Privacy Policy

Effective Date: January 29, 2026
Last Updated: January 29, 2026
Version: 2.1

1. Introduction

Welcome to Vowise, an AI-powered voice transcription service. At Vowise, we are committed to protecting your privacy and handling your personal data with care and transparency. This Privacy Policy explains how we collect, use, store, and protect your personal information in compliance with the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA/CPRA), Illinois Biometric Information Privacy Act (BIPA), and other applicable data protection laws.

Data Controller: Vowise
Registered Address: Germany
Contact Email: support_no_spam_@vowise.com
Data Protection Officer: dpo_no_spam_@vowise.com
Website: https://www.vowise.com

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

Email address (required)
Name (optional)
Password (encrypted with bcrypt, we never store plaintext passwords)
Authentication method (email, Google OAuth, GitHub OAuth)

2.2 Voice Data and Biometric Information

"Voice Data" means any audio recordings of your voice and the unique vocal characteristics derived from such recordings, including but not limited to:

Pitch, tone, and timbre characteristics
Speech patterns and cadence
Accent and pronunciation features
Audio waveform data

Important Legal Notice: Depending on your jurisdiction, Voice Data may be classified as biometric data under applicable laws, including:

GDPR (EU): Special category data requiring explicit consent
BIPA (Illinois, USA): Biometric identifier requiring informed written consent
CCPA/CPRA (California, USA): Sensitive personal information

How We Process Voice Data

Purpose	Data Used	Retention	Legal Basis
Transcription Services	Audio files	Deleted immediately after processing	Contract (GDPR Art. 6(1)(b))
User-Saved Recordings	Audio files (if you choose to save)	Until you delete or 90 days after account deletion	Consent (GDPR Art. 6(1)(a))
Service Improvement (optional)	De-identified audio patterns	Up to 3 years (anonymized)	Legitimate Interest with Opt-out

We do NOT:

Create voice fingerprints or voiceprints for identification
Use your voice to create synthetic voices without explicit consent
Sell or share your Voice Data with third parties for their own purposes
Allow third parties to train AI models on your Voice Data

Illinois Residents (BIPA Notice)

If you are an Illinois resident, your Voice Data may constitute biometric identifiers under BIPA. By using our service, you acknowledge:

We collect Voice Data solely for transcription services
We retain Voice Data only as long as necessary (see retention table above)
We will permanently destroy Voice Data when no longer needed
You may withdraw consent at any time by deleting your account

California Residents (CCPA/CPRA Notice)

Your Voice Data is considered "sensitive personal information" under CPRA. We:

Do NOT sell your Voice Data
Do NOT share Voice Data for cross-contextual behavioral advertising
Limit use to what is necessary for transcription services

2.3 Usage Information

We collect data about how you use Vowise:

Access logs: IP addresses (anonymized after 90 days), timestamps, pages visited
Feature usage: Which features you use and how often
Device information: Browser type, operating system, device type
Performance data: Page load times, errors encountered

2.4 Payment Information

We use Stripe to process payments. We do NOT store your full credit card number. Stripe collects:

Card last 4 digits (for display purposes)
Billing address
Payment history

3. Legal Bases for Processing (GDPR Article 6)

If you are located in the EEA, UK, or Switzerland, we process your personal data based on the following legal grounds:

Processing Purpose	Personal Data Used	Legal Basis	Your Rights
Provide transcription services	Account info, audio files, transcriptions	(b) Contract	Terminate contract anytime
Process payments	Payment info (via Stripe), billing address	(b) Contract	Update payment info or cancel
Send service notifications	Email address	(b) Contract + (f) Legitimate Interest	Adjust notification preferences
Improve AI accuracy	De-identified audio patterns	(f) Legitimate Interest	Opt-out available
Prevent fraud and abuse	IP address, usage patterns	(f) Legitimate Interest	Right to object
Comply with legal obligations	All data as required by law	(c) Legal Obligation	Limited (required by law)
Send marketing emails	Email address, name	(a) Consent	Withdraw consent (unsubscribe)
Analytics	IP address (anonymized), device info	(a) Consent	Withdraw via Cookie settings

Understanding Legal Bases

(a) Consent: You give explicit permission. Withdraw anytime.
(b) Contract: Necessary to provide the service you signed up for.
(c) Legal Obligation: Required by law (e.g., tax records).
(f) Legitimate Interest: Valid business reason, balanced against your rights. You have the right to object.

