SpeechApp Privacy Policy

Effective date: 25 Sep 2025 • Version: 2.0 (Worldwide)

This Privacy Policy explains how Mindloop Apps Ltd. (”Mindloop”, “we”, “us”) processes information when you use SpeechApp: Speech to Text for iOS. This policy is designed for worldwide availability and aligns with major privacy regimes including GDPR/UK GDPR, US state privacy laws (e.g., CPRA), LGPD (Brazil), and PIPEDA (Canada).

Controller
‍Mindloop Apps Ltd. • Agion Omologiton 15, 1080 Nicosia, Cyprus
Contact: [email protected]

Territorial scope. We offer the Service globally (subject to App Store availability). Features or notices may differ by region to meet local legal requirements. Where local law conflicts with this policy, the stricter requirement applies.

1. Scope & audience

• Service: SpeechApp: Speech to Text (iOS; global distribution where available).
• No user accounts.
• General‑audience app (see Children & Teens for regional age thresholds).

2. Data we process

A. Content you provide (core function)

• Voice audio you record to obtain a transcript and optional prompt‑based edits.Processing locations: uploaded to our infrastructure on AWS (us‑east‑1, USA) and to OpenAI API to perform speech‑to‑text and text transformations.Retention (ours): audio on our storage is automatically deleted within 24 hours of upload.We do not store transcripts/prompts/outputs after delivery.OpenAI retention: OpenAI may retain audio, transcripts, prompts, and outputs under its API policies.

B. App diagnostics & analytics

• Amplitude / Firebase Analytics / Crashlytics default telemetry (e.g., device model/OS, app version, language, event/funnel data, crash logs, vendor identifiers such as Amplitude Device ID / Firebase Instance ID).Purpose: product analytics, A/B testing, stability/quality.Retention: by vendors per their configurations (we target ≤24 months where configurable).Location signals: we do not request location permissions; providers may infer coarse location from IP by default.

C. Purchases/subscriptions metadata

• Processed via Apple In‑App Purchase and RevenueCat (entitlements, purchase status, non‑financial identifiers). We do not receive payment card numbers or full billing details.

D. Support communications

• If you email support, we process your message contents and attachments. If you start email from within the app, your device identifier is appended to help with troubleshooting.

3. Purposes & legal bases

• Core processing: capture audio, run transcription/transformations with OpenAI, return results, operate queues/retries.
  GDPR/UK GDPR basis:performance of a contract (Art. 6(1)(b)).
• Diagnostics/analytics & fraud prevention: measure performance, debug, improve features, run A/B tests.
  Basis: legitimate interests (Art. 6(1)(f)); where local law requires it for analytics SDKs, we obtain consent and honor withdrawal.
• Purchases/compliance: validate subscriptions and entitlements; maintain tax/audit records.
  Basis: contract (6(1)(b)) and legal obligation (6(1)(c)).
• Support: respond to inquiries and resolve issues.
  Basis: contract (6(1)(b)) and legitimate interests (6(1)(f)).

We do not use data for targeted advertising and do not sell or share personal information for cross‑context behavioral advertising.

4. AI/ML specifics

• Inference location:third‑party API (OpenAI).
• Model training: we do not train or fine‑tune our models on your content.
• Human review: none by us.
• Biometrics: we do not create or store voiceprints or perform biometric identification.
• History: we do not persist prompts/transcripts/outputs on our servers. OpenAI may retain data under its policies.
• Downstream restrictions: vendors act as processors/service providers; secondary advertising use is prohibited by contract.

5. Vendors/Processors

We use the following service providers (examples of data and region):

• Amazon Web Services, Inc. — S3/CloudFront/Lambda, us‑east‑1 (USA): audio objects, transient job metadata.
• OpenAI, L.L.C. — API for speech‑to‑text and text operations: audio, transcripts, prompts/outputs as required by the API.
• Amplitude, Inc. — product analytics/A‑B testing: event telemetry, device/app metadata, vendor IDs.
• Google LLC (Firebase + Crashlytics) — analytics and crash reporting: diagnostics, event telemetry, vendor IDs.
• RevenueCat, Inc. — subscription status/entitlements: receipt references, product IDs, entitlement status.

All vendors process data under data‑processing agreements. For transfers from the EEA/UK to countries without adequacy decisions (e.g., the United States), we rely on Standard Contractual Clauses (SCCs) and, for the UK, the UK IDTA/Addendum, with additional safeguards. Where available, we may also rely on a vendor’s valid Data Privacy Framework certification.

