Scriben.AI

Back to home

SleepMind, Inc. (operating as Scriben)

Last Updated: April 28, 2026

SleepMind, Inc., doing business as Scriben ("Scriben," "we," "us," or "our"), is committed to protecting your privacy. This Privacy Policy describes how we collect, use, store, and share information through our website at https://www.scriben.ai (the "Website"), our mobile and desktop applications, and our AI scribe pen device (collectively, the "Services"). By accessing or using the Services, you agree to this Privacy Policy.

If you do not agree with this Policy, please do not use the Services.

1. Who This Policy Applies To

Who This Policy Applies To

This Privacy Policy applies to:

Visitors — individuals who access the Website and view publicly available content.
Customers — individuals or organizations that register for and use the Services.
Authorized Users — individuals authorized by a Customer to use the Services on the Customer's behalf.

By accessing the Website or using the Services, you agree to this Privacy Policy and our Terms of Use.

Clear enough for first-time use, with extra emphasis on pairing and recording so you can focus on listening and the conversation itself.

Information We Collect

Information We Collect

2.1 Account and Contact Information

When you register for an account or contact us, we collect:

Your name
Your email address
Authentication tokens from your identity provider (Sign in with Apple or Google Sign-In)

We do not collect passwords directly; authentication is handled by Apple or Google.

We do not collect phone numbers, mailing addresses, payment information, or government identifiers

2.2 Service Data (Audio, Transcripts, and AI Output)

"Service Data" means content you create, capture, or generate through the Services, including:

Audio recordings captured by the Scriben pen and streamed in real time over Bluetooth Low Energy (BLE) to the Scriben mobile or desktop application.
Transcripts generated from those recordings.
AI-generated summaries, notes, action items, and structured documents produced from those transcripts.
Conversation metadata such as timestamps and session length.

You retain ownership of your Service Data. We process it solely to provide the Services to you.

2.3 Device and Usage Information

We automatically collect limited technical information necessary to operate and secure the Services, including:

IP address
Device type, operating system, and app version
Session and feature-usage logs
Product analytics and crash diagnostics, collected through Google Firebase (see Sections 7 and 10)

We do not collect:

Apple Identifier for Advertisers (IDFA)
Identifier for Vendors (IDFV)
Other persistent device identifiers
Precise location, contacts, photos, or calendar data

2.4 Microphone Access

The Services require access to your device's microphone (and to the Scriben pen, which contains a microphone) in order to capture audio for transcription. Audio is captured only while a recording session is active and started by you. We do not perform any always-on or background listening.

Clear enough for first-time use, with extra emphasis on pairing and recording so you can focus on listening and the conversation itself.

3. How We Use Your Information

How We Use Your Information

We use the information we collect to:

Provide and operate the Services, including audio capture, transcription, and AI-assisted summarization.
Authenticate you, manage your account, and provide customer support.
Maintain reliability, security, and service quality (including diagnostics, error logging, and abuse prevention).
Comply with legal obligations and respond to lawful requests from authorities.

We do not use your personal information or Service Data for advertising, and we do not sell your personal information.

Clear enough for first-time use, with extra emphasis on pairing and recording so you can focus on listening and the conversation itself.

4. How Your Audio and Transcripts Flow Through Our Systems

Sensitive Professional Data

We believe you should know exactly where your data goes. The current data flow is:

Capture (Pen → Phone). Audio is captured by the Scriben pen and streamed in real time to the paired Scriben app over Bluetooth Low Energy. The BLE link is encrypted using standard Bluetooth link-layer encryption. Scriben does not add an additional end-to-end encryption layer between the pen and the app.
Upload (Phone → Cloud). The Scriben app uploads audio to a Google Cloud Storage bucket operated by Scriben in the us-central1 region (United States). Uploads use HTTPS / TLS in transit. Stored files are encrypted at rest by Google Cloud Storage's default encryption.
Transcription. Audio files are sent from our cloud environment to one of several speech-to-text providers, selected automatically based on the language of the recording:
- Deepgram (Nova-3) — used for English and Spanish recordings.
- Soniox — used for Chinese, French, and Portuguese recordings, and as the fallback provider for other languages.
Each provider processes the audio under its own terms of service and data processing agreement. See Section 7 for sub-processor details and Section 6 for how their terms govern model training.
Summarization and AI Output. Transcripts (and, where required, audio context) may be sent to Google Gemini (Google Cloud) to generate summaries, action items, and other structured outputs at your request. Gemini's processing is governed by Google's Cloud terms.
Storage of Outputs.
- Account and authentication data is stored in Google Firebase (Authentication and related services).
- Transcripts and AI-generated summaries are stored in Scriben's application database, hosted on Google Cloud (us-central1).
- Original audio files are retained in Google Cloud Storage subject to the limits in Section 8 so that you can play back, re-process, and re-export your recordings.

All Scriben-controlled storage is located in the United States (Google Cloud, us-central1). Your data is not stored in or transferred to mainland China.

Clear enough for first-time use, with extra emphasis on pairing and recording so you can focus on listening and the conversation itself.

