Last updated: 24-03-2026
AJ Software Innovation B.V. · Groenendaalkade 1, 2103AA · Netherlands
At Spoken Diary, privacy is not a compliance checkbox — it is a product requirement. Your diary entries, voice recordings, and family photos are among the most personal data you will ever share with any service. This Privacy Policy explains precisely what we collect, why we collect it, who we share it with, and what rights you have over it.
This policy is written to comply with the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the Dutch GDPR Implementation Act (Uitvoeringswet Algemene Verordening Gegevensbescherming, “UAVG”), and other applicable Dutch and EU law.
Data controller:
AJ Software Innovation B.V.
Groenendaalkade 1, 2103AA, Netherlands
Chamber of Commerce (KvK): 42003203
VAT: NL869236568B01
Privacy contact: privacy@spoken-diary.com
We only collect data that is necessary to provide the Services. Below is a complete account of what we collect, the legal basis under GDPR Article 6 (and Article 9 where special categories are involved), and the purpose.
What: Email address, chosen display name, password (stored as a one-way hash), account creation date, subscription tier, preferred language.
Why: To create and manage your account and deliver the Services.
Legal basis: Performance of a contract (Article 6(1)(b)).
What: Audio files you record or send via the app or messaging integrations (WhatsApp, Telegram). These may contain your voice, background sounds, and the voices of others present when you record.
Why: To transcribe your recordings into text and generate diary entries.
Legal basis: Performance of a contract (Article 6(1)(b)). Where recordings contain health information, emotional content, or other special-category data as defined by Article 9 GDPR, we rely on your explicit consent, granted at sign-up, to process that content for the purpose of providing the Services.
Retention: For the duration of your account, plus 90 days after closure.
What: The text produced by transcribing your recordings, and the rewritten, formatted diary entries produced by our AI pipeline.
Why: To display, store, and — where you order a printed book — print your diary entries.
Legal basis: Performance of a contract (Article 6(1)(b)).
Retention: For the duration of your account, plus 90 days after closure.
What: Photos you upload through the app or send via messaging integrations. These may include images of children and other individuals.
Why: To include in your diary entries and printed books, and to enable AI-assisted photo selection and layout.
Legal basis: Performance of a contract (Article 6(1)(b)). Photos of identifiable individuals, including children, may constitute biometric or sensitive data depending on context; we rely on your explicit consent for any processing beyond strict service delivery.
Retention: For the duration of your account, plus 90 days after closure.
What: Subscription tier, billing date, payment status. We do not store full payment card details — these are handled directly by our payment processor.
Why: To manage your subscription, process renewals, and handle refund requests.
Legal basis: Performance of a contract (Article 6(1)(b)); legal obligation for transaction records (Article 6(1)(c)).
Retention: Transaction records retained for 7 years to comply with Dutch tax law, regardless of account status.
What: If you use WhatsApp or Telegram integrations: the phone number or account identifier associated with your bot connection, and message timestamps.
Why: To route incoming messages to the correct user account.
Legal basis: Performance of a contract (Article 6(1)(b)).
Retention: For the duration of your account, plus 90 days after closure.
What: Emails or push notifications we send you about your account, subscription renewals, product updates, and support responses.
Why: To keep you informed about your account and the Services.
Legal basis: Performance of a contract (Article 6(1)(b)); legitimate interest (Article 6(1)(f)) for service-related communications.
We do not collect:
We want to be explicit about what we will never do:
We engage the following third-party service providers as data processors. Each provider's standard terms of service and API usage policies incorporate Data Processing Agreement (DPA) terms that apply automatically to our use of their services. These terms prohibit them from using your data for any purpose other than providing their service to us, and specifically prohibit model training on your content. By accepting their terms in order to use their services, we are bound by — and you benefit from — those contractual protections.
All AI providers listed below are incorporated in the United States. Data transfers to them are governed by Standard Contractual Clauses (SCCs) approved by the European Commission under Article 46(2)(c) GDPR. See Section 5 for details.
Role: Provides our backend infrastructure, including database hosting, authentication, and file storage services.
Data processing and security: Supabase processes data on our behalf and acts as a processor. Data is encrypted in transit using TLS and at rest using industry-standard encryption.
Location: European Economic Area (Ireland, eu-west-1). We have configured Supabase to store data within the EU.
Sub-processors: Supabase uses infrastructure providers such as Amazon Web Services (AWS) to deliver its services.
DPA: Supabase Data Processing Addendum (including Standard Contractual Clauses where applicable).
Privacy information: https://supabase.com/privacy
Role: Hosts our Supabase database and file storage. All data at rest is encrypted using AES-256. All data in transit is encrypted using TLS 1.2 or higher.
Location: EU (Frankfurt, eu-central-1 region). We have configured Supabase to store data within the EU. No data is stored in AWS regions outside the EEA under normal operation.
DPA: AWS Data Processing Addendum, incorporating SCCs.
Privacy information: https://aws.amazon.com/privacy/
Role: Receives your voice recordings for transcription and your transcripts for AI rewriting and summarisation.
Model training: OpenAI's API terms explicitly prohibit using API-submitted data to train their models. Your content is not used for model training.
Location: United States. Transfer governed by SCCs.
DPA: OpenAI Data Processing Addendum.
Privacy information: https://openai.com/policies/privacy-policy
Role: May receive transcripts or diary text for rewriting, summarisation, or formatting tasks.
Model training: Anthropic's API terms explicitly prohibit using API-submitted data to train their models by default. Your content is not used for model training.
Location: United States. Transfer governed by SCCs.
DPA: Anthropic Data Processing Addendum.
Privacy information: https://www.anthropic.com/privacy
Role: Processes voice recordings for transcription as an alternative to other providers.
