.

12. Data Collection Summary (Website Users)

Website and business users (Scriba as Data Controller)

When you visit our website, contact us, request a demonstration or act as an account or billing contact for a Customer organisation, we may collect and process the personal data set out below.

This section applies only to website and business users.

 

Data Collected How We Collect the Data Retention Period
Identity Information, including  name, job title, role, and organisation name Provided by you when completing enquiry forms, requesting a demo, registering an account or corresponding with us For the duration of the business relationship and up to 6 years afterwards, for legal and contractual purposes
Contact information, including email address, telephone number, and postal address Provided directly by you when contacting us or entering into a contract. For the duration of the business relationship and up to 6 years afterwards
Account and administrative information, including Account administrator details, billing contacts, and user credentials (where applicable) Provided by the Customer organisation or entered by authorised users For the duration of the contract and up to 6 years after termination
Support and communications data, including Support requests, emails, messages and correspondence with Scriba. Provided by you when you contact our support team Typically up to 2 years after resolution of the issue, although this may be retained for longer where required for contractual, operational or legal purposes.
Marketing and preferences data (if applicable), including newsletter subscriptions, communication preferences Provided by you when you opt in to receive communications Until consent is withdrawn or you opt out
Technical and usage data, including IP address, browser type and version, device information, operating system, and pages visited Collected automatically when you use our website through cookies and similar technologies Typically up to 12 months
Analytics data, including Website usage statistics and performance data Collected via analytics tools such as Google Analytics (or similar) As set out in our Cookies Policy
Data from third parties, including business contact details. Provided by Customer organisations or business partners, where appropriate and lawful For the duration of the business relationship and up to 6 years afterwards

We do not intentionally collect personal data relating to children through our website. Retention periods may be extended where required by law (for example, for accounting or regulatory purposes) or where necessary to establish, exercise or defend legal claims.

Platform Data (Scriba as Data Processor)

Information about personal data processed through the Scriba platform is set out in Section 5(B) of this Privacy Policy.

When the Scriba platform is used by schools, multi-academy trusts and other organisations, Scriba processes personal data on their behalf as a Data Processor and only in accordance with their documented instructions and the Data Processing Agreement.

Retention periods for platform data are determined by the Customer organisation in accordance with its own policies and legal obligations.

13. How and Where Do You Store or Transfer My Personal Data?

We take the security of personal data seriously and use appropriate technical and organisational measures to protect it from loss, misuse, unauthorised access or disclosure.

How and where personal data is stored depends on whether it relates to website and business users (where Scriba acts as Data Controller) or platform users and meeting participants (where Scriba acts as Data Processor).

Website and business users (Scriba as Data Controller)

Personal data collected through our website and business operations is stored securely using cloud-based systems and service providers.

Data is primarily stored within the United Kingdom and/or the European Economic Area (EEA), unless otherwise stated.

Where personal data is transferred outside the UK, we ensure appropriate safeguards are in place in accordance with Chapter V of the UK GDPR, including:

  1. UK adequacy regulations; or
  2. the UK International Data Transfer Agreement (IDTA); or
  3. the UK Addendum to the EU Standard Contractual Clauses.

Further information about the safeguards used for international transfers is available on request.

Platform users and meeting participants (Scriba as Data Processor)

Personal data processed through the Scriba platform (including recordings, transcripts and summaries) is stored and encrypted at rest in the United Kingdom and processed within the United Kingdom and the European Economic Area on behalf of the Customer organisation.

The Customer organisation determines where platform data is hosted and how long it is retained, subject to Scriba’s contractual arrangements, including the Data Processing Agreement, and security standards.

Where platform data is transferred outside the UK, Scriba ensures that appropriate safeguards are in place in accordance with the Data Processing Agreement and Chapter V of the UK GDPR, including the use of approved contractual transfer mechanisms.

14. Security Measures & Data Breaches

Scriba implements appropriate technical and organisational measures to protect personal data, including appropriate measures such as:

  1. encryption of data in transit and at rest;
  2. access controls and user authentication;
  3. segregation of customer data;
  4. audit logging and monitoring;
  5. secure cloud infrastructure;
  6. regular security testing and updates;
  7. staff confidentiality obligations; and
  8. incident response and breach management procedures.

Access to personal data is limited to authorised personnel and approved sub-processors who require access in order to provide and support the services.

Data Breaches

Scriba has procedures in place to deal with suspected personal data breaches and will notify the relevant Customer organisation and, where required by law, the Information Commissioner’s Office in accordance with the UK GDPR and the Data Processing Agreement.

