01 / Who we are and what this covers

Aran Labs LLC controls the data behind REC.

REC Content Studio is operated by Aran Labs LLC (United States). This notice explains what personal data we collect when you apply for preview access, use the studio, record interviews, and pay for a subscription, and what rights you have over that data — including under the EU/UK GDPR if you are located in the EEA, UK, or Switzerland.

This notice also covers people who appear in a recording as an interviewee or guest, even if they never create a REC account. If you are an interviewee with a question about a recording, contact us using the details at the bottom of this page.

02 / What we collect

Account details, your recordings, and what it takes to bill you.

Account and application data: your email, name, an optional work link, and what you want to record, collected when you apply for preview access or sign in.

Optional marketing data: your email address, consent timestamp and notice version, subscription status, and unsubscribe token when you separately choose to receive REC launch or product-update emails.

Session content: source recordings, transcripts and timestamped transcript segments, the research dossier and interview questions we prepare, a small ledger of live follow-up questions shown during recording and whether you accepted, dismissed, or skipped them, and any highlight or clip records you generate. Evidence quotes and model reasoning used to prepare a live suggestion are not stored in that ledger. Recordings and transcripts capture whoever appears in the session, including interviewees without an account.

Billing data: your subscription plan and status, invoice history, and payment metadata handled through Stripe. We do not receive or store your full card number.

Usage and security logs: a limited, allow-listed set of acquisition and product events, such as public-page views, preview application milestones, completed sign-in, interview creation, research and camera readiness, recording and upload completion, highlights, clip export or sharing, and repeat sessions. REC also stores bounded AI-operation facts — provider response ID, model, job type, token and web-search counts, estimated list-price cost, stable failure code, and queue or execution timing — so reliability and spend can be monitored. These records never include prompts, responses, form answers, names, email addresses, recording or transcript content, source material, raw error messages, or full URLs.

Attribution data: the landing path, a named page variant, the referring domain (not the referring URL), and sanitized UTM source, medium, campaign, content, and term when those labels are present. REC does not store raw IP addresses for analytics.

03 / How AI is used

AI powers research, questions, live follow-ups, and highlight recommendations.

When you start a session, REC may search current public web sources about the identity or topic you provide, then sends that research material together with your supplied context to Anthropic's Claude models to prepare a research dossier and interview questions.

During recording, if compatible live transcription is available, timestamped transcript segments are stored with the session and sent to Anthropic to prepare optional follow-up questions while you record and to recommend highlight moments afterward. A follow-up appears as a suggestion that you choose whether to ask; REC never asks it automatically. If transcription is unavailable, REC continues recording with the reviewed question plan and skips transcript-dependent suggestions rather than inventing them. AI output can be incomplete or inaccurate — see our Terms of Service for the full disclaimer.

04 / Lawful bases for processing

We rely on different legal bases depending on the data.

Contract: processing your account, session content, and AI-assisted research and recording features is necessary to provide the service you signed up for.

Legal obligation: we keep certain billing and tax records because the law requires it, even after you close your account.

Legitimate interests: we keep limited security and audit logs to detect abuse, and use privacy-minimized first-party measurement to understand whether public pages and the preview funnel work, balanced against your privacy interests. This notice is a description of the implementation, not legal advice; the chosen basis still requires jurisdiction-specific review.

Consent: REC relies on a separate, optional, unchecked opt-in for launch and occasional product-update emails. Applying does not depend on agreeing to marketing, and you can withdraw consent at any time through the unsubscribe link in a message. REC will ask separately before introducing advertising measurement, cross-site tracking, or non-essential browser storage where consent is required.

05 / Retention and deletion

You can request deletion, and we target a one-month turnaround.

Preview applications carry a 180-day retention date. Anonymous acquisition events expire after 3 months. Application-linked and authenticated funnel events, privacy-minimized attribution records, AI usage facts, and AI job observations expire after 13 months. Security and audit logs normally expire after 365 days. Nightly database jobs enforce those analytics and logging retention dates.

If you opt in to launch or product-update emails, REC keeps your email and consent record while you remain subscribed. After you unsubscribe, REC keeps the address and opt-out status as a suppression record so it is not added back to marketing by mistake, unless a valid deletion request requires a different result.

Session content — context, dossier, questions, recording, transcript segments, and highlight records — does not yet expire automatically, so request deletion when you no longer need it.

You can request access, export, or erasure of your data through your account or by emailing us; requests are logged and we target responding within one month, consistent with GDPR's data-subject request timeline. Erasure requests move your account into a deletion-pending state immediately, then a reviewed process cancels your subscription, removes stored recordings and transcripts, deletes your Stripe customer record, and removes your authentication identity, subject to any records we must keep for legal or tax obligations.

You can also generate an authenticated export of your account data, including linked analytics events, AI usage and job observations, and temporary signed links to your recordings, from your account settings.

06 / Who we share data with

A small set of processors run the service with us.

Supabase: our database, authentication, and file storage provider, hosting recordings and structured session data behind owner-scoped access rules.

Stripe: handles subscription billing and payment processing. Stripe receives your payment details directly; we receive subscription status and invoice metadata.

Anthropic: processes the research material and session context you submit to generate dossiers, reviewed interview questions, optional live follow-up questions, and highlight recommendations.

Railway: hosts the application infrastructure that runs REC.

We do not sell your personal data, and we do not use your content to train AI models. Each processor is contractually limited to processing data on our instructions for the purposes described here.

07 / International transfers

Data may be processed outside your home country.

Aran Labs LLC and its processors are primarily based in the United States. If you are located in the EEA, UK, or Switzerland, your data will be transferred to and processed in the United States and other countries where our processors operate. We rely on the processors' Standard Contractual Clauses and equivalent transfer safeguards for these transfers, and we review subprocessor locations as part of our security practices.

08 / Your rights

You can access, correct, move, restrict, or delete your data.

Depending on your location, you have the right to access the personal data we hold about you, correct inaccurate data, request erasure, receive a portable copy of your data, object to or restrict certain processing, and withdraw consent where processing is based on consent. You will not be charged for exercising these rights except where the law allows a reasonable fee for excessive requests.

Every launch or product-update email must include a clear unsubscribe route. Withdrawing from marketing does not affect your application, account, or necessary service messages.

To exercise any of these rights, contact us at the email below or use the export and deletion request options in your account. We may need to verify your identity before acting on a request.

09 / Cookies and analytics

REC uses no analytics cookie or persistent visitor profile.

We use strictly necessary cookies to maintain your authenticated session and keep the studio working — for example, Supabase authentication cookies. First-party funnel measurement does not set or read an analytics cookie, local-storage identifier, fingerprint, or cross-site identifier. Anonymous page events are not joined into a visitor profile.

First-touch attribution is held only in page memory during normal in-app navigation and is stored only if you submit a preview application; conversion-touch attribution is stored with that application. A reload can reset first touch, which is an intentional privacy tradeoff. Because the current measurement does not use non-essential cookies or comparable device storage, REC does not display an analytics cookie banner. We will revisit consent and this notice before changing that design.

10 / Changes to this notice

We'll post updates here as the product and its data use evolve.

We may update this privacy notice as REC changes. Material changes will be posted here with a new effective date, and where practical we will notify account holders directly.