Privacy Policy

Last updated: March 1, 2026

This document was originally drafted in Polish. In the event of any discrepancy between language versions, the Polish version shall prevail.

Section 1. Data Controller

  1. The controller of the Users’ personal data is Daniel Loposzko, operating under the business name Zinit Daniel Loposzko, ul. Sportowa 35, 55-040 Kobierzyce, Poland, Tax Identification Number (NIP): 896-116-23-34, Statistical Identification Number (REGON): 021006839 (hereinafter: the “Controller”).
  2. For matters related to data protection, the Controller may be contacted:
    1. by email: info@spoknlog.com,
    2. by mail: ul. Sportowa 35, 55-040 Kobierzyce, Poland.
  3. The Controller has not appointed a Data Protection Officer.

Section 2. Categories of Personal Data Processed

  1. Data provided by the User:

    1. first name,
    2. email address (optional, required for the extended Service plan),
    3. voice preference (male or female),
    4. selected Application language.
  2. Data collected automatically:

    1. unique device identifier (device hash) — generated and stored locally on the User’s device,
    2. date and time of Account creation,
    3. information on acceptance of the Terms of Service and Privacy Policy, and the date of acceptance,
    4. information on completion of the Account setup process,
    5. information on the Service plan (FREE, extended, PRO) and subscription status,
    6. number of Actions used in the current billing period.
  3. Data processed in the course of providing the Service:

    1. voice recordings (audio) — processed solely in server memory for the purpose of obtaining a transcription; not stored or archived,
    2. transcriptions of voice recordings — stored on the Controller’s servers,
    3. AI-generated note summaries — stored on the Controller’s servers,
    4. numerical vectors (embeddings) created from summaries — stored in the database; these do not allow reconstruction of the original note content,
    5. question and answer history (Q&A sessions) — stored on the Controller’s servers.
  4. Payment data: The Controller does not directly process Users’ payment data (such as credit card numbers or bank account details). Payments for the PRO subscription are handled by the Apple App Store platform (Apple Inc.) and the RevenueCat system. The processing of payment data is governed by the privacy policies of those entities.

  1. The Controller processes Users’ personal data for the following purposes and on the following legal bases:

    1. Provision of the Service (conclusion and performance of the Agreement). Legal basis: Article 6(1)(b) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: “GDPR”) — processing is necessary for the performance of a contract. Scope of data: device identifier, first name, preferences (voice, language), voice recordings (in-memory processing), transcriptions, summaries, embeddings, Q&A history.

    2. Account and subscription management. Legal basis: Article 6(1)(b) GDPR — processing is necessary for the performance of a contract. Scope of data: device identifier, email address (if provided), subscription status, number of Actions used.

    3. Handling complaints and exercising consumer rights. Legal basis: Article 6(1)(c) GDPR — processing is necessary for compliance with a legal obligation (Consumer Rights Act, Civil Code). Scope of data: first name, email address, complaint content, correspondence.

    4. Compliance with legal obligations (tax, accounting). Legal basis: Article 6(1)(c) GDPR — processing is necessary for compliance with a legal obligation (tax and accounting regulations). Scope of data: identification data, transaction data (applicable only to Users on the PRO plan).

    5. Establishment, exercise, or defense of legal claims. Legal basis: Article 6(1)(f) GDPR — legitimate interest of the Controller in being able to defend against claims. Scope of data: identification data, Service usage data, correspondence.

    6. Ensuring security and stability of the Application. Legal basis: Article 6(1)(f) GDPR — legitimate interest of the Controller in ensuring the security and continuity of the Service. Scope of data: device identifier, technical data related to Service usage.

Section 4. Processing of Voice Recordings and Data by Artificial Intelligence

  1. The Controller applies a two-tier data processing model for artificial intelligence, ensuring the protection of raw User data:

    Tier 1 — Processing of raw User data (voice recordings, transcriptions, vectors): Voice recordings and transcriptions are processed exclusively within the Microsoft Azure OpenAI Service, on infrastructure located in the region corresponding to the User’s location (European Union or United States). Raw User data is not shared with other artificial intelligence service providers.

    Tier 2 — Processing of derived data (summaries, classification, responses): Processed and transformed data (such as note summaries, reformulated questions, search contexts) may be shared with external artificial intelligence service providers for the purpose of generating responses, classifying intent, and creating summaries. This data does not constitute a verbatim reproduction of the User’s utterances but rather a processed form thereof.

