We know you care about your privacy and confidentiality, and we do too. We wrote this page to answer your questions about your data: how we use it, store it, share it, and delete it.
Here is a summary of our policies, followed by a detailed Q&A:
- Your Project Information is confidential, even from Descript.
- If you delete your data from Descript, we permanently delete it from our servers.
- Our systems and implementation measures are compliant with the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR).
- We have taken measures to comply with SOC 2 certification and expect to be formally certified by Q1 2020.
How does Descript use my data?
Descript stores your Project Information — which includes the files you upload to Descript, the transcripts of those files, and other metadata included inside a Project — on our servers. This allows us to offer you features such as live collaboration, full version history of your Projects, and access to your Projects from any computer.
We don't use your Project Information for anything other than providing the service we offer — e.g. we don’t sell it; we don’t use it for marketing; we don’t use it for advertising.
Your Project Information is even confidential from us. The exception is if you specifically ask us to look at a Project for the purpose of customer service, or if you explicitly opt-in to sharing Project Information (e.g. the results of your automatic transcriptions) with us for the purpose of improving the quality of the algorithms we use to provide our service.
We use the services of third-party suppliers such as Google, Amazon, and Stripe. We list exactly what we share and why below.
We use your name to make the experience of using Descript more personal. That is, we’ll say “Hi, Johnny,” not “Hi, User.” If you collaborate on a Project in Descript, your collaborators will also see your name when you interact with them by doing things like leaving a comment or sharing a Project.
When you log in, we use your password to validate your account.
We use your email address as your main identifier in Descript and as the primary way to contact you.
How we share your email address
Intercom to provide customer support
Intercom is the messaging platform we use to answer customer questions. We share your email with Intercom, so we can send you emails from Intercom to answer your questions.
Stripe to process subscription payments — you may opt in
Stripe is our payments processor. When you sign up for a paid subscription, we share your email address with Stripe. Stripe uses your email address to send payment receipts and to contact you if your payment method stops working.
A paid account is entirely optional. You can try Descript without providing any billing information. Also, if you decide to go for a paid subscription, you may change your mind and cancel your subscription at any time from your Account page.
Descript marketing emails — you may opt out
In addition to sending emails about your account, we may also email you information about Descript. You may unsubscribe from these emails at any time by clicking the link in the footer of the email.
When you sign up for a paid account, we collect billing details including your credit card information and billing address. We use this information to collect payments.
How we share your billing details
Stripe to process subscription payments — you may opt in
Stripe is our payments processor. When you sign up for a paid account, Stripe uses your billing details to process your payments on our behalf, prevent credit card fraud, and prepare invoices when requested.
A paid account is entirely optional. You can try Descript without providing any billing information. Also, if you decide to go for a paid subscription, you may change your mind and cancel your subscription at any time from your account page.
Media files, transcripts, and Descript Projects
We use the audio, video, and transcript files you upload to Descript to create your Descript Projects.
How we share your files, transcripts, and Projects
Google Cloud Speech-to-Text to provide automatic transcription
Google only accesses or uses your data to complete the automatic transcription service. Shortly after completing the service, Google deletes your data from its servers. As the only HIPAA-compliant automatic transcription service, Google is an extremely privacy-friendly transcription service.
Amazon AWS to store your files
After the initial transcription, Descript stores your audio, video, and transcription data on Amazon AWS, the same service used by the CIA and thousands of other organizations that prioritize security.
Rev to provide human-powered transcription
If you request a human transcription, we will share your audio files with Rev, which has strict confidentiality agreements with all of its employees.
To improve Descript — you may opt in
You can choose to share your transcription information with Descript to help improve the quality of our service. This option is disabled by default and can only be enabled by you. You can change this setting from your Descript account at any time.
We collect usage analytics on how you use the app to detect bugs and ensure that our software is behaving as expected. We do not access or collect information from your confidential Projects or files. Your usage data is deleted if you delete your account.
How we share your usage data
Segment to organize and analyze it
We use Segment to consolidate and organize usage data so we can analyze it effectively.
How does Descript protect my data?
We encrypt it
Any data that’s uploaded to Descript is stored in an encrypted database while at rest. Any time your data is “in transit,” it is encrypted over HTTPS, the industry standard for secure internet transactions. This means that the data you send to and from Descript is secure, even if your network is not secure, such as when you’re on a public Wi-Fi network.
We have a Data Protection Officer
At Descript, we have implemented a set of internal policies and procedures related to data protection that all our employees must follow. We have designated a Data Protection Officer who is accountable for enforcing these policies and ensuring that data protection issues are promptly communicated to our CEO.
We map our data inventory
Our Data Protection Officer works closely with our engineering team to ensure that we always know what user data we have, where we’re storing it, and who has access to it.
We have Third Party Service Agreements in place
We only work with third-party suppliers that have strict data protection policies and are willing to commit to data processing agreements that preserve the privacy of our users and their data.
We are working on SOC 2 compliance
We are preparing to have a Certified Public Accounting firm audit our internal measures and controls regarding data protection against the SOC 2 standards. We expect to receive this certification by Q1 2020.
Is Descript CCPA and GDPR Compliant?
Yes, our systems and implementation measures are fully compliant with the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR). Under these regulations, you have a number of rights:
Right to access
Most of your personal data in Descript is visible from your account page. To access your account, click on the circle with your initials in the top right corner of Descript. If you want a detailed report, send a Subject Access Request to email@example.com.
Right to be forgotten
When you delete a Project from Descript, we delete it permanently from our servers within 30 days. If you delete your user account, all data associated with your account is permanently deleted.
Right to be informed
You have the right to know all the personal information we have on you and what we are doing with it — that’s why we wrote this page. If you have additional questions, email us at firstname.lastname@example.org.
Right to equal services and price
Descript will not increase the price or decrease the quality of the service for any customer who exercises their rights under these regulations.
Right to withdraw consent
You have the right to withdraw consent for us to process your data. In the section above, we describe the different levels of consent you can agree to and how to give and withdraw consent — for example, you can unsubscribe from some emails, or you can choose to share your transcript data to improve our transcription accuracy. To withdraw your consent completely, simply delete your Descript account.
Right to portability
You have the right to obtain all of the personal data Descript has on you in a structured and commonly used format. We will gladly prepare this for you at your request. To initiate this request, send us an email at email@example.com.
Right to correction
Most of your personal data can be modified from your Descript account page. To access your account, click on the circle with your initials in the top right corner of Descript. If you would like us to make any modifications for you, just send us a request at firstname.lastname@example.org.
Right to object
We only use your personal data for the purpose of providing you with our service. If you think we are not honoring this, send an email describing the issue to email@example.com and we will start an investigation right away.
Right to stop automated decision-making
Our system doesn't do any automatic profiling to make decisions. If for any reason you believe that we are making automatic decisions and you would like us to stop, email firstname.lastname@example.org describing the issue and we will start an investigation right away.
Right to stop processing and right to stop third-party transfer
If you’d like Descript to stop processing your personal data or stop third-party transfers, simply delete your Descript account. By doing so, all your data will be permanently deleted.
Where can I ask other questions about data protection?
If you have any questions or comments regarding how Descript protects your data or about our compliance with any of the regulations mentioned above, you can email our Data Protection Officer at email@example.com.