Trust & Security
The receipts behind our privacy promise. Last updated: May 2, 2026.
Privacy promise, in plain language
- ✓You choose how long audio is kept.The default is 90 days from upload, but the picker on the upload page lets you set anything from "delete the moment transcription completes" up to one year.
- ✓Encrypted in transit and at rest. All traffic is HTTPS. Audio at rest in Cloudflare R2 is encrypted with AES-256.
- ✓Never used to train AI.The OpenAI API agreement explicitly excludes API traffic from model training. We don't fine-tune models on user data either.
- ✓Never sold or shared.We have no data-sale business model. Only the subprocessors listed below see your data, and only for what they're named below.
- ✓Delete anytime. One-click delete for individual transcriptions or your entire account.
Subprocessors
These are the third-party services that process your data, what they do, where they run, and a link to their DPA.
| Provider | Purpose | Region | DPA |
|---|---|---|---|
| Vercel | Application hosting (Next.js runtime, edge network) Request metadata, server logs | EU (Frankfurt) | DPA → |
| Cloudflare R2 | Encrypted object storage for uploaded audio files Audio/video files (uploaded), encrypted at rest | EU | DPA → |
| Modal | Serverless compute that runs the transcription worker Audio temporarily streamed through ephemeral container filesystem during transcription. Modal does not yet offer EU regions for our workload tier. | US | DPA → |
| OpenAI | Speech-to-text transcription via the API (gpt-4o-transcribe-diarize) Audio sent for transcription. Per OpenAI policy: not used for training, retained ≤30 days for abuse monitoring. EU data residency is enterprise-tier only. | US | DPA → |
| Neon | PostgreSQL database hosting (transcripts, account info — no audio) Account info, transcripts, billing references | EU (Frankfurt) | DPA → |
| Stripe | Payment processing Card details (handled by Stripe — never touch our servers), billing email | EU / Global (PCI-DSS) | DPA → |
| Clerk | Authentication and user management Email, name, OAuth tokens, session data | EU | DPA → |
| Resend | Transactional email delivery Recipient email, message content (transcript-ready notifications) | EU | DPA → |
| Plausible | Privacy-friendly website analytics (no cookies, no PII) Page-view counts, aggregate event counts. No personal identifiers. | EU | DPA → |
Data residency
We are an EU-based company (Klarweb, Oslo) and pick EU data residency wherever the provider supports it. Today that means:
- Audio storage — Cloudflare R2, EU jurisdiction.
- Database — Neon, Frankfurt (eu-central-1).
- Hosting — Vercel, Frankfurt (fra1).
- Authentication — Clerk, EU instance.
- Email — Resend, EU sending region.
- Analytics — Plausible, EU.
Two subprocessors still run in the United States: Modal (the transcription worker) and OpenAI (the speech-to-text model). Audio transits through both during the few minutes it takes to transcribe, then leaves no persistent copy on either. EU/US transfers for these two rely on Standard Contractual Clauses (SCCs). If your use case requires zero US transit, message us via the contact page before uploading sensitive content.
GDPR posture
If you're in the EU/EEA, you have the right to access, rectify, port, and erase your personal data. The shortcuts:
- Access / portability — export every transcript and account record from your profile page.
- Erasure — delete individual transcriptions, or delete your entire account (Profile → Delete account). Account deletion removes audio, transcripts, billing references, and all associated subprocessor records.
- Rectification / objection — message us via your in-app inbox and we'll respond within the GDPR-mandated 30 days.
Encryption
- In transit — all browser ↔ server traffic is TLS 1.2+. Database connections to Neon use SSL.
- At rest — Cloudflare R2 encrypts uploaded audio with AES-256 server-side. Neon database storage is encrypted.
- Card data — handled exclusively by Stripe (PCI-DSS Level 1). Card numbers never touch our servers.
What we do not have
In the spirit of being honest about what we are and aren't:
- SOC 2 / ISO 27001— not certified. We're a small team and haven't pursued formal audits yet. If you need SOC 2 for procurement, message us — we can talk about timelines.
- HIPAA BAA— we don't sign Business Associate Agreements. Don't upload PHI.
- 100% EU-only data residency — storage, database, hosting, auth, email, and analytics are all EU. Two subprocessors (Modal compute, OpenAI transcription) still run in the US; SCCs in place for those transfers. Reach out if your case requires zero US transit before uploading.
Reporting a security issue
Found a vulnerability? Message us via /contact with the details. We respond to security reports within 72 hours.