4. How We Use Your Data to Improve Our AI

4.1 What Data We May Use for Training

Data We MAY Use (with opt-out):

Transcription text (de-identified, no personal info)
Audio patterns (fully anonymized, voice characteristics removed)
Correction feedback you provide
Error reports

Data We NEVER Use:

Your raw audio recordings
Personal information that can identify you
Private conversations or sensitive content
Data you have opted out of

4.2 Privacy Protection in Training

When we use data for training, we:

De-identify: Remove all personally identifiable information
Aggregate: Combine data from thousands of users
Remove Voice: Extract only linguistic patterns, remove unique voice characteristics

4.3 How to Opt-Out of AI Training

Method 1: Account Settings

Log in to your account
Go to Settings → Privacy & Data
Toggle "Use my data to improve services" to OFF
Click "Save Preferences"

Method 2: Contact Us

Email privacy_no_spam_@vowise.com with subject "Opt-out of AI Training"

Important:

Opt-out applies to data generated after your request
Previously de-identified data may already be in training datasets
Opt-out does not affect core transcription services

4.4 Third-Party AI Training

We do NOT:

Provide your data to third-party AI companies for their model training
Sell or license your data to AI research companies
Participate in data marketplaces

Specifically, Groq does NOT use your audio to train their models (per our DPA).

5. International Data Transfers

5.1 Primary Storage Locations

Data Type	Primary Location	Backup Location
Account Information	Germany (EU) - Supabase	United States (encrypted)
Audio Recordings	Germany (EU) - Supabase	Deleted after processing
Transcriptions	Germany (EU) - Supabase	United States (encrypted)
Payment Data	United States - Stripe	Stripe-managed

5.2 Third-Party Data Recipients

Recipient	Service	Location	Data Transferred	Safeguards
Groq	AI Transcription	United States	Audio files (temporary)	DPA + SCC + Immediate deletion
Supabase	Database & Auth	Germany (EU)	Account info, transcriptions	DPA + EU hosting
Cloudflare	CDN & Security	Global	IP address, request logs	DPA + SCC
Stripe	Payments	United States	Payment info	DPA + SCC + Data Privacy Framework
Postmark	Email	United States	Email address	DPA + SCC
PostHog	Product Analytics	Germany (EU)	Usage data, device info	DPA + EU hosting

5.3 Transfer Safeguards

For transfers outside the EEA, UK, or Switzerland, we implement:

Standard Contractual Clauses (SCCs): EU-approved contracts with all US processors
EU-U.S. Data Privacy Framework: Some providers are certified (Stripe, Google)
Technical Measures: End-to-end encryption, encryption keys stored in EU
Transfer Impact Assessments: Regular review of US surveillance law implications

You can request a copy of our SCCs by emailing legal_no_spam_@vowise.com

6. Data Retention

Data Type	Retention Period	Reason
Audio files (processing)	Deleted immediately after transcription	Data minimization
Audio files (user-saved)	Until user deletes or 90 days after account deletion	User content ownership
Transcription text	30 days or until user deletes	Service provision
Account data	Until account deletion + 30 days grace period	Account management
Usage logs	90 days (then anonymized)	Security and debugging
Payment records	7 years	Legal requirement (tax)
Support tickets	2 years after resolution	Quality assurance

6.1 Voice Data Retention (Biometric Data)

In compliance with BIPA and similar laws, we will permanently destroy any Voice Data (including any biometric identifiers derived from your voice) no later than3 years after your last interaction with our Services, or when the initial purpose for collecting the data has been satisfied, whichever comes first.

Exception: Data required for legal compliance (e.g., fraud prevention records) may be retained longer as required by law.