6. Retention

• Audio uploads (our storage): auto‑deleted within 24 hours.
• Transcripts/prompts/outputs:not stored by us after delivery; may be retained by OpenAI per its policies.
• Analytics/diagnostics & purchase metadata: retained by vendors under their default schedules (target ≤24 months for analytics where configurable).
• Operational logs: ≤30 days; Security logs: ≤90 days.
• Support emails: retained as long as needed to handle your request and maintain records, unless you request deletion where feasible.
  

Backups age out on rolling cycles.

7. Security

• Encryption: TLS in transit; S3 SSE‑S3/SSE‑KMS at rest.
• Access control: least‑privilege IAM, scoped keys, audit trails, periodic access reviews.
• Operational safeguards: vulnerability management, logging/monitoring, change control, incident response.
• Infrastructure: region‑scoped resources (US), monitoring and backups as appropriate.

No method of transmission or storage is 100% secure; we implement measures appropriate to the risk.

8. Children & teens

General‑audience app. Do not use while driving or operating machinery.

• United States (COPPA): we do not knowingly collect personal information from children under 13.
• EEA: local digital‑consent age may be up to 16; a parent/guardian should provide required consent.
• UK: digital‑consent age is 13.
• Brazil (LGPD): parental consent required for children under 12.

We do not offer user accounts; audio is transient.

9. Your choices & rights

• Permissions: Microphone is required for speech capture; revoke in iOS settings.
• Analytics controls: Restrict analytics via device settings and in‑app controls (where available). Where law requires consent for analytics SDKs, we will seek consent.

EEA/UK (GDPR/UK GDPR)

Rights to access, rectification, erasure, portability, restriction, objection (including to analytics based on legitimate interests). Response within 1 month (extendable by 2 months for complexity). You may lodge a complaint with your supervisory authority.

Brazil (LGPD)

Rights to confirmation/access (typically within 15 days), correction, anonymization/blocking/deletion, portability, information on sharing/consent, and revocation of consent.

United States (CPRA and similar)

Rights to access, deletion, correction, portability, opt‑out of sale/sharing/targeted advertising (not applicable as we do not sell/share), limit sensitive data, and appeal (where provided). Response within 45 days (extendable by 45).

Canada (PIPEDA)

Rights to access and correct personal information and to complain to the Office of the Privacy Commissioner of Canada.

Submit requests:[email protected]. We may verify via device identifiers and purchase receipts.

10. Do Not Track / IDFA

We do not request or use IDFA and do not engage in cross‑app tracking. Where local law requires consent for analytics/SDK signals, we will seek consent and honor withdrawal.

11. International transfers

Primary content hosting is in the United States (AWS us‑east‑1). For transfers of personal data from the EEA/UK to countries lacking adequacy decisions, we implement SCCs and the UK IDTA/Addendum, supported by transfer impact assessments and technical/organizational safeguards (e.g., encryption, access controls, minimization). Where applicable, we may also rely on a vendor’s valid Data Privacy Framework certification.

12. Regional disclosures

• EU/EEA:Mindloop Apps Ltd. is established in the EU (Cyprus) and acts as controller. EU Art. 27 representative: not required due to EU establishment.
• UK: If UK GDPR Art. 27 applies, we will appoint a UK representative and update this policy with contact details.
• Canada (PIPEDA): Contact us to access/correct personal information or file a complaint.
• Australia & others: You may have additional local rights; we will honor them where applicable.

13. Changes to this policy

We may update this policy. We will post the new version in‑app and update the effective date. Material changes may be highlighted via an in‑app notice.

14. Contact

Questions or requests: [email protected]

Appendix A — California “Notice at Collection” (summary)

Categories collected: audio content (user‑provided); identifiers/usage/diagnostics (vendor IDs, device/app metadata, crash logs); purchase metadata (entitlements/receipts via Apple/RevenueCat); communications (support emails).

Purposes: provide and improve the service (transcription/transformations), analytics/diagnostics/A‑B testing, subscription validation, support.

Retention: audio on our storage ≤24h; logs ≤30–90d; analytics per vendor settings (target ≤24 months); support emails retained as needed.

Sensitive data: none intentionally collected beyond the voice audio you submit for the core function.

Sale/Sharing: No.

Appendix B — EEA/UK lawful‑basis matrix

Appendix C — Permissions rationale

• Microphone: record audio for transcription (core function).
• No location, contacts, camera, or photo library permissions.