Voca ("we", "our", or "us"). This policy explains what personal data Voca collects, why we collect it, how long we keep it, who we share it with, and what rights you have over it. We've tried to write this in plain language. If something is unclear, email us at [email protected].
Voca is a voice dictation service operated by Shay Stephan Lee Punter, Korunní 2569/108, 101 00 Praha - Vinohrady, Czech Republic (IČ: 23507101, DIČ: CZ0003091869). We act as the data controller for personal data processed through this service.
When you create an account we collect your name, email address, and a hashed password. We also store your email verification status and, if you enable it, a remember-me token for persistent login.
We use this data to create and manage your account, communicate with you about your subscription, and send transactional emails (e.g. password reset, billing receipts).
If you enable 2FA we store an encrypted TOTP secret, encrypted recovery codes, and a confirmed-at timestamp. This data exists solely to verify your identity at login and is never shared with third parties.
We store your Stripe customer ID, payment method type, and the last four digits of your card. We do not store full card numbers or CVV codes; those are held exclusively by Stripe under their own PCI-DSS compliance.
For subscribers we also store subscription status, trial start and end dates, plan prices, and quantities. For Pay As You Go users we maintain a credit ledger recording each transaction's amount, source, and Stripe session ID.
Every transcription request logs duration in seconds, the Whisper model used, your billing tier, and the number of credits charged. We also store session and chunk identifiers to correlate multi-part recordings. This data is used to enforce your plan limits, calculate costs, and display your usage history in the dashboard.
We do not store your transcripts by default. Transcript text is only saved if you explicitly enable the "Save transcript history" toggle in Settings. This setting is off by default. You can delete individual transcripts or your entire history at any time from the Transcripts page.
To keep you securely logged in we store:
Note on session encryption: session payloads are not currently encrypted at rest on the server. They are encrypted in transit via TLS. We intend to enable server-side session encryption in a future release.
We use Google Analytics 4 to measure aggregate site usage (page views, referrers, approximate location, device and browser type). See Section 5 for details on what is shared with Google. We do not use advertising cookies and we do not allow Google to use the data collected through our property for ad personalisation.
We do not store your audio. When you dictate, the audio stream is transmitted from your device directly to our transcription provider (Groq) over an encrypted connection and is never written to our servers or any storage. Groq processes the audio and returns the transcript text. Groq's Zero Data Retention policy is enabled on our account, meaning Groq does not retain your audio after processing. See Section 5 for more detail on Groq.
Our support team may add internal notes to your account record to provide context for support interactions. These notes are never visible to you in the product and are not shared externally. They are deleted when your account is deleted.
We assign roles and permissions to accounts for access control purposes. This assignment data is deleted on account deletion.
We use Stripe to process payments. We share your name, email address, and user ID with Stripe when creating a billing account. Stripe stores your full payment details under their own privacy policy and PCI-DSS certification. We only ever see the last four digits of your card. Stripe's privacy policy is available at stripe.com/privacy.
We use Groq's API to transcribe your audio. When you dictate, we forward the audio stream and filename to Groq. Groq does not retain this audio after processing (Zero Data Retention is enabled). Groq's data practices are governed by the Groq Customer Data Processing Addendum. Groq retains data in Google Cloud Platform infrastructure in the United States. Where applicable, we rely on Standard Contractual Clauses for transfers of personal data from the EEA to the United States.
We use Amazon Simple Email Service (AWS SES) to send transactional emails such as password resets, billing receipts, and invitations. Your email address and the body of the message are shared with AWS for delivery purposes only. SES is operated by Amazon Web Services EMEA SARL under their own privacy and security commitments.
We use Google Analytics 4 (provided by Google Ireland Limited) to understand how visitors use our site. Google receives your truncated IP address, user agent, referrer, the pages you visit on voca, and a randomly generated client ID stored in the cookies listed in Section 2.7. Google uses this data to provide aggregated usage reports to us. We do not provide Google with your name, email address, or any other directly identifying information. The legal basis for this processing is our legitimate interest in measuring and improving our service. Google may transfer this data to the United States; where applicable we rely on Standard Contractual Clauses for transfers from the EEA. Google's privacy policy is available at policies.google.com/privacy. You can opt out by installing the Google Analytics opt-out browser add-on or by enabling Do Not Track / Global Privacy Control in your browser.
We do not sell your data. We do not share your data with advertisers. We do not use your data to train AI models.
Our server logs framework errors and API errors to storage/logs/laravel.log. These logs may incidentally contain email addresses in exception stack traces. Logs are stored on the server and are not transmitted to third-party logging services. We do not currently have a defined retention period for log files. We intend to implement a 30-day rolling retention policy and will update this policy when that is in place.
When you delete your account, the following data is automatically deleted: sessions, API tokens, transcription usage records, credit ledger entries, admin notes, subscriptions, and WebAuthn credentials. Your Stripe customer record remains in Stripe's systems per their retention obligations.
Depending on where you are located you may have the right to:
To exercise any of these rights, email us at [email protected]. We will respond within 30 days.
Czech Republic and EEA residents may lodge complaints with the Czech Office for Personal Data Protection (Úřad pro ochranu osobních údajů, uoou.cz) or their local supervisory authority.
We use TLS to encrypt all data in transit. Passwords are hashed using bcrypt and never stored in plaintext. TOTP secrets and recovery codes are encrypted at rest. Payment data is handled by Stripe and never touches our servers in full. Our infrastructure is hosted on Hetzner VPS infrastructure (EU-based data centres).
Voca is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at [email protected] and we will delete it.
We will notify you of material changes to this policy by email and by displaying a notice in the application at least 14 days before the changes take effect. The "last updated" date at the top of this page will always reflect the most recent version.
Privacy enquiries: [email protected]
General: [email protected]
Legal entity: Shay Stephan Lee Punter, Korunní 2569/108, 101 00 Praha - Vinohrady, Czech Republic