Privacy Policy

1. Who we are and how to contact us

Controller. For the personal data described in this Policy, the controller is:

ZeroEnd Technology AB
Company registration number (organisationsnummer): [ORG-NR]
Registered address: [REGISTERED ADDRESS]
VAT number: [VAT NUMBER]

Contact for privacy matters: privacy@soundfox.ai. You can also reach us through our contact form at soundfox.ai/support/ticket, or for legal notices at legal@soundfox.ai.

Processor role for business customers. Where we process personal data on behalf of a business customer (for example, an organisation on an Enterprise plan and its Authorised Users), that organisation is the controller and we act as its processor under a data processing agreement (DPA). This Policy describes our own processing as a controller; if your employer or another organisation provides you with access to Soundfox, their privacy notice governs their use of your data.

2. Where the Services are offered

The Services are offered to users in the European Economic Area and other supported regions. The Services are not currently offered to residents of the United Kingdom; if you are in the UK, you may join our waitlist, and we will appoint a UK representative and complete UK registrations before making the Services available there. We do not knowingly target or provide the Services to jurisdictions where they would be unlawful.

3. The personal data we collect

We collect the following categories of personal data.

3.1 Account and profile data. When you create an account, our authentication provider (Clerk) collects and stores your name, email address, password or other authentication credentials, and any profile image you add. We receive the account identifiers needed to provide the Services.

3.2 Customer Content. To provide dictation and AI features, we process:

• Audio. Your microphone audio is captured only while you run a dictation session and is streamed to our speech-to-text provider for transcription. Audio is not stored by default. You can optionally enable audio storage in the desktop settings, in which case the recording is saved to our cloud storage until you delete it.
• Transcripts. The text we generate from your speech (raw transcript, polished text, and any enhanced text) is stored in your account history so you can search and reuse it, unless you delete it or turn this off.
• Related metadata. The name or identifier of the application you are dictating into (used to format output appropriately), the language, duration and word count of a session, the models and providers used, and, where you enable entity detection, structured entities detected in the text.

3.3 Personalisation and settings. Your custom vocabulary, polish profiles, personas, text expansions, redaction and formatting preferences, and other settings.

3.4 Device and technical data. For the desktop application: device platform, application version, device hostname (if available), a generated install identifier, a hashed device refresh token, and last-seen timestamps. Short-lived pairing records are created when you connect a new device and expire shortly afterwards.

3.5 Billing data. When you buy a paid plan or refill pack, our payment processor (Stripe) collects and processes your payment details (such as card or bank information and billing address) as a separate controller. We store billing status information such as your plan tier, Stripe customer and subscription identifiers, billing cadence, current period end, and a record of refill-pack purchases (amount, currency, and the seconds granted). We do not store your full payment card number.

3.6 Support data. When you contact us through the support form or by email, we collect your name, email address, the subject and content of your message, and basic technical details such as a timestamp. Where needed to prevent abuse, we may also process limited technical information (for example, a one-way hashed IP address).

3.7 Usage and analytics data. When you use our website, we and our analytics provider (Vercel Analytics) collect limited usage information such as pages viewed, referring pages, approximate (non-precise) location derived from IP, device and browser type, and similar diagnostic data, to understand and improve the Services. Within the product, we collect aggregate usage counters (for example, dictation seconds used) to power your dashboard and enforce plan limits.

3.8 Cookies and similar technologies. We use a small number of strictly necessary cookies for authentication and security, and (subject to your consent) cookies or similar technologies for analytics. See Section 7.

3.9 Marketing and communications data. If you opt in to our product or marketing emails, we (and our email provider, Loops) process your email address and your communication preferences. Marketing emails are opt-in only, and you can unsubscribe at any time.

3.10 What we do not collect. Soundfox is built to capture as little as possible. We do not take screenshots of your screen, read the contents of other applications, read window titles or browser URLs, log your keystrokes outside the dictation hotkey, or use your recordings or transcripts to train AI models (see Section 6).

4. How we collect personal data

• Directly from you — when you create an account, dictate, configure settings, buy a plan, opt in to marketing, or contact support.
• Automatically — through your use of the desktop application and website (device, usage, and, subject to consent, analytics data).
• From our service providers — for example, account identifiers from Clerk and billing status from Stripe.

5. How we use personal data, and our legal bases

We use personal data for the purposes below. Under the GDPR (and UK GDPR), each purpose relies on one or more legal bases, identified in brackets.

• Provide the Services — create and manage your account, transcribe and polish/enhance your speech, store your history and settings, sync across devices, process payments, and provide support. (Performance of a contract; for non-account holders contacting us, our legitimate interest in responding.)
• Secure the Services — authenticate devices, prevent fraud and abuse, monitor for and fix errors and security incidents. (Legitimate interests; legal obligation where applicable.)
• Improve the Services — analyse usage and create aggregated or de-identified data to understand, maintain and improve features. (Legitimate interests; consent for non-essential analytics cookies.)
• Communicate with you — send service, security, billing, and administrative messages. (Performance of a contract; legitimate interests.)
• Marketing — send product news and newsletters where you have opted in, and manage your preferences. (Consent; you can withdraw it at any time.)
• Optional features — store audio when you enable it, and apply redaction settings you choose. (Consent.)
• Comply with law and protect rights — meet legal, tax and accounting obligations, respond to lawful requests, and establish, exercise or defend legal claims. (Legal obligation; legitimate interests.)

Where we rely on legitimate interests, we balance them against your rights and freedoms. You can ask us about this balancing using the contacts in Section 1.