Data processing and privacy safeguards: Deepgram is configured in privacy mode, which ensures that audio data is processed only for transcription and is not retained beyond what is necessary to provide the service. Deepgram acts as a processor and processes data only on our instructions.
Model training: No. Your data is not used to train or improve Deepgram's models.
Location: United States. Transfer governed by SCCs.
DPA: Deepgram Data Processing Addendum.
Privacy information: https://deepgram.com/privacy
Role: Processes voice recordings for transcription using the Whisper Large Turbo model.
Data processing and privacy safeguards: Groq acts as a processor and processes data only on our instructions. We configure the service to limit data retention to what is strictly necessary to provide the transcription.
Model training: No. Data submitted via the Groq API is not used to train or improve Groq's models.
Location: United States. Transfer governed by SCCs.
DPA: Groq Data Processing Addendum (or equivalent contractual safeguards).
Privacy information: https://groq.com/privacy-policy
We do not currently offer paid subscriptions or process payments.
If we introduce paid features in the future, we will use a third-party payment provider. We will update this Privacy Policy to clearly identify that provider and explain how your data is processed before any payment functionality is activated.
We will update this sub-processor list when we add or change providers. Where a new sub-processor involves a material change to how your data is processed, we will notify you in advance.
| Data category | Legal basis |
|---|---|
| Account data | Contract (Art. 6(1)(b)) |
| Voice recordings | Contract (Art. 6(1)(b)) + Explicit consent for special-category content (Art. 9(2)(a)) |
| Transcripts and AI outputs | Contract (Art. 6(1)(b)) |
| Photos | Contract (Art. 6(1)(b)) + Explicit consent where sensitive content |
| Billing records | Contract + Legal obligation (Art. 6(1)(c)) |
| Messaging metadata | Contract (Art. 6(1)(b)) |
| Service communications | Contract + Legitimate interest (Art. 6(1)(f)) |
We do not rely on legitimate interest as a legal basis for processing your diary content under any circumstances.
Our core infrastructure (Supabase/AWS) is configured to store data within the EU. However, OpenAI, Anthropic, and Deepgram are US-based companies. When your voice recordings or transcripts are sent to these providers for processing, personal data is transferred to the United States.
The United States does not have a blanket EU adequacy decision covering these providers. We protect these transfers by relying on Standard Contractual Clauses (SCCs) — the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission on 4 June 2021 (Decision 2021/914). We have executed SCCs with each of these providers as part of our Data Processing Agreements.
You may request a copy of the relevant SCCs by contacting us at privacy@spoken-diary.com.
We keep your data for as long as your account is active and for 90 days after account closure, regardless of the reason for closure. During this 90-day period, you may request a copy of your personal data in a structured, commonly used, machine-readable format at any time by contacting support@spoken-diary.com.
At the end of the 90-day period, your User Content — voice recordings, transcripts, diary entries, photos, and generated outputs — is permanently and irreversibly deleted from our systems and those of our sub-processors.
The following data is retained for longer where required by law:
If you submit a deletion request before the 90-day period expires, we will delete your User Content within 30 days of receiving the request, subject to the legal retention obligations above.
Our Services are not directed at children under 16. We do not knowingly collect personal data directly from children under 16.
However, our Services are used by parents and caregivers who create diary entries about their children, including uploading photos and recording stories that reference children's personal information. In this context:
As a data subject under the GDPR, you have the following rights. You can exercise any of them by contacting us at privacy@spoken-diary.com.
You can request a copy of all personal data we hold about you, including your voice recordings, transcripts, diary entries, and account data.
You can correct inaccurate personal data. For diary content, you can edit entries directly within the app.
You can request deletion of your personal data. We will delete your User Content within 30 days, subject to legal retention obligations. You can also delete individual entries or your entire account at any time within the app.
You can ask us to restrict processing of your data in certain circumstances, for example while a complaint is being resolved.
You can request your personal data in a structured, commonly used, machine-readable format (JSON and/or PDF). This right applies to data you have provided to us and that we process on the basis of contract or consent. You can also use the in-app export feature at any time.
You can object to processing based on legitimate interest. We do not rely on legitimate interest for processing your diary content, so this right is most relevant to service communications.
Where we process data on the basis of your consent, you can withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
You have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) at https://autoriteitpersoonsgegevens.nl, or with the supervisory authority in your EU member state of residence.
We will respond to all rights requests within 30 days. In complex cases we may extend this by a further 60 days, in which case we will notify you of the extension and the reason.
We implement the following technical and organisational measures to protect your personal data:
No system is completely secure. We encourage you to use the in-app export feature regularly as your own backup.
We use only technically necessary cookies and local storage required to operate the app and maintain your session. We do not use advertising cookies, cross-site tracking, or analytics cookies at this time.
If we introduce analytics tools or non-essential cookies in the future, we will update this policy and seek your consent before placing them.
We may update this Privacy Policy from time to time. For material changes — including changes to sub-processors, legal bases, or retention periods — we will notify you by email at least 30 days before the change takes effect. The “Last updated” date at the top of this policy reflects the most recent version.
Your continued use of the Services after the effective date of an updated policy constitutes acceptance of the changes. If you do not accept the changes, you may close your account and request deletion of your data before they take effect.
For any privacy-related questions, rights requests, or complaints:
Email: privacy@spoken-diary.com
Post: AJ Software Innovation, Groenendaalkade 1, 2103AA, Netherlands
For disputes you can also use the EU Online Dispute Resolution platform at https://ec.europa.eu/consumers/odr/.
If you are unsatisfied with our response, you have the right to escalate to the Autoriteit Persoonsgegevens at https://autoriteitpersoonsgegevens.nl.
© 2026 AJ Software Innovation B.V. All rights reserved.