  2. Voice recordings (audio) are transmitted from the User’s device to the Controller’s server solely for the purpose of obtaining a text transcription. The voice recording is then forwarded to the Azure OpenAI Service (4o-transcribe / Whisper model) for speech-to-text conversion. The voice recording resides in server memory only for the time necessary to complete the transcription and is then permanently deleted. The Controller does not store, archive, or copy voice recordings.

  3. The transcription of a voice recording is processed by artificial intelligence models for the following purposes:

    1. creation of numerical vectors (embeddings) enabling semantic search — Azure OpenAI Service, Embedding model (Tier 1),
    2. classification of User intent (note or question) — LLM models available through the providers listed in Section 5 (Tier 2),
    3. generation of note summaries — LLM models available through the providers listed in Section 5 (Tier 2),
    4. generation of answers to User questions based on saved notes — LLM models available through the providers listed in Section 5 (Tier 2),
    5. text-to-speech synthesis (reading responses aloud) — Microsoft Azure Text-to-Speech or Google Cloud Text-to-Speech services; speech synthesis is performed on text generated by the Controller’s system, not on raw User data.
  4. None of the artificial intelligence service providers listed in Section 5 use User data for training, fine-tuning, or evaluating their models. The Controller exclusively uses API interfaces subject to Enterprise/API terms that guarantee customer data is not used in the model training process.

  5. Within the Azure OpenAI Service, data may be temporarily retained by Microsoft Corporation for up to 30 (thirty) days for abuse monitoring purposes, in accordance with the Azure service terms. The Controller endeavors to obtain an exemption from such monitoring (Modified Abuse Monitoring or Zero Data Retention) as such options become available.

  6. Voice recordings are not processed for the purpose of biometric identification of the User. Voice is used solely as a medium for content to be converted to text (speech-to-text). The Controller does not create, store, or compare voiceprints or other biometric identifiers.

Section 5. Recipients of Personal Data

  1. Users’ personal data may be disclosed to the following categories of recipients:

    1. Server infrastructure providers:
      a) Hetzner Online GmbH (Germany) — hosting the application server serving Users from the European Economic Area,
      b) Hetzner Cloud Inc. (United States) — hosting the application server serving Users from outside the European Economic Area,
      c) Neon Inc. — PostgreSQL database hosting (European Union region — Frankfurt for EEA Users; United States region for non-EEA Users),
      d) Amazon Web Services Inc. (S3) — caching of generic, pre-defined system audio phrases used in the application interface (e.g. “Saved”, “Let me search”, “Checking…”). These cached files are not derived from, and do not contain, any User content — they are static responses generated once by the Controller’s text-to-speech system. Audio responses to actual User queries are not stored on S3 and are delivered only in real time during the session.

    2. Artificial intelligence service providers — Tier 1 (raw data processing):
      a) Microsoft Corporation (Azure OpenAI Service) — transcription of voice recordings (speech-to-text) and creation of numerical vectors (embeddings). Processing takes place on Azure infrastructure in the region corresponding to the User’s location (European Union or United States).

    3. Artificial intelligence service providers — Tier 2 (derived data processing):
      a) Microsoft Corporation (Azure OpenAI Service) — intent classification, summary and response generation (primary provider),
      b) Google LLC (United States) — intent classification, summary and response generation; data processed via the Google Gemini API,
      c) OpenAI, L.L.C. (United States) — intent classification, summary and response generation (secondary/fallback provider); data processed via the OpenAI API under terms that exclude the use of data for model training,
      d) Groq, Inc. (United States) — intent classification, summary and response generation (secondary/fallback provider); data processed via the Groq API.

    4. Text-to-speech service providers:
      a) Microsoft Corporation (Azure Text-to-Speech) — speech synthesis on text generated by the Controller’s system (primary provider),
      b) Google LLC (Google Cloud Text-to-Speech) — speech synthesis on text generated by the Controller’s system (secondary provider).

    5. Payment service providers:
      a) Apple Inc. — subscription and payment processing via the Apple App Store,
      b) RevenueCat Inc. — subscription management system.

    6. Email service provider:
      a) Resend Inc. (United States) — sending email messages for email address verification (PIN codes). Resend Inc. processes only the User’s email address and the content of the verification message.

    7. Government authorities — only in cases provided for by law (e.g., at the request of a court, prosecutor, or law enforcement authority).

  2. The providers listed in subsection 1, items 2–4 process User data solely for the purpose of providing services to the Controller and do not use such data for training, fine-tuning, or improving their own artificial intelligence models.

  3. The Controller does not sell Users’ personal data to third parties. Within the meaning of the California Consumer Privacy Act (CCPA), the Controller does not engage in the “sale” or “sharing” of personal information for cross-context behavioral advertising purposes.