15. Do You Share My Personal Data?

We only share personal data where necessary and in accordance with data protection law. How personal data is shared depends on whether Scriba acts as a Data Controller or Data Processor.

Website and business users (Scriba as Data Controller)

We may share personal data with trusted third parties who provide services to support our business operations, including trusted service providers such as:

  1. cloud hosting and IT service providers
  2. customer support and communications platforms
  3. analytics providers
  4. professional advisers, such as legal and accounting services

These third parties act as data processors and are required to process personal data only on our instructions and in accordance with data protection law.

We may also disclose personal data:

  1. where required by law or regulation
  2. in connection with legal proceedings
  3. to regulatory or law enforcement authorities; or
  4. if our business or assets are transferred as part of a sale, merger or restructuring of all or part of our business.

In such cases, appropriate safeguards will be applied.

We do not sell personal data and do not share personal data with third parties for their own marketing purposes.

Platform users and meeting participants (Scriba as Data Processor)

For personal data processed through the Scriba platform, Scriba acts only on behalf of the Customer organisation.

Personal data may be shared only with approved sub-processors engaged to provide the platform services, or where required by law or regulatory obligation.

All sub-processors are engaged under written agreements that impose data protection obligations no less protective than those in Scriba’s Data Processing Agreement.

Scriba does not disclose meeting recordings, transcripts or summaries to third parties for its own commercial or analytical purposes.

The Customer organisation remains responsible for determining who has access to meeting content and how it is shared.

16. How Can I Control My Personal Data?

You can manage your marketing and communication preferences by using the unsubscribe links in our emails or by contacting us using the details in this Privacy Policy.

For personal data processed through the Scriba platform, requests must be made to the relevant organisation, which is the Data Controller.

17. How Can I Access My Personal Data?

Under the UK GDPR and the Data Protection Act 2018, you have the right to request access to personal data held about you. This is known as a Subject Access Request (SAR).

Website and business users (Scriba as Data Controller)

If you are a website visitor, enquiry contact, customer administrator or business contact, you may request:

  1. confirmation of whether we hold personal data about you
  2. a copy of that personal data
  3. information about how it is used

Requests should be made in writing using the contact details set out in this Privacy Policy.

We will normally respond within one month of receiving your request. In complex cases, this period may be extended by up to a further two months, in accordance with the UK GDPR. You will be informed if an extension is required.

There is usually no charge for making a request. However, we may charge a reasonable fee or refuse to act on a request if it is manifestly unfounded or excessive, in accordance with the law.

Platform users and meeting participants (Scriba as Data Processor)

If your personal data appears in recordings, transcripts or summaries created using the Scriba platform, your request must be made to the relevant school, academy trust, association or Customer organisation that arranged the meeting.

Scriba acts only as a Data Processor in relation to this data and does not determine how it is used or retained.

If Scriba receives a request directly from a meeting participant, we will refer the request to the Customer organisation in accordance with our Data Processing Agreement.

18. How Do You Use Cookies?

How We Use Cookies – (Website only)

Our website uses cookies and similar technologies to help it function properly and to understand how visitors use the site. Cookies are small text files placed on your device when you visit a website. Cookies used on the Scriba website relate only to website activity and do not apply to recordings, transcripts or other content processed through the Scriba platform.

Types of Cookies We Use

We use the following categories of cookies:

Strictly necessary cookies

These are required for the website to operate securely and correctly.

Analytics cookies

These help us understand how visitors use our website so that we can improve its performance and usability.

We may use services such as Google Analytics (or similar) to collect aggregated and pseudonymised usage information about how the website is used.

We do not use cookies for behavioural advertising or profiling.

Cookie Consent

When you visit our website, you will be shown a cookie banner allowing you to accept or manage your cookie preferences.

You can change your cookie preferences at any time using the cookie management tool on our website or through your browser settings.

Strictly necessary cookies are used where required for the operation of the Website. Analytics cookies are used only with your consent.

Managing Cookies

Most web browsers allow you to control cookies through their settings. You can choose to block or delete cookies, but doing so may affect how the website functions.

19. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in law, guidance, technology or how we operate our services.

When we make changes, the updated version will be published on our website with a revised “last updated” date.

Where changes are significant, we will take reasonable steps to bring them to the attention of users.

We recommend that you review this Privacy Policy periodically so that you remain informed about how personal data is handled.

This Privacy Policy was last updated on: 20.3.2026