7. Your Rights (GDPR, CCPA, and Other Laws)

7.1 Rights for All Users

Right of Access: Request a copy of your personal data
Right to Rectification: Correct inaccurate data
Right to Erasure: Request deletion of your account and data
Right to Data Portability: Export your data in JSON format
Right to Withdraw Consent: Withdraw consent at any time

7.2 Additional Rights for EU/EEA/UK Residents

Right to Restrict Processing: Limit certain processing activities
Right to Object: Object to processing based on legitimate interests
Right to Lodge Complaint: Complain to your local Data Protection Authority

7.3 Additional Rights for California Residents (CCPA/CPRA)

Right to Know: What personal information we collect and how we use it
Right to Delete: Request deletion of your personal information
Right to Opt-Out: Opt-out of "sale" of personal information (we do NOT sell)
Right to Non-Discrimination: No penalty for exercising your rights
Right to Limit Use of Sensitive Personal Information

7.4 How to Exercise Your Rights

We will respond within:

GDPR: 30 days (extendable to 90 days for complex requests)
CCPA: 45 days (extendable to 90 days)

8. Data Controller and Data Processor Roles

8.1 When Vowise is the Data Controller

Scenario: You use Vowise as an individual for personal use

You are the data subject
Vowise is the data controller
This Privacy Policy applies
You can exercise all rights directly with Vowise

8.2 When Vowise is the Data Processor

Scenario: Your employer provides you with a Vowise Enterprise/Team account

Your employer is the data controller
Vowise is the data processor
Your employer's privacy policy applies
Contact your employer first to exercise data rights

8.3 Data Processing Agreement (DPA)

For Enterprise/Team accounts, we sign a DPA with your employer that includes:

Processing only on employer's documented instructions
Confidentiality obligations
Security measures
Sub-processor list and notification
Data breach notification within 24 hours
Standard Contractual Clauses for international transfers

Request a DPA: enterprise_no_spam_@vowise.com

9. Data Security

Encryption in Transit: TLS 1.3 for all connections
Encryption at Rest: AES-256 for stored data
Password Security: bcrypt with cost factor 12
Access Controls: Role-based access, principle of least privilege
Monitoring: 24/7 security monitoring and logging
Audits: Annual security audits and penetration testing

10. Content Moderation and Deep Fake Prevention

10.1 Our Commitment

Vowise is committed to preventing misuse of voice technology. We implement measures to detect and prevent:

Unauthorized use of voice data
Creation of deceptive "deep fake" audio
Identity theft using voice
Violations of our Acceptable Use Policy

10.2 Detection Measures

Suspicious upload pattern detection
Account verification requirements
Content moderation for flagged activity
User reporting mechanisms

10.3 Report Misuse

If you believe your voice has been used without authorization, contact us immediately:

Email: abuse_no_spam_@vowise.com

We investigate urgent cases within 24 hours.

11. Cookies and Tracking Technologies

11.1 What Are Cookies

Cookies are small text files stored on your device when you visit our website. We use cookies, pixel tags, and similar technologies to collect information about your activities on our Services.

11.2 Types of Cookies We Use

Cookie Type	Purpose	Duration	Can Disable?
Strictly Necessary	Authentication, security, session management, CSRF protection	Session / 1 year	No (required for service)
Functional	Language preferences, theme settings, user preferences	1 year	Yes
Analytics	Usage statistics, performance monitoring, error tracking	2 years	Yes (consent required)

11.3 Third-Party Cookies

We may use the following third-party services that set cookies:

Supabase: Authentication tokens
Cloudflare: Security and performance
Stripe: Payment processing (only on payment pages)
PostHog: Product analytics and usage tracking

We do NOT use marketing, advertising, or cross-site tracking cookies.

11.4 Managing Your Cookie Preferences

Cookie Banner: Click "Manage Preferences" when you first visit
Account Settings: Go to Settings → Privacy to update preferences
Browser Settings: Most browsers allow you to block or delete cookies

Do Not Track (DNT): Our website does not currently respond to DNT signals from browsers. However, you can manage your preferences using the methods described above.

12. Children's Privacy

Vowise is not intended for children under 16 (or 13 in the US). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact privacy_no_spam_@vowise.com and we will delete it.

