SPOKEN DIARY — Privacy Policy

Last updated: 24-03-2026

AJ Software Innovation B.V. · Groenendaalkade 1, 2103AA · Netherlands

Introduction

At Spoken Diary, privacy is not a compliance checkbox — it is a product requirement. Your diary entries, voice recordings, and family photos are among the most personal data you will ever share with any service. This Privacy Policy explains precisely what we collect, why we collect it, who we share it with, and what rights you have over it.

This policy is written to comply with the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the Dutch GDPR Implementation Act (Uitvoeringswet Algemene Verordening Gegevensbescherming, “UAVG”), and other applicable Dutch and EU law.

Data controller:

AJ Software Innovation B.V.

Groenendaalkade 1, 2103AA, Netherlands

Chamber of Commerce (KvK): 42003203

VAT: NL869236568B01

Privacy contact: privacy@spoken-diary.com

1. What Data We Collect and Why

We only collect data that is necessary to provide the Services. Below is a complete account of what we collect, the legal basis under GDPR Article 6 (and Article 9 where special categories are involved), and the purpose.

Account data

What: Email address, chosen display name, password (stored as a one-way hash), account creation date, subscription tier, preferred language.

Why: To create and manage your account and deliver the Services.

Legal basis: Performance of a contract (Article 6(1)(b)).

Voice recordings

What: Audio files you record or send via the app or messaging integrations (WhatsApp, Telegram). These may contain your voice, background sounds, and the voices of others present when you record.

Why: To transcribe your recordings into text and generate diary entries.

Legal basis: Performance of a contract (Article 6(1)(b)). Where recordings contain health information, emotional content, or other special-category data as defined by Article 9 GDPR, we rely on your explicit consent, granted at sign-up, to process that content for the purpose of providing the Services.

Retention: For the duration of your account, plus 90 days after closure.

Transcripts and AI-generated diary entries

What: The text produced by transcribing your recordings, and the rewritten, formatted diary entries produced by our AI pipeline.

Why: To display, store, and — where you order a printed book — print your diary entries.

Legal basis: Performance of a contract (Article 6(1)(b)).

Retention: For the duration of your account, plus 90 days after closure.

Photos and images

What: Photos you upload through the app or send via messaging integrations. These may include images of children and other individuals.

Why: To include in your diary entries and printed books, and to enable AI-assisted photo selection and layout.

Legal basis: Performance of a contract (Article 6(1)(b)). Photos of identifiable individuals, including children, may constitute biometric or sensitive data depending on context; we rely on your explicit consent for any processing beyond strict service delivery.

Retention: For the duration of your account, plus 90 days after closure.

Subscription and billing data

What: Subscription tier, billing date, payment status. We do not store full payment card details — these are handled directly by our payment processor.

Why: To manage your subscription, process renewals, and handle refund requests.

Legal basis: Performance of a contract (Article 6(1)(b)); legal obligation for transaction records (Article 6(1)(c)).

Retention: Transaction records retained for 7 years to comply with Dutch tax law, regardless of account status.

Messaging integration metadata

What: If you use WhatsApp or Telegram integrations: the phone number or account identifier associated with your bot connection, and message timestamps.

Why: To route incoming messages to the correct user account.

Legal basis: Performance of a contract (Article 6(1)(b)).

Retention: For the duration of your account, plus 90 days after closure.

Service communications

What: Emails or push notifications we send you about your account, subscription renewals, product updates, and support responses.

Why: To keep you informed about your account and the Services.

Legal basis: Performance of a contract (Article 6(1)(b)); legitimate interest (Article 6(1)(f)) for service-related communications.

What we do not collect

We do not collect:

2. What We Do Not Do With Your Data

We want to be explicit about what we will never do:

3. Sub-processors: Who Processes Your Data on Our Behalf

We engage the following third-party service providers as data processors. Each provider's standard terms of service and API usage policies incorporate Data Processing Agreement (DPA) terms that apply automatically to our use of their services. These terms prohibit them from using your data for any purpose other than providing their service to us, and specifically prohibit model training on your content. By accepting their terms in order to use their services, we are bound by — and you benefit from — those contractual protections.

