PRIVACY

Privacy and security

Version 1.0 — March 2026

Our commitment

Speech Recognition Cloud respects your privacy and your rights under international frameworks such as the EU General Data Protection Regulation (GDPR), the Australian Consumer Law and Privacy Act 1988, and the California Consumer Privacy Act (CCPA/CPRA). We are committed to transparency: you can ask us at any time what data we hold, request correction or deletion, and we will act promptly. Our guiding principle is simple — your data belongs to you.

TL;DR

  • We never store your audio or transcripts
  • Audio is processed in memory only, then immediately erased
  • Your dictation history stays on your computer — we cannot access it
  • We do not sell or share your data with third parties
  • You can request deletion of your data at any time

What data we process and why

| Data | Retention | Purpose | Legal basis (GDPR) |
|---|---|---|---|
| Voice buffers, audio data, transcribed text | RAM only, no retention | Convert speech to text | Art 6(1)(b) — contract |
| Usage logs, transcription metadata, computer footprint, coarse locale, crash traces | 5 years | Billing, keep the service reliable, scale capacity, detect abuse | Art 6(1)(b) — contract; Art 6(1)(f) — legitimate interests |
| Account and billing details, contact details, payment info | 10 years | Billing, account management, support, inform users of changes to functionality and policy | Art 6(1)(b) — contract; Art 6(1)(c) — legal obligation |

Transcription

On our servers, audio is processed transiently and never stored in permanent memory. We route your audio to cloud-based speech-to-text providers that operate under zero data retention policies. Audio is processed and immediately discarded. Dictation history and transcripts remain only on your own computer. Speech Recognition Cloud staff cannot access them.

AI Modes

When you use our AI features to process your text:

  • Your text is sent to a third-party AI provider (OpenAI) for processing
  • OpenAI retains data for up to 30 days for service reliability — this is the only feature where temporary retention applies
  • Processed results are returned to your device; we do not store the content on our servers

Screen OCR

Our Screen OCR feature helps recognise text on your screen to increase transcription accuracy:

  • OCR processing happens locally on your device
  • The raw text content of your active window is sent to our servers for extraction of keywords. Your screen content is not stored; it is processed transiently and may only be used to build a shared anonymous dictionary
  • Unrecognised words may be sent to cloud provider servers for categorisation, to extract technical terms, names, and similar. Only words not in our dictionary are sent, not full sentences or personal context, as the majority of words are already in our dictionaries
  • We apply a strict no-retention policy for these requests: they are kept in RAM only and are never stored, either on our servers or on our cloud provider's servers

Account and payment information

We collect account details (such as name and email) to manage your subscription. For billing, we process payment information (including billing address and payment method) through trusted third-party payment processors. We do not store your complete payment card details on our servers.

Payment processors we use are compliant with international standards for secure transactions (e.g. PCI-DSS). In the case of recurring subscriptions, your payment method may be securely tokenised by the payment processor to enable automatic renewals.

To maintain service reliability and prevent abuse, we collect technical information such as device type, operating system version, IP address, user account, and hardware footprint. We do not use technical metadata to build personal profiles, track browsing behaviour, or identify individuals beyond what is strictly necessary for providing the service.

Security measures

  • Encryption: TLS 1.2+ in transit; AES-256 at rest for account and usage data
  • Access controls: Unique accounts with mandatory two-factor authentication for all staff
  • Endpoint protection: Industry-standard antivirus on workstations
  • Application hardening: Secure development practices, including code review and controlled deployment procedures; only approved software on production and staff systems
  • Operational hygiene: Timely patching, secure cloud configurations, backups of essential service data
  • Baseline compliance: Aligned with ACSC Essential Eight, APPs, and GDPR principles. We operate in alignment with ISO 27001 controls. Security practices informed by SOC 2 Trust Services Criteria

Data sharing

Service providers: We use trusted third parties to support core operations. These providers process data only under our instructions and with strict confidentiality:

  • Speech-to-text providers (zero data retention)
  • AI text processing provider (up to 30-day retention for service reliability)
  • Payment processor (PCI-DSS compliant)

A detailed list of sub-processors is available upon request via our contact page.

Legal compliance: We may disclose limited information if required by law, court order, or regulatory authority.

With your consent: Beyond these cases, we will only share your information if you explicitly authorise us to do so.

Legal and regulatory compliance

We comply with applicable privacy and consumer protection laws in the EU, California, Australia, and other jurisdictions where we operate. We cooperate with lawful requests from regulatory or judicial authorities, provided they are valid and proportionate. We enforce our Terms of Service and security policies to protect the rights and safety of Speech Recognition Cloud, our users, and others.

Data breach notification

In the event of a personal data breach, we will notify affected users without undue delay and within 72 hours of becoming aware of the breach, in accordance with GDPR Art. 33. Notifications will include the nature of the breach, the categories of data affected, likely consequences, and the measures taken to address it.

Business customers

Our Data Processing Agreement is available for all business customers and applies automatically when you use the Service. It covers GDPR Art. 28 requirements and includes EU Standard Contractual Clauses (SCCs) for international data transfers. If your organisation requires a countersigned copy, contact us.

Cross-border data processing

Audio may be processed outside your jurisdiction depending on your location and the transcription mode used. Audio is not retained after processing is complete. Where data is transferred outside the European Economic Area, we rely on EU Standard Contractual Clauses (SCCs) and equivalent safeguards to ensure your data is protected to GDPR standards.

Standard transcription processing locations: United States, Canada, Finland, Saudi Arabia, Australia. Your requests are automatically routed to the nearest available data centre for lowest latency.

Medical transcription processing locations: United States, European Union. Medical transcription is processed exclusively on HIPAA-compliant infrastructure with zero data retention.

Your rights

You can access, erase, object to, or restrict our use of usage logs at any time. Please note: if you request erasure or restriction of logs, we may no longer be able to provide the service, as these logs are required for billing, performance, and abuse prevention.

To make a request, contact us and include your device ID from:
%localappdata%/speechrecognitioncloud/settings.json

Healthcare use

Speech Recognition Cloud is not a medical device and does not diagnose or treat conditions. We do not persist or store Protected Health Information (PHI). Audio is processed transiently in memory and erased immediately. For healthcare clients, we apply enhanced safeguards aligned with Australian health privacy laws and international best practices. U.S. healthcare customers requiring HIPAA compliance should contact us to arrange a Business Associate Agreement (BAA).

Children's privacy

Our services are not designed for or directed at children under 13 years of age (or the minimum age of digital consent in your jurisdiction). We do not knowingly collect personal information from children. If we learn we have inadvertently collected such information, we will delete it promptly.

Changes to this privacy policy

We reserve the right to periodically update this privacy policy. Any revisions will be posted prominently, with the updated effective date clearly indicated. We encourage you to regularly review this policy to stay informed about our privacy practices.

Questions about privacy?

Contact us with any questions about how your data is handled.