Privacy Policy

This policy is issued by Voca ("we", "our", or "us"). It explains what personal data Voca collects, why we collect it, how long we keep it, who we share it with, and what rights you have over it. We've tried to write this in plain language. If something is unclear, email us at [email protected].

Effective date · 27 April 2026
Last updated · 5 May 2026

1. Who we are

Voca is a voice dictation service operated by Shay Stephan Lee Punter, Korunní 2569/108, 101 00 Praha - Vinohrady, Czech Republic (IČ: 23507101, DIČ: CZ0003091869). We act as the data controller for personal data processed through this service.


2. What data we collect and why

2.1 Account data

When you create an account we collect your name, email address, and a hashed password. We also store your email verification status and, if you enable it, a remember-me token for persistent login.

We use this data to create and manage your account, communicate with you about your subscription, and send transactional emails (e.g. password reset, billing receipts).

2.2 Two-factor authentication

If you enable 2FA we store an encrypted TOTP secret, encrypted recovery codes, and a confirmed-at timestamp. This data exists solely to verify your identity at login and is never shared with third parties.

2.3 Billing data

We store your Stripe customer ID, payment method type, and the last four digits of your card. We do not store full card numbers or CVV codes; those are held exclusively by Stripe under their own PCI-DSS compliance.

For subscribers we also store subscription status, trial start and end dates, plan prices, and quantities. For Pay As You Go users we maintain a credit ledger recording each transaction's amount, source, and Stripe session ID.

2.4 Usage data

Every transcription request logs duration in seconds, the Whisper model used, your billing tier, and the number of credits charged. We also store session and chunk identifiers to correlate multi-part recordings. This data is used to enforce your plan limits, calculate costs, and display your usage history in the dashboard.

2.5 Transcript text

We do not store your transcripts by default. Transcript text is only saved if you explicitly enable the "Save transcript history" toggle in Settings. This setting is off by default. You can delete individual transcripts or your entire history at any time from the Transcripts page.

2.6 Authentication and session data

To keep you securely logged in we store:

  • Session records: IP address, browser user agent, encrypted session payload, and last activity timestamp. Sessions expire after 120 minutes of inactivity.
  • API tokens (Sanctum): a hashed token value, token name, granted abilities, last-used timestamp, and expiry date. Used by the desktop app to authenticate API requests.
  • WebAuthn credentials (passkeys): public key, AAGUID, origin, counter, and a device alias you choose. Private keys never leave your device.
  • Password reset tokens: your email address and a hashed reset token, valid for 60 minutes.

Note on session encryption: session payloads are not currently encrypted at rest on the server. They are encrypted in transit via TLS. We intend to enable server-side session encryption in a future release.

2.7 Cookies

The essential cookies below (session and CSRF token) are required for the site to function and are always set. The analytics cookies (Google Analytics and Microsoft Clarity) are only set after you grant consent through our cookie banner, and you can withdraw consent at any time via the Cookie preferences link in the footer.

Cookie, purpose, and type:

  • voca-session: maintains your login session. Type: httpOnly, SameSite=lax.
  • XSRF-TOKEN: protects against cross-site request forgery. Type: SameSite=lax.
  • Sanctum bearer token: authenticates API requests from the desktop app. Type: stored in the OS credential store (Windows Credential Manager, macOS Keychain, or Linux Secret Service), not a browser cookie.
  • _ga: Google Analytics, distinguishes unique visitors. Type: third-party analytics (Google), 2 year expiry.
  • _ga_CVR26SXRW5: Google Analytics, persists session state for our property. Type: third-party analytics (Google), 2 year expiry.
  • _clck: Microsoft Clarity, persists a Clarity user ID for the site. Type: first-party analytics (Clarity), 1 year expiry.
  • _clsk: Microsoft Clarity, connects multiple page views into a single session. Type: first-party analytics (Clarity), 1 day expiry.
  • MUID, ANONCHK, CLID, SM: Microsoft Clarity / Microsoft, session replay delivery, anti-fraud, and unique browser identification. Type: third-party (clarity.ms / bing.com), expiries from session up to ~1 year.

We use Google Analytics 4 to measure aggregate site usage (page views, referrers, approximate location, device and browser type) and Microsoft Clarity for session replays and heatmaps so we can see how visitors actually use our marketing site and dashboard. See Section 7 for details on what is shared with each provider. We do not use advertising cookies and we do not allow Google to use the data collected through our property for ad personalisation.

2.8 Team data

If you join a team, certain account information is visible to other members of the same team so that shared usage and quotas can be managed.

