Privacy Policy

Last updated: April 15, 2026

Tablingo ("we", "our", or "us") is an independently operated service. For the purposes of applicable data protection law, Tablingo (independently operated) is the data controller of personal data collected through this service. Contact details are provided in Section 14.

This policy explains what data we collect, how we use it, the legal basis on which we process it, your rights under applicable law, and how we handle international data transfers.

1. What We Collect

Account information: Your email address and a hashed (PBKDF2-SHA256) version of your password when you register.
Subscription information: Your subscription tier (free or Pro), subscription status, and the end date of your current billing period. This is stored in our database via Stripe webhooks.
Audio data: When you use the extension, short audio segments from the active tab are sent to OpenAI's Whisper API for transcription. We do not store, record, or log any audio. Audio is transmitted only for the purpose of generating subtitles and is not retained after the API call completes.
Website session data: When you sign in on our website, two items are stored in your browser's localStorage: (1) your authentication token (lt_token), used to authenticate API requests on your behalf; and (2) your account information (lt_user), a small JSON object containing your email address and subscription tier, used to personalise the website UI without additional server calls. Both items remain on your device, are never transmitted independently, and are removed automatically when you sign out.
IP address (rate limiting): When you make API requests (transcription or translation) as a free or unauthenticated user, your IP address is temporarily recorded in our rate-limiting system to prevent abuse. IP addresses are stored for approximately 25 hours and then automatically deleted. They are never linked to your identity, used for tracking, or disclosed to third parties. Authenticated Pro users are rate-limited by account ID rather than IP address, so their IP addresses are not stored for this purpose.
Legacy activation-code users: If you activated Tablingo with a one-time activation code, your IP address at the time of activation is stored alongside the activation record. This record expires automatically after the subscription duration (maximum 1 year) and is then deleted.
Free-tier usage counter: For authenticated users on the free plan, we track your cumulative audio transcription time server-side (in seconds) to enforce the 10-minute lifetime limit. This counter is stored by account ID with no automatic expiry — it is deleted when you delete your account. It is never used for purposes other than enforcing the free-tier limit.

Note on sensitive data in audio: Audio captured by the extension may incidentally contain special category data as defined by GDPR Article 9 — for example, a speaker's health information, religious views, or political opinions present in the audio content. Tablingo does not intentionally collect or process such data. Because audio is processed in real time and immediately discarded after each transcription call, no special category personal data is retained by Tablingo at any point.

2. What We Do Not Collect

We do not record, store, or retain any audio from your tabs.
We do not collect browsing history, tab URLs, or page content.
We do not use tracking pixels, third-party analytics, or advertising networks.
We do not sell your data to any third party.

3. How We Use Your Data

Email address: Used to identify your account and send essential transactional communications (e.g., password reset).
Subscription data: Used to determine your feature access (free vs. Pro).
Audio data: Sent to OpenAI for real-time transcription only. OpenAI's data usage is governed by OpenAI's Privacy Policy.

4. Third-Party Services

OpenAI: Audio is sent to OpenAI Whisper for speech-to-text transcription, and transcribed text is sent to GPT-4o-mini for translation. In accordance with OpenAI's API usage policy, data submitted via the API is not used to train OpenAI's models by default, and OpenAI does not retain API inputs and outputs beyond what is necessary for safety monitoring and abuse detection. See OpenAI Privacy Policy and OpenAI Usage Policies.
Stripe: Payments are processed entirely by Stripe. When you make a payment, your card number, billing name, and address are submitted directly to Stripe's servers and are never transmitted to or stored by Tablingo. Tablingo receives only a Stripe customer ID and subscription status via webhook, solely to determine your access tier. See Stripe Privacy Policy.
Cloudflare: Our API and website are hosted on Cloudflare Workers and Pages. See Cloudflare Privacy Policy.

5. Data Retention

Your account data (email, password hash, subscription status) is retained until you delete your account. Audio data is never stored — it is processed in real time and discarded immediately after transcription.

Data	Retention period
Email address & password hash	Until account deletion
Subscription status	Until account deletion
Audio data	Never stored — discarded immediately after each API call
IP address (free/unauthenticated rate limit)	~25 hours, then auto-deleted
IP address (legacy activation code)	Until activation record expires (max 1 year), then auto-deleted
Free-tier usage counter (cumulative transcription seconds)	Until account deletion (no automatic expiry)

6. Legal Basis for Processing

If you are located in the European Economic Area (EEA), the United Kingdom, or another jurisdiction with similar data protection law, we process your personal data on the following legal bases:

Account information (email address, password hash): Processing is necessary for the performance of a contract — specifically, to create and maintain your Tablingo account and provide you with access to the service.
Subscription information: Processing is necessary for the performance of a contract — to determine and enforce which features you are entitled to access under your chosen subscription tier.
Audio data: Processing is necessary for the performance of a contract — real-time transcription and translation is the core function of Tablingo and cannot be provided without transmitting audio to OpenAI. Audio is not retained after each API call completes.
Transactional communications (e.g., password reset emails): Processing is necessary for the performance of a contract and our legitimate interest in keeping your account secure and accessible.
Free-tier usage counter: Processing is necessary for the performance of a contract — tracking cumulative transcription time is required to enforce the free-tier limit that is a defined term of the free plan.
IP address (rate limiting): Processing is based on our legitimate interests in preventing abuse and maintaining service availability for all users.