  4. The Controller does not disclose Users’ personal data to third parties for marketing purposes.

  5. The Controller reserves the right to change the artificial intelligence service providers listed in subsection 1, items 2–4, provided that at least an equivalent level of personal data protection is maintained. The Controller shall inform Users of material changes to providers by updating this Privacy Policy.

Section 6. Location of Data Processing and Transfers of Data Outside the European Economic Area (EEA)

  1. The Controller applies the principle of regional data processing (data residency):

    1. data of Users accessing the Application within the European Economic Area is processed on servers located in the European Union,
    2. data of Users accessing the Application outside the European Economic Area may be processed on servers located in the United States of America or in the European Union.
  2. Raw data of EEA Users (voice recordings and transcriptions) is processed exclusively on infrastructure located within the European Union (Azure OpenAI Service, EU region; Neon Inc., Frankfurt region).

  3. Derived data (summaries, reformulated questions, search contexts) of EEA Users may be transferred to providers located in the United States of America, as listed in Section 5, subsection 1, item 3.

  4. Where data is transferred outside the EEA, the Controller ensures an adequate level of personal data protection through the application of at least one of the following mechanisms:

    1. an adequacy decision by the European Commission (including the EU-US Data Privacy Framework),
    2. Standard Contractual Clauses adopted by the European Commission (SCC),
    3. other legally permissible safeguards provided for in Chapter V of the GDPR.
  5. With respect to the database (Neon Inc.), the Controller applies encryption of data at rest and in transit. The database contains transcriptions, summaries, numerical vectors, and Account data.

  6. The User may obtain further information about the safeguards applied and a copy of the relevant documents by contacting the Controller at the address specified in Section 1, subsection 2.

Section 7. Data Retention Periods

  1. Users’ personal data is retained for the following periods:

    1. Account-related data (device identifier, first name, preferences, email address): For the entire duration of the Agreement (use of the Application), and following Account deletion, for an additional archival period of 90 (ninety) days, after which the data is permanently deleted.

    2. User Content (transcriptions, summaries, embeddings, Q&A history): For the entire duration of the Agreement, and following Account deletion, for an additional archival period of 90 (ninety) days, after which the data is permanently deleted.

    3. Voice recordings (audio): Processed solely in server memory for the time necessary to obtain the transcription (typically a few seconds to a few minutes), then permanently deleted. Not stored or archived.

    4. Transaction data (PRO subscription): For the period required by tax and accounting regulations (5 years from the end of the calendar year in which the taxable event occurred).

    5. Complaint and correspondence data: For the duration of the Agreement and for the statute of limitations period under applicable law (generally 6 years).

  2. Upon expiration of the periods specified in subsection 1, personal data is permanently deleted or anonymized.

  3. The User may at any time request earlier deletion of their personal data, subject to the Controller’s legal obligations (e.g., tax obligations, defense of legal claims).

Section 8. User Rights

  1. Users are entitled to the following rights in connection with the processing of their personal data:

    1. Right of access (Article 15 GDPR): The User has the right to obtain confirmation from the Controller as to whether their personal data is being processed, and if so, the right to access such data and information about the purposes of processing, categories of data, recipients, retention periods, and applicable rights.

    2. Right to rectification (Article 16 GDPR): The User has the right to request prompt rectification of inaccurate personal data or completion of incomplete data.

    3. Right to erasure — “right to be forgotten” (Article 17 GDPR): The User has the right to request erasure of their personal data where the data is no longer necessary for the purposes for which it was collected, where the User has withdrawn consent (if processing was based on consent), where the User has lodged a successful objection, where the data was processed unlawfully, or where erasure is required by law. This right may be limited where processing is necessary for compliance with a legal obligation or for the establishment, exercise, or defense of legal claims.

    4. Right to restriction of processing (Article 18 GDPR): The User has the right to request restriction of processing where the accuracy of data is contested, where processing is unlawful and the User opposes erasure, where the Controller no longer needs the data but it is required by the User for the establishment of claims, or where the User has lodged an objection to processing.

    5. Right to data portability (Article 20 GDPR): The User has the right to receive their personal data in a structured, commonly used, machine-readable format (JSON) and the right to transmit that data to another controller. This right applies to data processed on the basis of consent or a contract, by automated means.

    6. Right to object (Article 21 GDPR): The User has the right at any time to object to the processing of personal data based on the Controller’s legitimate interest (Article 6(1)(f) GDPR). The Controller shall cease processing unless it demonstrates compelling legitimate grounds for processing that override the User’s interests.

    7. Right to withdraw consent: To the extent that personal data processing is based on consent, the User has the right to withdraw consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out prior to its withdrawal.