  • Visible to all team members: your name, email address, role (Owner, Billing, or Access), active or deactivated status, billing tier (Pro or Credit), join date, your per-member monthly usage cap if the owner has set one, your seconds used this month, and your remaining quota.
  • Not visible to other members: your transcripts. Saved transcript history is strictly per-user, never team-scoped, pooled, or readable by other members, regardless of role.
  • Restricted to Owner and Billing roles: the team's invoices, credit balance, plan, and Stripe billing data. Members assigned the Access role do not see the team page or the team's billing pool, only their own personal usage.
  • Owner powers: the team owner can invite or remove members, change roles, set per-member monthly usage caps, deactivate accounts, and cancel or change the subscription.

Team membership records (your link to a team and your role within it) are deleted when you leave the team or delete your account. If you are the sole owner of a team with active members or an active paid plan, you must transfer ownership or cancel the plan before deletion. See Section 9.


3. Lawful basis for processing

Under the EU General Data Protection Regulation (GDPR), we are required to identify a lawful basis for each category of processing. The bases we rely on are set out below.

Processing and lawful basis (GDPR Art. 6):

  • Account creation, login, and session management (including passkeys, API tokens, and password resets): Contract, Art. 6(1)(b)
  • Billing, subscription management, and credit ledger: Contract, Art. 6(1)(b)
  • Transcription processing (audio streamed to Groq): Contract, Art. 6(1)(b)
  • Two-factor authentication and account security measures: Legitimate interest, Art. 6(1)(f)
  • Saved transcript history (only when you enable the toggle): Consent, Art. 6(1)(a)
  • Analytics cookies (Google Analytics, Microsoft Clarity): Consent, Art. 6(1)(a)
  • "Continue with Google" sign-in (Google OAuth profile data): Consent, Art. 6(1)(a)
  • Server and framework error logs, fraud prevention, abuse mitigation: Legitimate interest, Art. 6(1)(f)
  • Retention of billing records for tax and accounting purposes: Legal obligation, Art. 6(1)(c)

Where processing is based on consent, you can withdraw it at any time: disable transcript history in Settings → Privacy, opt out of analytics through your browser controls (see Section 7), or revoke Google sign-in access at myaccount.google.com/permissions. Withdrawing consent does not affect the lawfulness of processing carried out before the withdrawal.

Where we rely on legitimate interests, we have weighed those interests against your rights and freedoms. You can object to such processing at any time by contacting us at [email protected].


4. Audio data

We do not store your audio. When you dictate, the audio stream is transmitted from your device directly to our transcription provider (Groq) over an encrypted connection and is never written to our servers or any storage. Groq processes the audio and returns the transcript text. Groq's Zero Data Retention policy is enabled on our account, meaning Groq does not retain your audio after processing. See Section 7 for more detail on Groq.


5. Mobile app

Voca is available on Android. The mobile app requests microphone access (RECORD_AUDIO) only at the moment you tap Record, in order to capture your voice for transcription. Audio handling matches the desktop client exactly: streamed directly to Groq with Zero Data Retention, never written to our servers. The mobile app stores your authentication token in app-private storage; on supported devices this is encrypted at rest by Android's File-Based Encryption.


6. Administrative data

Our support team may add internal notes to your account record to provide context for support interactions. These notes are never visible to you in the product and are not shared externally. They are deleted when your account is deleted.

We assign roles and permissions to accounts for access control purposes. This assignment data is deleted on account deletion.


7. Third parties we share data with

Stripe

We use Stripe to process payments. We share your name, email address, and user ID with Stripe when creating a billing account. Stripe stores your full payment details under their own privacy policy and PCI-DSS certification. We only ever see the last four digits of your card. Stripe's privacy policy is available at stripe.com/privacy.

Groq

We use Groq's API to transcribe your audio. When you dictate, we forward the audio stream and filename to Groq. Groq does not retain this audio after processing (Zero Data Retention is enabled). Groq's data practices are governed by the Groq Customer Data Processing Addendum. Groq retains data in Google Cloud Platform infrastructure in the United States. Where applicable, we rely on Standard Contractual Clauses for transfers of personal data from the EEA to the United States.

Amazon SES

We use Amazon Simple Email Service (AWS SES) to send transactional emails such as password resets, billing receipts, and invitations. Your email address and the body of the message are shared with AWS for delivery purposes only. SES is operated by Amazon Web Services EMEA SARL under their own privacy and security commitments.