We do not process your data for any purpose beyond what is described in this policy. We do not use your data for automated decision-making or profiling.

7. International Data Transfers

Tablingo is an independently operated service. The third-party providers we use are headquartered in the United States, which means your personal data may be transferred to and processed in the United States — a jurisdiction outside the European Economic Area (EEA).

We rely on the following safeguards to ensure your data receives an adequate level of protection during these transfers:

OpenAI: OpenAI offers a Data Processing Addendum (DPA) that incorporates Standard Contractual Clauses (SCCs) approved by the European Commission for international transfers. When you use Tablingo, your audio and transcribed text are transferred to OpenAI under these mechanisms.
Stripe: Stripe is certified under the EU–US Data Privacy Framework and provides SCCs for data transfers from the EEA to the United States.
Cloudflare: Cloudflare participates in the EU–US Data Privacy Framework and provides SCCs. Your account data and API requests are routed through Cloudflare's global network.

You can request more information about the specific transfer mechanisms we rely on by contacting us as described in Section 14.

8. User Responsibility for Audio Consent

Tablingo captures audio from your active browser tab only when you explicitly initiate a transcription session by clicking "Start Translation." The extension does not activate automatically and does not capture microphone input unless the tab's own audio output happens to include it.

By using Tablingo, you acknowledge and agree to the following:

You are solely responsible for ensuring you have all necessary rights, permissions, and consents to capture and transcribe audio from any tab, video, call, meeting, or podcast you direct Tablingo to process.
All-party consent jurisdictions: In jurisdictions that require all-party (two-party) consent for recording conversations — including California (California Invasion of Privacy Act, Penal Code §632), Illinois (Eavesdropping Act), and many EU member states — you must obtain explicit consent from all participants before using Tablingo during any live call or meeting.
Workplace and institutional use: If you use Tablingo in a professional, academic, or institutional context, you are responsible for complying with any applicable policies of your employer, institution, or relevant authority regarding audio capture and transcription.
Prohibited use: Tablingo must not be used to secretly record, transcribe, or monitor any person without their knowledge. Such use may constitute a criminal offence in your jurisdiction regardless of this extension's technical capabilities.

Tablingo is designed for personal accessibility and language-learning purposes — for example, generating subtitles while watching foreign-language videos or understanding audio content in a language you are learning.

9. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data. To exercise any of these rights, please contact us as described in Section 14. We will respond within 30 days.

Rights available to all users:

Right to access: You may request a copy of the personal data we hold about you (email address, subscription status).
Right to correction: You may request correction of inaccurate or incomplete personal data.
Right to deletion: You may request deletion of your account and all associated personal data. We will delete your email address, password hash, and subscription records.
Right to change your password: You may update your password at any time from your account dashboard without contacting us.

Additional rights for users in the EEA, UK, and Switzerland (GDPR / UK GDPR):

Right to restriction of processing: You may request that we restrict the processing of your personal data in certain circumstances — for example, while a dispute about accuracy is being resolved.
Right to data portability: Where processing is based on contract or consent and carried out by automated means, you may request your personal data in a structured, machine-readable format.
Right to object: Where we rely on legitimate interests as the legal basis for processing, you may object to that processing. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.
Right to withdraw consent: Where any processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of processing carried out before the withdrawal.
Right not to be subject to automated decisions: We do not use automated decision-making or profiling that produces legal or similarly significant effects on you.
Right to lodge a complaint: You have the right to lodge a complaint with the data protection authority (DPA) in your country of residence. In the UK this is the Information Commissioner's Office (ICO); in EU member states, your national DPA. A list of EU DPAs is available at edpb.europa.eu.

Additional rights for California residents (CCPA / CPRA):

We do not sell or share your personal information as those terms are defined under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), and have not done so in the preceding 12 months. California residents have the following rights:

Right to know: You may request disclosure of the categories and specific pieces of personal information we have collected about you, the sources of that information, our business purpose for collecting it, and the categories of third parties with whom it is shared.
Right to delete: You may request deletion of personal information we have collected from you, subject to certain legal exceptions.
Right to correct: You may request correction of inaccurate personal information we hold about you.
Right to opt out of sale or sharing: We do not sell or share personal information. No opt-out action is required, but you may contact us to confirm this at any time.
Right to non-discrimination: We will not discriminate against you — including by denying services, charging different prices, or providing a lower quality of service — because you exercised any of your CCPA rights.
Right to limit use of sensitive personal information: We do not use sensitive personal information for any purpose beyond what is strictly necessary to provide the service.