All AI providers listed below are incorporated in the United States. Data transfers to them are governed by Standard Contractual Clauses (SCCs) approved by the European Commission under Article 46(2)(c) GDPR. See Section 5 for details.

Supabase — Backend infrastructure and database hosting

Role: Provides our backend infrastructure, including database hosting, authentication, and file storage services.

Data processing and security: Supabase processes data on our behalf and acts as a processor. Data is encrypted in transit using TLS and at rest using industry-standard encryption.

Location: European Economic Area (Ireland, eu-west-1). We have configured Supabase to store data within the EU.

Sub-processors: Supabase uses infrastructure providers such as Amazon Web Services (AWS) to deliver its services.

DPA: Supabase Data Processing Addendum (including Standard Contractual Clauses where applicable).

Privacy information: https://supabase.com/privacy

Amazon Web Services (AWS) — Infrastructure and storage

Role: Hosts our Supabase database and file storage. All data at rest is encrypted using AES-256. All data in transit is encrypted using TLS 1.2 or higher.

Location: EU (Frankfurt, eu-central-1 region). We have configured Supabase to store data within the EU. No data is stored in AWS regions outside the EEA under normal operation.

DPA: AWS Data Processing Addendum, incorporating SCCs.

Privacy information: https://aws.amazon.com/privacy/

OpenAI — Speech transcription (Whisper) and text generation (GPT)

Role: Receives your voice recordings for transcription and your transcripts for AI rewriting and summarisation.

Model training: OpenAI's API terms explicitly prohibit using API-submitted data to train their models. Your content is not used for model training.

Location: United States. Transfer governed by SCCs.

DPA: OpenAI Data Processing Addendum.

Privacy information: https://openai.com/policies/privacy-policy

Anthropic — AI text processing (Claude)

Role: May receive transcripts or diary text for rewriting, summarisation, or formatting tasks.

Model training: Anthropic's API terms explicitly prohibit using API-submitted data to train their models by default. Your content is not used for model training.

Location: United States. Transfer governed by SCCs.

DPA: Anthropic Data Processing Addendum.

Privacy information: https://www.anthropic.com/privacy

Deepgram — Speech transcription

Role: Processes voice recordings for transcription as an alternative to other providers.

Data processing and privacy safeguards: Deepgram is configured in privacy mode, which ensures that audio data is processed only for transcription and is not retained beyond what is necessary to provide the service. Deepgram acts as a processor and processes data only on our instructions.

Model training: No. Your data is not used to train or improve Deepgram's models.

Location: United States. Transfer governed by SCCs.

DPA: Deepgram Data Processing Addendum.

Privacy information: https://deepgram.com/privacy

Groq — Speech transcription (Whisper Large Turbo)

Role: Processes voice recordings for transcription using the Whisper Large Turbo model.

Data processing and privacy safeguards: Groq acts as a processor and processes data only on our instructions. We configure the service to limit data retention to what is strictly necessary to provide the transcription.

Model training: No. Data submitted via the Groq API is not used to train or improve Groq's models.

Location: United States. Transfer governed by SCCs.

DPA: Groq Data Processing Addendum (or equivalent contractual safeguards).

Privacy information: https://groq.com/privacy-policy

Payment processing (not currently in use)

We do not currently offer paid subscriptions or process payments.

If we introduce paid features in the future, we will use a third-party payment provider. We will update this Privacy Policy to clearly identify that provider and explain how your data is processed before any payment functionality is activated.

We will update this sub-processor list when we add or change providers. Where a new sub-processor involves a material change to how your data is processed, we will notify you in advance.

4. Legal Bases for Processing — Summary

We do not rely on legitimate interest as a legal basis for processing your diary content under any circumstances.

5. International Data Transfers

Our core infrastructure (Supabase/AWS) is configured to store data within the EU. However, OpenAI, Anthropic, and Deepgram are US-based companies. When your voice recordings or transcripts are sent to these providers for processing, personal data is transferred to the United States.