13. Aggregated and Anonymized Data

13.1 How We Use Non-Personal Data

We may use aggregated, de-identified, or anonymized data for:

Product analytics and performance monitoring
Research and development
Public statistics (e.g., "Trusted by 10,000+ users")
Business operations and planning

13.2 Our Commitments

No Re-Identification: We will not attempt to re-identify individuals from anonymized data
No Sale: We do not sell aggregated or anonymized data
Industry Standards: We follow ISO/IEC 20889 anonymization techniques

14. Third-Party Login (OAuth)

If you choose to sign in using Google or GitHub, we receive:

Google: Name, email address, profile picture
GitHub: Username, email address, profile picture

We do NOT receive your password from these providers. We use this information solely for account creation and authentication.

15. Additional U.S. State Disclosures

15.1 California Residents (CCPA/CPRA)

If you are a California resident, you have the following additional rights:

Right to Know: Request disclosure of personal information collected, used, and disclosed
Right to Delete: Request deletion of personal information
Right to Opt-Out of Sale: We do NOT sell your personal information
Right to Non-Discrimination: We will not discriminate against you for exercising your rights
Right to Limit Use of Sensitive Personal Information: Including voice/biometric data

Categories of Personal Information Collected:

Category	Examples	Sold?	Shared for Advertising?
Identifiers	Name, email, IP address	No	No
Commercial Information	Transaction history, subscription status	No	No
Biometric Information	Voice recordings, audio characteristics	No	No
Internet Activity	Browsing history on our site, usage data	No	No
Geolocation	Approximate location from IP	No	No

We do NOT sell personal information or share it for cross-context behavioral advertising.

15.2 Illinois Residents (BIPA)

Under the Illinois Biometric Information Privacy Act (BIPA), your voice data may constitute a biometric identifier. We:

Collect voice data only for transcription services
Do not sell, lease, or trade biometric data
Store voice data no longer than necessary (deleted immediately after transcription unless you save it)
Use industry-standard security to protect biometric data
Will permanently destroy biometric data when the purpose is fulfilled or within 3 years of last interaction

By using our service, you acknowledge and consent to the collection and use of your voice data as described in this policy.

15.3 Other U.S. States

Residents of Colorado, Connecticut, Virginia, Utah, Oregon, Montana, and Texas may have similar rights under their respective state privacy laws. Contact us at privacy_no_spam_@vowise.com to exercise your rights.

15.4 Authorized Agents

In U.S. states where applicable, you may designate an authorized agent to submit privacy requests on your behalf. To verify the agent's authority, we may require:

A signed written authorization from you
Proof of your identity
Verification that the agent is authorized to act on your behalf

Submit authorized agent requests to privacy_no_spam_@vowise.com with subject "Authorized Agent Request".

16. Data Breach Notification

In the event of a data breach that affects your personal data:

We will notify the relevant supervisory authority within 72 hours (GDPR requirement)
We will notify affected users without undue delay if the breach is likely to result in high risk
Notification will include: nature of breach, data affected, consequences, and measures taken

17. Changes to This Policy

We will notify you via email of material changes at least 30 days before they take effect. Continued use after changes constitutes acceptance.

View previous versions: legal_no_spam_@vowise.com

18. Contact Us

General Inquiries: support_no_spam_@vowise.com
Privacy Questions: privacy_no_spam_@vowise.com
Data Protection Officer: dpo_no_spam_@vowise.com
Report Abuse: abuse_no_spam_@vowise.com

19. Supervisory Authority

EU residents may lodge a complaint with their local Data Protection Authority. For Germany:

Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI)
Website: https://www.bfdi.bund.de

20. Mobile Application Privacy Addendum

Specific to Vowise Android & iOS Apps:

20.1 Permissions

Microphone: We request access to your microphone solely to record audio for transcription when you initiate it. We do not record in the background.
Photo Library: We access your photos only when you choose to upload an image for processing or profile customization.

20.2 Account Deletion

You can request the permanent deletion of your account and all associated data directly within the mobile application by navigating to Settings > Profile > Delete Account.

By using Vowise, you acknowledge that you have read and understood this Privacy Policy.

Last updated: January 29, 2026