  2. To exercise the above rights, the User should contact the Controller at the address specified in Section 1, subsection 2 of this Privacy Policy.

  3. The Controller shall respond to the User’s request without undue delay and no later than within 30 (thirty) days of receipt of the request. In particularly complex cases or where numerous requests are received, this period may be extended by an additional 60 (sixty) days, of which the Controller shall inform the User.

  4. The User has the right to lodge a complaint with the supervisory authority — the President of the Personal Data Protection Office (ul. Stawki 2, 00-193 Warsaw, Poland, www.uodo.gov.pl) — if the User considers that the processing of their personal data infringes the GDPR.

Section 9. Automated Decision-Making and Profiling

  1. The Application uses automated data processing for the following purposes:

    1. automatic classification of User intent (determining whether the utterance is a note or a question) — based on the transcription content, using an artificial intelligence model,
    2. automatic generation of note summaries,
    3. automatic semantic search within saved notes,
    4. automatic generation of answers to User questions.
  2. The automated processing referred to in subsection 1 does not constitute automated decision-making within the meaning of Article 22 GDPR, because:

    1. it does not produce legal effects concerning the User,
    2. it does not similarly significantly affect the User,
    3. it is an integral part of the Service that the User has requested.
  3. In the event of an incorrect intent classification (e.g., a note classified as a question or vice versa), the User may delete the incorrectly created record and re-record.

  4. The Controller does not profile Users for marketing or advertising purposes, or for the purpose of making decisions that affect access to the Service or its terms.

Section 10. Personal Data Security

  1. The Controller applies appropriate technical and organizational measures to protect personal data against unauthorized access, loss, destruction, or disclosure, including in particular:

    1. encryption of data in transit (SSL/TLS),
    2. encryption of data at rest in databases,
    3. access controls for IT systems and databases,
    4. regular database backups,
    5. permanent deletion of voice recordings after transcription is obtained,
    6. monitoring of server infrastructure security.
  2. Access to Users’ personal data is limited to persons authorized by the Controller who are obligated to maintain confidentiality.

  3. The Controller regularly reviews the security measures applied and updates them as needed, taking into account the state of the art, the cost of implementation, and the nature, scope, context, and purposes of processing.

Section 10a. Minimum User Age

  1. The Application may be used by persons who have reached the age of 16 (sixteen). With respect to Users from the United States, in accordance with the Children’s Online Privacy Protection Act (COPPA), the Controller does not knowingly collect personal data from persons under 13 (thirteen) years of age.

  2. If the Controller becomes aware that personal data has been provided by a person below the required age (16 years, or 13 years for residents of the United States) without the consent of a parent or legal guardian, the Controller shall promptly take steps to delete such data.

Section 10b. Additional Information for Users from the United States (US Privacy Disclosures)

  1. This section contains additional information required by United States state law and applies exclusively to Users who are residents of the United States of America. In the event of a conflict between the provisions of this section and the remaining provisions of the Privacy Policy, the provisions of this section shall prevail with respect to Users from the United States.

Information for California Residents (California Consumer Privacy Act / California Privacy Rights Act)

  1. Under the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively: “CCPA”), residents of the State of California have the right to obtain information about the categories of personal information collected, used, and disclosed by the Controller.

  2. Categories of personal information collected by the Controller within the meaning of the CCPA:

    1. Identifiers — first name, email address, unique device identifier,
    2. Internet or electronic network activity information — Application usage information, question and answer history,
    3. Audio information — voice recordings processed for transcription purposes (not stored),
    4. Inferences drawn from the above data — intent classification, note summaries, semantic vectors.
  3. Purposes of data collection: data is collected and used solely for the purposes of providing the Service described in Section 3 of this Privacy Policy. The Controller does not use personal information for purposes incompatible with the context in which it was collected without prior notice to the User.

  4. The Controller does not “sell” personal information within the meaning of the CCPA. The Controller does not “share” personal information for cross-context behavioral advertising purposes.

  5. Rights of California residents under the CCPA:

    1. Right to Know — the right to information about the categories and specific pieces of personal information collected in the preceding 12 months,
    2. Right to Delete — the right to request deletion of personal information,
    3. Right to Correct — the right to request correction of inaccurate personal information,
    4. Right to Opt-Out of Sale/Sharing — the right to opt out of the sale or sharing of personal information (the Controller does not engage in such activities),
    5. Right to Non-Discrimination — the right to equal treatment regardless of exercising rights under the CCPA.
  6. To exercise the rights listed in subsection 6, the User should contact the Controller at the address specified in Section 1, subsection 2 of this Privacy Policy. The Controller verifies the User’s identity before fulfilling the request and responds within 45 (forty-five) days of receipt of the request, with a possible extension of an additional 45 days in justified cases.