The United States does not have a blanket EU adequacy decision covering these providers. We protect these transfers by relying on Standard Contractual Clauses (SCCs) — the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission on 4 June 2021 (Decision 2021/914). We have executed SCCs with each of these providers as part of our Data Processing Agreements.

You may request a copy of the relevant SCCs by contacting us at privacy@spoken-diary.com.

6. Data Retention

We keep your data for as long as your account is active and for 90 days after account closure, regardless of the reason for closure. During this 90-day period, you may request a copy of your personal data in a structured, commonly used, machine-readable format at any time by contacting support@spoken-diary.com.

At the end of the 90-day period, your User Content — voice recordings, transcripts, diary entries, photos, and generated outputs — is permanently and irreversibly deleted from our systems and those of our sub-processors.

The following data is retained for longer where required by law:

If you submit a deletion request before the 90-day period expires, we will delete your User Content within 30 days of receiving the request, subject to the legal retention obligations above.

7. Children's Data

Our Services are not directed at children under 16. We do not knowingly collect personal data directly from children under 16.

However, our Services are used by parents and caregivers who create diary entries about their children, including uploading photos and recording stories that reference children's personal information. In this context:

8. Your Rights Under the GDPR

As a data subject under the GDPR, you have the following rights. You can exercise any of them by contacting us at privacy@spoken-diary.com.

Right of access (Article 15)

You can request a copy of all personal data we hold about you, including your voice recordings, transcripts, diary entries, and account data.

Right to rectification (Article 16)

You can correct inaccurate personal data. For diary content, you can edit entries directly within the app.

Right to erasure (Article 17)

You can request deletion of your personal data. We will delete your User Content within 30 days, subject to legal retention obligations. You can also delete individual entries or your entire account at any time within the app.

Right to restriction (Article 18)

You can ask us to restrict processing of your data in certain circumstances, for example while a complaint is being resolved.

Right to data portability (Article 20)

You can request your personal data in a structured, commonly used, machine-readable format (JSON and/or PDF). This right applies to data you have provided to us and that we process on the basis of contract or consent. You can also use the in-app export feature at any time.

Right to object (Article 21)

You can object to processing based on legitimate interest. We do not rely on legitimate interest for processing your diary content, so this right is most relevant to service communications.

Right to withdraw consent

Where we process data on the basis of your consent, you can withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

Right to lodge a complaint

You have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) at https://autoriteitpersoonsgegevens.nl, or with the supervisory authority in your EU member state of residence.

We will respond to all rights requests within 30 days. In complex cases we may extend this by a further 60 days, in which case we will notify you of the extension and the reason.

9. Security

We implement the following technical and organisational measures to protect your personal data:

No system is completely secure. We encourage you to use the in-app export feature regularly as your own backup.

10. Cookies and Tracking

We use only technically necessary cookies and local storage required to operate the app and maintain your session. We do not use advertising cookies, cross-site tracking, or analytics cookies at this time.

If we introduce analytics tools or non-essential cookies in the future, we will update this policy and seek your consent before placing them.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. For material changes — including changes to sub-processors, legal bases, or retention periods — we will notify you by email at least 30 days before the change takes effect. The “Last updated” date at the top of this policy reflects the most recent version.

Your continued use of the Services after the effective date of an updated policy constitutes acceptance of the changes. If you do not accept the changes, you may close your account and request deletion of your data before they take effect.

12. Contact and Complaints

For any privacy-related questions, rights requests, or complaints:

Email: privacy@spoken-diary.com

Post: AJ Software Innovation, Groenendaalkade 1, 2103AA, Netherlands

For disputes you can also use the EU Online Dispute Resolution platform at https://ec.europa.eu/consumers/odr/.

If you are unsatisfied with our response, you have the right to escalate to the Autoriteit Persoonsgegevens at https://autoriteitpersoonsgegevens.nl.

© 2026 AJ Software Innovation B.V. All rights reserved.