Google (sign-in)

If you choose "Continue with Google" to create or sign in to your account, Google shares your email address and basic profile information (name, picture) with Voca for the sole purpose of creating or matching your Voca account. Voca does not access your contacts, calendar, or any other Google data. You can revoke this access at any time at myaccount.google.com/permissions.

Google Analytics

We use Google Analytics 4 (provided by Google Ireland Limited) to understand how visitors use our site. Google receives your truncated IP address, user agent, referrer, the pages you visit on Voca, and a randomly generated client ID stored in the cookies listed in Section 2.7. Google uses this data to provide aggregated usage reports to us. We do not provide Google with your name, email address, or any other directly identifying information. The legal basis for this processing is our legitimate interest in measuring and improving our service. Google may transfer this data to the United States; where applicable we rely on Standard Contractual Clauses for transfers from the EEA. Google's privacy policy is available at policies.google.com/privacy. You can opt out by installing the Google Analytics opt-out browser add-on or by enabling Do Not Track / Global Privacy Control in your browser.

Microsoft Clarity

We use Microsoft Clarity (provided by Microsoft Corporation) to capture how visitors use and interact with our website through behavioural metrics, heatmaps, and session replay. This helps us improve site usability, diagnose issues, and prioritise product work. Website usage data is captured using first- and third-party cookies and other tracking technologies (see Section 2.7). We do not use Clarity to target advertising. Clarity automatically masks input fields, passwords, and personal data in session recordings by default. Microsoft may transfer this data to the United States; where applicable we rely on Standard Contractual Clauses for transfers from the EEA. The legal basis for this processing is our legitimate interest in measuring and improving our service. For more information about how Microsoft collects and uses your data, see the Microsoft Privacy Statement.

No other third parties

We do not sell your data. We do not share your data with advertisers. We do not use your data to train AI models.


8. Log files

Our server logs framework errors and API errors to storage/logs/laravel.log. These logs may incidentally contain email addresses in exception stack traces. Logs are stored on the server and are not transmitted to third-party logging services. Log files are retained for 60 days on a rolling basis, after which they are automatically deleted.


9. Data retention

Data and retention period:

  • Account data: until account deletion
  • Billing data (Voca records): until account deletion
  • Stripe billing data: governed by Stripe's retention policy
  • Usage metadata: until account deletion
  • Transcript text (if opted in): until deleted by user or account deletion
  • Sessions: 120 minutes of inactivity, then auto-purged
  • WebAuthn credentials: until removed by user or account deletion
  • API tokens: until revoked or expiry date
  • Password reset tokens: 60 minutes; not automatically purged on account deletion (keyed by email address)
  • Admin notes: until account deletion
  • Audio: never stored
  • Log files: 60 days, then auto-deleted

You can delete your account yourself from Settings → Account → Delete. Deletion is immediate and cannot be undone. The following data is removed automatically: your profile, saved transcripts, transcription usage records, credit ledger entries, OAuth identities, WebAuthn credentials, sessions, API tokens, role assignments, admin notes, team membership, and, if you are the sole member of a personal team, the team and its subscription records. Your Stripe customer record remains in Stripe's systems per their retention obligations.

If you are the owner of a team that has an active paid plan or other active members, you must transfer ownership to another member or cancel the paid plan before you can delete your account. This protects your team-mates from losing access without warning.


10. Your rights

Depending on where you are located you may have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate data
  • Delete your account and associated data
  • Export your data in a portable format
  • Object to or restrict certain processing
  • Withdraw consent where processing is based on consent
  • Lodge a complaint with your local data protection authority

You can delete your account and export your data as a JSON file directly from Settings → Account; no email is required. For any other right above, email us at [email protected] and we will respond within 30 days.

Czech Republic and EEA residents may lodge complaints with the Czech Office for Personal Data Protection (Úřad pro ochranu osobních údajů, uoou.cz) or their local supervisory authority.


11. Security

We use TLS to encrypt all data in transit. Passwords are hashed using bcrypt and never stored in plaintext. TOTP secrets and recovery codes are encrypted at rest. Payment data is handled by Stripe and never touches our servers in full. Our infrastructure is hosted on Hetzner VPS infrastructure (EU-based data centres).


12. Children

Voca is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at [email protected] and we will delete it.


13. Changes to this policy

We will notify you of material changes to this policy by email and by displaying a notice in the application at least 14 days before the changes take effect. The "last updated" date at the top of this page will always reflect the most recent version.


14. Contact

Privacy enquiries: [email protected]
General: [email protected]
Legal entity: Shay Stephan Lee Punter, Korunní 2569/108, 101 00 Praha - Vinohrady, Czech Republic