5. Regulated and Privileged Data — Current Capabilities and Limits

HIPAA and Healthcare Data

We want to be precise about what the Services are configured to handle today, so you can make an informed decision before submitting sensitive content.

5.1 What the Services are configured for today

Scriben provides general-purpose audio capture, transcription, and AI-assisted note-taking. The current configuration of the Services is suitable for everyday professional and personal use, including meetings, interviews, lectures, and personal notes. Service Data is encrypted in transit and at rest, processed only to deliver the Services to you, and is not used by Scriben to train its own models (see Section 6).

The Services are not currently configured, certified, or marketed as a regulated medical, legal, or financial product. In particular:

Scriben has not entered into a HIPAA Business Associate Agreement with its current sub-processors, and the Services should not be assumed to operate as a HIPAA-eligible environment.
Scriben does not provide a contractual data residency guarantee outside the United States.
Scriben does not currently offer FedRAMP, SOC 2 Type II, ISO 27001, or other formal third-party attestations of its security program.

5.2 HIPAA-covered entities (healthcare)

Customers who are HIPAA-covered entities, or business associates acting on their behalf, should not use the Services to process Protected Health Information (PHI) until a written Business Associate Agreement has been executed between such Customer and Scriben, and Scriben has confirmed in writing that the configuration in use is HIPAA-eligible.

We are actively evaluating a HIPAA-eligible configuration of the Services. When that configuration becomes available, we will update this Policy and offer eligible Customers a written Business Associate Agreement before any PHI is processed. If you would like to be notified when a HIPAA-eligible configuration becomes available, please contact us at the address in Section 15.

5.3 Other regulated and privileged contexts

If you handle data subject to regulatory or professional frameworks that require sub-processor-level contractual controls — such as attorney–client privileged communications, non-public material financial information, government-controlled information, or data subject to FERPA, GLBA, SOX, or similar regimes — you remain solely responsible for determining whether your use of the Services is consistent with those obligations before submitting such information.

Scriben provides general-purpose transcription and note-taking technology. Nothing in this Policy should be read as a representation that the Services are certified or warranted for use with regulated data, and nothing in your use of the Services creates a Business Associate, processor, or service-provider relationship beyond what is set out in a written agreement with Scriben.

AI Processing and Model Training

AI Processing and Model Training

Scriben does not train its own foundation models on your Service Data. We do not run model training pipelines on user audio, transcripts, or summaries.

Each third-party AI and transcription provider's use of your data is governed by that provider's own terms of service and data processing agreement. Default behavior with respect to model improvement, data retention, and data aggregation differs across providers and depends on the contract tier in effect. We encourage you to review the relevant policies:
- Google Cloud — Data Processing Addendum: https://cloud.google.com/terms/data-processing-addendum
- Google Cloud Generative AI — Data Governance: https://cloud.google.com/terms/generative-ai/data-governance
- Deepgram — Privacy & Data Use: https://deepgram.com/privacy
- Soniox — Privacy Policy: https://soniox.com/privacy
We make commercially reasonable efforts to configure each provider in a manner that does not permit our Customers' Service Data to be used to train cross-customer or general-purpose models. Where a provider offers a higher-tier configuration that contractually prohibits such use, we evaluate adopting it on an ongoing basis.
Where a provider offers an opt-out from model-improvement programs that operates under standard service tiers, Scriben has elected that opt-out on behalf of Customers.

If you have specific contractual requirements regarding model training or data residency, please contact us at the address in Section 15 before using the Services.

Clear enough for first-time use, with extra emphasis on pairing and recording so you can focus on listening and the conversation itself.

7. Sub-Processors and Third-Party Services

AI Processing and Model Training

We share data with the following third-party service providers, each of which is bound by contractual confidentiality and data protection obligations. All listed sub-processors process data in the United States.

Google Cloud Platform (us-central1) — provides hosting, Cloud Storage, and our application database. Receives audio recordings, transcripts, summaries, and account metadata.
Google Firebase — provides authentication, account data services, product analytics, and crash diagnostics. Receives email address, name, authentication tokens, app usage events, and crash logs.
Google Gemini (Google Cloud) — generates AI summaries and structured outputs. Receives transcripts and, where required for context, audio.
Deepgram — transcribes English and Spanish audio recordings. Receives audio recordings.
Soniox — transcribes Chinese, French, and Portuguese audio recordings, and serves as the fallback transcription provider for other languages. Receives audio recordings.
Apple (Sign in with Apple) — provides authentication. Receives an Apple-issued identifier and, only if you choose to share it, your email address.

We do not currently use Mixpanel, Amplitude, Segment, Sentry, third-party Crashlytics products other than Firebase Crashlytics, Meta/Facebook SDKs, or any advertising network.

We may also disclose information when required by applicable law, court order, or lawful government request, or where reasonably necessary to protect the rights, safety, or security of Scriben, our users, or the public. In the event of a merger, acquisition, financing, or sale of assets, data may be transferred to a successor entity, subject to the same protections described in this Policy.

We will use commercially reasonable efforts to update this Policy when we add or remove material sub-processors.

Clear enough for first-time use, with extra emphasis on pairing and recording so you can focus on listening and the conversation itself.

