Privacy Policy

Introduction

SpeakToNotes ("we," "us," "our") operates the website https://speaktonotes.com, the SpeaktoNotes mobile applications for iOS and Android, and the SpeaktoNotes desktop applications for macOS and Windows (collectively, the "Services"). We are a sole trader business registered in New Zealand with NZBN 9429053108999, operating from Nelson, New Zealand 7020.

This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Services on any platform - iPhone, iPad, Android, Mac, Windows, or the web. This policy applies to information we collect through the Services and in email, text, and other electronic messages between you and the Services.

Our Services are primarily intended for users in New Zealand, Australia, United Kingdom, Canada, and the United States.

Please read this Privacy Policy carefully. By using the Services, you agree to the collection and use of information in accordance with this policy.

Contact Information:
Email: reubenscott@speaktonotes.com
Address: Nelson, New Zealand 7020

Table of Contents

1. Information We Collect
2. How We Use Your Information
3. Disclosure of Your Information
4. Data Retention
5. Data Storage and Transfer
6. Third-Party Services
7. Your Privacy Rights
8. Security of Your Information
9. Children's Privacy
10. Changes to This Privacy Policy
11. Contact Us

1. Information We Collect

We collect only the information necessary to provide, maintain, and improve our Services across all platforms.

Information You Provide to Us

Registration Information:

• Email address (required for account creation)
• Password (encrypted using bcrypt hashing with salt)
• Display name or username (optional)
• Account preferences and settings
• Time zone and language preferences (if provided)

We do NOT require: real name, phone number, physical address, date of birth, or government identification.

Payment Information:

• Payment information is processed exclusively through Stripe (PCI-DSS compliant)
• We do NOT store your complete credit card numbers, CVV codes, or full payment card details
• We store only: subscription status, plan type, subscription dates, and anonymized payment references

Voice Recordings and Transcriptions:

• Audio recordings are processed immediately upon upload, regardless of which platform (iOS, Android, Mac, or Windows) you recorded on
• Audio files are transmitted directly to our transcription service providers for processing
• Audio files are NOT stored on our servers
• Audio files are deleted immediately after transcription is complete
• We cannot retrieve or recover your original audio recordings after processing
• Text transcriptions are stored in your account and synced across all platforms

IMPORTANT: Once audio is transcribed, only the text transcription exists. The original audio recording is permanently deleted and cannot be recovered.

Information Automatically Collected

When you use our Services on any platform, we automatically collect minimal information:

Account and Authentication Data: Account creation date, last login date/time, account status, subscription tier, email verification status.

Usage Analytics (Privacy-First):

• User registration events (date/time only)
• Login and logout events (date/time, success/failure)
• Transcription creation events (date/time, duration, success/failure)
• Note editing events (date/time, type of action)
• Subscription events (date/time, plan type, action)
• Feature usage events (which features, how often)
• Error events (type, timestamp, affected feature - no personal data)

Technical Information (Minimal):

• Operating system type (iOS, Android, macOS, Windows, etc.) - collected only to prioritize platform development
• Browser type and version - collected only for compatibility testing
• Screen resolution category (mobile, tablet, desktop)
• Transcription success/failure status
• API response times and performance metrics

What We Explicitly DO NOT Collect

• IP addresses (not collected for analytics)*
• Precise geolocation or GPS coordinates
• Device identifiers (IMEI, MAC address, advertising IDs)
• Device fingerprints
• Detailed browsing behavior
• Third-party cookies or tracking pixels
• Cross-site tracking data
• Keystroke patterns or typing behavior
• Clipboard data
• Microphone or camera access outside of explicit recording sessions
• Files on your device outside of files you explicitly upload
• Contact lists or social connections
• Behavioral profiles

*IP Address Exception: IP addresses are temporarily processed in-memory only for: rate limiting, DDoS mitigation, fraud detection, and immediate security threats. They are discarded within seconds and never written to permanent storage.

Authentication and Session Management

We use JSON Web Tokens (JWT) for secure, stateless authentication across all platforms:

• Tokens expire after 24 hours (7 days with "Remember Me")
• We do NOT use cookies for authentication, tracking, or any other purpose
• No cookie consent banner is required

2. How We Use Your Information

We use information collected only for:

Essential Service Delivery

• Create, maintain, and authenticate your account across all platforms
• Process your voice recordings through transcription services
• Generate and deliver text transcriptions
• Store, organize, and display your notes
• Synchronize your data across devices (iOS, Android, Mac, Windows)
• Process and manage your subscription payments

Customer Support

• Respond to support requests and inquiries
• Troubleshoot technical issues across platforms

Product Improvement

• Understand aggregate usage patterns
• Identify which features are used most
• Determine which platforms to prioritize
• Monitor transcription quality

All analytics use aggregated, anonymized data only - no Google Analytics or third-party tracking.

Communications (Transactional Only)

Account confirmation, password reset, subscription notifications, payment receipts, security alerts.

We do NOT send marketing emails, newsletters, or promotional offers.