To exercise your CCPA rights, contact us as described in Section 14. We will respond within 45 days as required by California law, with a possible 45-day extension where reasonably necessary.

Rights for Canadian users (PIPEDA / Quebec Law 25):

Tablingo's operations are governed by Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) at the federal level. Canadian users have the following rights:

Right to access: You may request access to personal information Tablingo holds about you and receive an account of how it has been used and disclosed.
Right to challenge accuracy: You may challenge the accuracy and completeness of your personal information and request that it be corrected or annotated.
Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time, subject to legal or contractual restrictions. Note that withdrawing consent may affect our ability to provide the service.
Right to complain: If you believe Tablingo has violated your rights under PIPEDA, you may lodge a complaint with the Office of the Privacy Commissioner of Canada (OPC) at priv.gc.ca.

If you are a resident of Quebec, additional rights under Quebec's Act Respecting the Protection of Personal Information in the Private Sector (Law 25) apply, including the right to data portability and the right to de-indexation (removal of personal information from public accessibility). Complaints may also be directed to the Commission d'accès à l'information (CAI) at cai.gouv.qc.ca.

10. Permissions Used by the Extension

tabCapture: Required to capture audio from the active browser tab for transcription. Audio is never stored.
storage: Used to save your settings (language preferences, subtitle position, font size) and authentication token locally on your device.
offscreen: Required by Chrome's Manifest V3 to process audio in an offscreen document.
activeTab: Required to inject the subtitle overlay into the active tab.

11. Security

Passwords are never stored in plain text. We use PBKDF2-SHA256 with 100,000 iterations. Authentication tokens are short-lived JWTs. All API communication is over HTTPS.

Data breach notification: In the event of a personal data breach that is likely to result in risk to your rights and freedoms, we will notify affected users without undue delay. Where required by applicable law — including GDPR Article 33 — we will also notify the relevant supervisory authority within 72 hours of becoming aware of the breach. Breach notifications to users will be sent to the email address associated with your account.

12. Children's Privacy

Tablingo is not directed to children. We do not knowingly collect personal data from:

Children under 13, as required by the U.S. Children's Online Privacy Protection Act (COPPA); or
Children under 16 (or the applicable minimum age set by their EU member state) without verifiable parental consent, as required by GDPR Article 8. The age of consent for information society services varies across EU member states — it is 16 in countries such as Germany, the Netherlands, and Ireland, and as low as 13 in others.

If you are below the applicable age threshold in your jurisdiction, please do not use Tablingo. If you believe a child below the applicable age has provided us with personal data, please contact us and we will delete it promptly.

13. Changes to This Policy

We may update this policy periodically. The date at the top of this page reflects the most recent revision. Significant changes will be communicated via the website or, where appropriate, by email. Continued use of the extension after changes constitutes acceptance of the updated policy.

14. Contact

For privacy questions, data access requests, or data deletion requests, please contact us through the Chrome Web Store listing support page. We aim to respond to all privacy-related requests within 30 days. If you are located in the EEA or UK and believe we have not adequately addressed your concern, you have the right to lodge a complaint with your local data protection authority (see Section 9).

15. Governing Law

This policy and any disputes arising from it are governed by the laws of the Province of Ontario and the applicable federal laws of Canada, including the Personal Information Protection and Electronic Documents Act (PIPEDA), without regard to conflict-of-law principles.

This governing law clause does not override mandatory protections afforded to you by the law of your country of residence:

Users in the EEA, UK, and Switzerland retain all rights under GDPR and UK GDPR regardless of this clause.
Users in California retain all rights under CCPA/CPRA regardless of this clause.
Users in Quebec retain all rights under Quebec Law 25 regardless of this clause.

Any dispute that cannot be resolved by contacting us (Section 14) will be subject to the non-exclusive jurisdiction of the courts of Ontario, Canada, without prejudice to your right to bring a complaint before your local data protection authority.

16. Geographic Availability

Tablingo relies on OpenAI's API for transcription and translation. OpenAI's services are not available in mainland China; therefore, this extension does not function for users located in mainland China.

Users in Hong Kong, Macau, Taiwan, and other regions outside mainland China are not affected by this restriction. Audio data from those users is transmitted to and processed by OpenAI (United States) in accordance with OpenAI's privacy policy and the international transfer safeguards described in Section 7.

If you are unsure whether OpenAI's services are accessible in your jurisdiction, please verify independently before using this extension.