8. Data Retention

Data Sharing

We retain personal data and Service Data only for as long as needed for the purposes described in this Policy:

Account information (name, email, auth tokens) is retained for as long as your account remains active.
Transcripts and AI-generated summaries are retained in your account until you delete them or close your account.
Original audio recordings are retained in Google Cloud Storage for a maximum of 365 days from the date of upload, after which they are automatically deleted from our cloud storage. You may delete any specific recording (or all of your recordings) at any time before that period elapses through the Scriben app, or by contacting us at the address in Section 15.
Backups containing Service Data may persist for up to 30 days after deletion before being permanently purged from backup media.
Operational logs (e.g., authentication, request, error logs) are retained for up to 90 days for security and reliability purposes.
Upon account deletion, we will delete or anonymize your personal data and Service Data within a reasonable period (typically within 30 days), except where retention is required by law or to resolve disputes and enforce our agreements.

Clear enough for first-time use, with extra emphasis on pairing and recording so you can focus on listening and the conversation itself.

9. Security

Data Retention

We maintain administrative, physical, and technical safeguards designed to protect your information, including:

HTTPS / TLS encryption for all data in transit between the app and our cloud, and between our cloud and our sub-processors.
Bluetooth link-layer encryption for the connection between the Scriben pen and the Scriben app. Scriben does not implement an additional end-to-end encryption layer over BLE.
Encryption at rest for cloud-stored data (managed by Google Cloud).
Role-based access controls and least-privilege access for Scriben personnel.
Audit logging and activity monitoring for production systems.

No system can be guaranteed to be completely secure. If we become aware of a security incident that materially affects your personal data, we will notify you in accordance with applicable law and within the timeframes required by such law (for example, within 72 hours of becoming aware of an incident falling under the EU GDPR).

10. Analytics

We use Google Firebase Analytics to understand how the Services are used and to improve product quality. Firebase Analytics may collect information such as app open events, feature interactions, session duration, device model, OS version, app version, and crash diagnostics. It does not collect IDFA or IDFV.

Status of opt-out controls. We are aware that current best practice — and, in the European Economic Area, the United Kingdom, and Switzerland, applicable law — calls for granular user control over non-essential analytics, including the ability to opt out (or, in the EEA/UK, the ability to opt in). Scriben does not yet offer an in-app opt-out control or a region-aware default-off mechanism for non-essential analytics. We are working to ship both, and we will update this Policy when those controls become available.

In the meantime:

If you are located in the European Economic Area, the United Kingdom, or Switzerland and would like Scriben to suppress non-essential analytics from your account on a manual basis, please contact us at the address in Section 15. We will honor such requests on a per-account basis pending the in-app control.
If you are located in any other region, you may limit collection by uninstalling the app or by disabling background app refresh in your device settings.

If you reside in California or another U.S. state with comprehensive privacy legislation, you have additional rights described in Section 12.

11. International Data Transfers

International Data Transfers

Our cloud infrastructure, and the cloud infrastructure of our sub-processors listed in Section 7, is located in the United States. If you access the Services from outside the United States, your data will be transferred to and processed in the United States.

Where required by applicable law, we and our sub-processors rely on appropriate transfer mechanisms — including the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, and equivalent safeguards under Swiss law — for transfers of personal data out of the European Economic Area, the United Kingdom, and Switzerland.

We do not currently offer data residency in any region other than the United States.

12. Your Rights and Choices

Subject to applicable law, you may:

Access or correct your account information through the Scriben app.
Delete your recordings, transcripts, summaries, or your entire account by using the in-app delete controls or by emailing us (see Section 15).
Opt out of marketing emails by clicking the unsubscribe link in any marketing message we send.
Manage cookies through your browser settings; disabling cookies may affect Website functionality.

If you reside in the European Economic Area, the United Kingdom, Switzerland, or a U.S. state with comprehensive privacy legislation (including California), you may also have the right to:

Request a copy of your personal data,
Object to or restrict certain processing,
Withdraw consent where processing is based on consent,
Lodge a complaint with your local data protection authority.

To exercise any of these rights, contact us at the address in Section 15. We will respond within the timeframe required by applicable law.

13. Children's Privacy (COPPA)

Children's Privacy

The Services are not directed to children under the age of 13, and we do not knowingly collect personal information from children under 13.

We rely on Sign in with Apple and Google Sign-In as our identity providers; both providers apply their own age-related account restrictions, and we do not offer an alternative registration path that would bypass those restrictions.

If you are a parent or guardian and believe your child has provided personal information to us, please contact us at the email address below and we will promptly delete the information.

For users between 13 and 18, please use the Services only with the involvement of a parent or guardian.

14. Changes to This Policy

Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email (to the address associated with your account) or by a prominent notice in the app or on the Website. The "Last Updated" date at the top of this Policy reflects the most recent revision. Your continued use of the Services after a material change constitutes acceptance of the updated Policy.

15. Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, please contact us:

SleepMind, Inc.(operating as Scriben)
Email: hello@scriben.ai

Privacy requests: emma@scriben.ai
Website: scriben.ai

Questions? hello@scriben.ai