Security and Legal Compliance

• Detect and prevent fraud, unauthorized access, and abuse
• Comply with applicable laws and respond to valid legal requests

3. Disclosure of Your Information

We do not sell, rent, or trade your personal information. We share your information only with:

OpenAI / Groq (Transcription Services)

• Data Shared: Audio recordings only (real-time processing from any platform)
• Retention: Audio deleted after processing
• Training: API data is NOT used to train AI models

Stripe (Payment Processing)

• Data Shared: Billing name, email, payment card info, transaction amounts
• Security: PCI-DSS Level 1 certified

Google Cloud Platform (Hosting Infrastructure)

• Data Shared: All stored data (accounts, transcriptions, usage data)
• Location: Primarily United States
• Security: SOC 2, ISO 27001 certified

What We Absolutely DO NOT Do

• Never sell or rent your data
• Never share for marketing purposes
• Never use your content for AI training
• Never track you across the web
• Never share without your knowledge (except as legally required)

4. Data Retention

Active Accounts

Your data is retained and synced across all platforms while your account is active. "Active" means you have a current subscription OR have logged in within 12 months.

Voice Recordings

Audio is NEVER stored - deleted immediately after transcription, regardless of which platform you recorded on.

Inactive Accounts

After 12 months of no login: email notifications sent at 10 and 11.5 months. After 12 months, scheduled for deletion within 90 days.

Payment Records

Transaction records retained for 7 years as required by New Zealand tax law. We store only minimal data: transaction dates, amounts, invoice numbers, payment status.

Backups

Retained for up to 90 days on a rolling basis. Encrypted and stored securely. Not accessible to users.

5. Data Storage and Transfer

Our Services utilize cloud infrastructure located internationally. By using the Services on any platform, you consent to your data being transferred internationally.

• Primary Storage: United States (Google Cloud Platform)
• Third-Party Processing: OpenAI/Groq (US), Stripe (global), Google Cloud (US + global regions)

International Data Transfer Safeguards

• Technical: TLS 1.2+ encryption in transit, AES-256 at rest, bcrypt password hashing, secure authentication
• Contractual: Service provider agreements requiring confidentiality and data protection
• Organizational: Internal data protection policies, incident response procedures

6. Third-Party Services

OpenAI / Groq (AI Transcription)

Audio recordings from any platform (iOS, Android, Mac, Windows) are transmitted to our transcription providers in real-time. OpenAI states they do NOT use API data for training. We cannot independently verify third-party compliance.

Stripe (Payments)

PCI-DSS Level 1 certified. We do NOT have access to your complete credit card numbers or CVV codes.

Apple App Store, Google Play Store, Microsoft Store (Platform Distribution)

The Services are distributed through platform app stores. Your use of the app downloaded from these stores is also subject to each store's terms and conditions. Information collected by app stores (such as download analytics) is governed by their respective privacy policies, not ours.

Google Cloud Platform (Hosting)

All data stored in our Services resides on Google Cloud infrastructure. Maintains SOC 2, ISO 27001, and other certifications.

7. Your Privacy Rights

Rights Under New Zealand Privacy Act 2020

• Right to Access: View and download your data from your account, or contact us. Response within 20 working days.
• Right to Correction: Update account information and edit transcriptions at any time.
• Right to Deletion: Delete individual notes or your entire account at any time.
• Right to Complain: Contact the NZ Privacy Commissioner: https://www.privacy.org.nz

GDPR Rights (EEA/UK Users)

While not required to comply with GDPR, we honour: right to access, rectification, erasure, restrict processing, data portability, object to processing, and withdraw consent.

CCPA Rights (California Residents)

We do NOT sell your personal information. You have rights to know, delete, and non-discrimination.

Australian Privacy Act

We extend similar privacy protections to Australian users under the Australian Privacy Principles.

How to Exercise Your Rights

• Self-Service: Log into your account on any platform to access, download, edit, or delete your data
• Contact Us: reubenscott@speaktonotes.com with subject "Privacy Rights Request"
• Response Times: NZ: 20 working days, GDPR: 30 days, CCPA: 45 days

8. Security of Your Information

Technical Measures

• Encryption: TLS 1.2+ in transit, AES-256 at rest, bcrypt password hashing
• Authentication: JWT tokens with 24hr/7day expiry, rate-limited login attempts
• Infrastructure: Google Cloud Platform (SOC 2, ISO 27001), firewall protection, DDoS mitigation
• Application: Input validation, CSRF/XSS/SQL injection protection, secure headers

Platform-Specific Security

• iOS: App data stored in encrypted app sandbox, Keychain used for sensitive credentials
• Android: App data stored in encrypted app sandbox
• macOS/Windows: Application-level encryption for stored credentials

Data Breach Response

• Investigation and containment of breach
• Notification to affected users if serious harm may result
• Notification to NZ Privacy Commissioner as required by law
• Target: within 72 hours of confirming a notifiable breach

9. Children's Privacy

• You must be at least 16 years old to use our Services on any platform
• We do NOT knowingly collect information from children under 16
• If you are a parent/guardian and believe your child has provided personal information, contact us immediately

10. Changes to This Privacy Policy

Minor Changes (clarifications, formatting): May be made without advance notice.

Material Changes (data collection, sharing, retention): 30 days advance email notice, prominent website notice, summary of key changes. You may delete your account or export your data before changes take effect.

Current Version: 3.0 - Last updated: March 5, 2026

11. Contact Us

Email: reubenscott@speaktonotes.com
Business: SpeakToNotes (sole trader)
NZBN: 9429053108999
Address: Nelson, New Zealand 7020

Response Times:

• General inquiries: Within 5 business days
• Privacy rights requests: Within 20 working days
• Security reports: Within 48 hours

Regulatory Authority:
New Zealand Privacy Commissioner
Website: https://www.privacy.org.nz
Phone: 0800 803 909 (within New Zealand)