Information for Illinois Residents (Biometric Information Privacy Act)

  1. Under the Illinois Biometric Information Privacy Act (BIPA), the Controller informs Users that:

    1. the Application processes the User’s voice recordings solely for the purpose of speech-to-text conversion,
    2. the Controller does not collect, capture, store, or use biometric identifiers or biometric information within the meaning of BIPA,
    3. voice recordings are not used to create voiceprints, voice identification, or any other form of biometric identification or identity verification,
    4. voice recordings are permanently deleted immediately after transcription is obtained and are not stored, archived, or shared with third parties in audio form.
  2. In the event of a change in the processing of voice recordings that could result in the collection of biometric data within the meaning of BIPA, the Controller commits to:

    1. providing the User with prior written notice of the intent to collect biometric data,
    2. obtaining the User’s explicit, informed consent before commencing such processing,
    3. publishing a biometric data retention and destruction policy.

Information for Residents of Other States

  1. Residents of states with state privacy laws in effect (including but not limited to Colorado, Connecticut, Virginia, Utah, Oregon, Texas, Montana, Iowa, Indiana, Tennessee, Delaware, New Hampshire, New Jersey, Nebraska, Minnesota, Maryland, Kentucky, and Rhode Island) may have additional rights regarding their personal data, including the right to access, delete, correct, and port data, and the right to object to profiling. To exercise these rights, please contact the Controller at the address specified in Section 1, subsection 2.

  2. The Controller does not use dark patterns to obtain User consent or to impede the exercise of their rights.

Section 10c. Users from Outside the European Economic Area (International Users)

  1. The Application is available to Users worldwide. Data of Users from outside the European Economic Area may be processed on servers located in the United States of America, in accordance with the principles described in Section 6.

  2. By using the Application from outside the European Economic Area, the User acknowledges that their personal data may be transferred to countries where data protection laws differ from those in the User’s country of residence.

  3. Regardless of the User’s location, the Controller applies the technical and organizational measures described in Section 10 of this Privacy Policy to protect personal data.

  4. For Users from the European Economic Area, the United Kingdom, and Switzerland, the Controller processes personal data in accordance with the GDPR, and all rights arising from the GDPR apply to such Users in full.

  5. For Users from the United States, the additional provisions of Section 10b apply.

Section 10d. Changes to Artificial Intelligence Service Providers

  1. Due to the rapidly evolving nature of artificial intelligence technology, the Controller reserves the right to change the AI service providers listed in Section 5, including the right to:

    1. replace a provider with another provider offering equivalent or better services,
    2. add new AI service providers,
    3. discontinue the use of an existing provider’s services.
  2. Any change of provider is subject to the following conditions:

    1. the new provider must ensure at least an equivalent level of personal data protection,
    2. the new provider may not use User data for training artificial intelligence models,
    3. the principle of processing raw User data (Tier 1) exclusively on infrastructure located in the region corresponding to the User’s location shall remain unchanged.
  3. The current list of providers is always available in the latest version of this Privacy Policy. The Controller shall inform Users of material changes to providers in accordance with Section 12 of this Privacy Policy.

Section 11. Cookies and Tracking Technologies

  1. The SpoknLog mobile application does not use cookies in the traditional sense (the Application is not a website).

  2. The Application may use local data storage mechanisms on the User’s device (such as SecureStore) for storing the device identifier, user preferences, and session token. This data is necessary for the proper functioning of the Application and is not shared with third parties.

Section 12. Changes to the Privacy Policy

  1. The Controller reserves the right to amend this Privacy Policy, in particular in the event of changes to applicable law, changes in the manner of processing personal data, or changes to the Application’s functionality.

  2. Users shall be notified of any changes to the Privacy Policy via an appropriate notice within the Application. Users who have provided an email address shall also receive the amended Privacy Policy by email.

  3. Continued use of the Application following changes to the Privacy Policy constitutes acceptance of those changes.

  4. The current version of the Privacy Policy is always available within the Application in the settings section.

Section 13. Final Provisions

  1. This Privacy Policy is effective as of March 1, 2026.
  2. Matters not regulated by this Privacy Policy shall be governed by the GDPR and other generally applicable provisions of Polish and European Union law on the protection of personal data, and with respect to Users from the United States — also by applicable state and federal law of the United States.
  3. Contact with the Controller regarding personal data protection: info@spoknlog.com.