6. Artificial intelligence and model training

• We do not train our own AI models on your Customer Content.
• Speech-to-text (Deepgram). Your audio is sent to Deepgram to produce a transcript. We configure Deepgram to opt out of its model-improvement program, so your audio is not retained by Deepgram to train its models.
• Text generation (Anthropic). Polishing and enhancement are performed using Anthropic’s commercial API, which Anthropic does not use to train its models by default and which applies a short retention period for abuse monitoring.
• De-identified data. We may create and use aggregated and/or de-identified data, which does not identify you, to operate and improve the Services.
• No sale of personal data. We do not sell your personal data, and our business model is based on selling software, not your information.

7. Cookies, analytics and consent

We use cookies and similar technologies in two ways:

• Strictly necessary cookies — set to keep you signed in, secure your session, and operate core features. These do not require consent.
• Analytics / non-essential technologies — used (subject to your consent) to understand how the website is used and improve it. We currently use Vercel Analytics for website analytics.

We use a consent management platform (CookieYes) to present cookie choices and to record your preferences. Where required by law, non-essential cookies and analytics are not activated until you consent, and you can change or withdraw your choices at any time through the cookie settings on our website. Fuller detail is provided in our Cookie Policy. We do not use cookies for third-party advertising, and we do not use Google Analytics.

8. How we share personal data

We share personal data only as described below. We do not sell it.

8.1 Service providers (sub-processors). We use trusted providers that process personal data on our behalf and under contract, only to deliver the Services. As at the date of this Policy, they include:

• Clerk — authentication and account management.
• Deepgram — speech-to-text transcription.
• Anthropic — AI polishing and enhancement.
• OpenAI — AI polishing and enhancement.
• Cloudflare R2 — optional audio storage (only if you enable it).
• Stripe — payment processing (Stripe acts as a separate controller for payment data).
• Sentry — error and performance monitoring, configured not to capture your dictation content or IP address.
• Vercel — website hosting and analytics.
• Resend — sending transactional emails (for example, account, support and billing notifications).
• Loops — sending opt-in product and marketing emails.
• Our hosting and database providers — to run the application and store your account data, in [HOSTING/DB REGION].

A current list of sub-processors is published on our Sub-processors page and is also maintained for business customers under their DPA.

8.2 Business customers. If an organisation provides you with access to the Services, we may share account and usage information with that organisation as the controller.

8.3 Legal and protection. We may disclose personal data where reasonably necessary to comply with law or a lawful request, to enforce our Terms, or to protect the rights, property, or safety of ZeroEnd, our users, or others.

8.4 Business transfers. If we are involved in a merger, acquisition, financing, reorganisation, or sale of assets, personal data may be transferred as part of that transaction, subject to this Policy.

8.5 With your consent. We may share personal data for other purposes with your consent or at your direction.

9. International transfers

We are based in Sweden. Some of our service providers are located outside the EEA, including in the United States. Where we transfer personal data outside the EEA (or the UK), we rely on appropriate safeguards, including the EU–US Data Privacy Framework (and its UK extension) where the provider is certified, and the European Commission’s Standard Contractual Clauses (with the UK Addendum where relevant), together with additional measures where needed. You can ask us for more information about these safeguards using the contacts in Section 1.

10. How long we keep personal data

We keep personal data only for as long as necessary for the purposes described in this Policy.

• Account, settings and history — for as long as your account is active. You can delete individual transcriptions or your whole history at any time. When you close your account, we delete your stored transcriptions and personal data within 30 days, except where we must keep certain data longer (see below).
• Audio recordings — not stored unless you enable audio storage; if enabled, kept until you delete them or close your account.
• Billing and accounting records — retained for as long as required by law (under the Swedish Bookkeeping Act, generally seven years).
• Support communications — kept for as long as needed to handle and resolve your request and for a reasonable period afterwards.
• Backups and logs — kept for a limited period and then deleted or overwritten on a rolling basis.

We may keep aggregated or de-identified data, which does not identify you, for longer.

11. How we protect personal data

We use technical and organisational measures appropriate to the risk, including encryption of data in transit and at rest, access controls, and limiting access to personnel who need it. Our error monitoring is configured to avoid capturing your dictation content. No method of transmission or storage is completely secure, and we cannot guarantee absolute security, but we work to protect your data and to respond appropriately to any incident, including notifying you and the relevant authorities where the law requires.

12. Your privacy rights (EEA / UK)

If you are in the EEA or the UK, you have the following rights, subject to conditions and exceptions under applicable law:

• Access — obtain confirmation of, and a copy of, the personal data we hold about you.
• Rectification — have inaccurate or incomplete data corrected.
• Erasure — have your personal data deleted in certain circumstances.
• Restriction — ask us to restrict processing in certain circumstances.
• Portability — receive certain data in a structured, commonly used, machine-readable format.
• Objection — object to processing based on our legitimate interests, and to direct marketing at any time.
• Withdraw consent — where we rely on consent, withdraw it at any time (without affecting prior processing).

To exercise your rights, contact privacy@soundfox.ai or use our contact form. We may need to verify your identity. We will respond within the time limits set by applicable law (generally one month under the GDPR). You can use much of this directly in the product, including deleting history and closing your account.

Complaints. You have the right to lodge a complaint with a supervisory authority. In Sweden, this is the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY, www.imy.se). You may also contact the authority in your EEA country of residence. We would appreciate the chance to address your concerns first.

UK users. When the Services become available in the UK, our UK representative for the purposes of UK GDPR will be: [UK REPRESENTATIVE], and you may also complain to the UK Information Commissioner’s Office (ICO).

13. Your data controls

You can control your data directly:

• Audio storage — off by default; enable or disable it in the desktop settings.
• Transcript history — delete individual items or your entire history at any time; you can also disable storage of the raw transcript.
• Redaction / privacy filter — turn on optional redaction so sensitive content (such as passwords, card numbers, or other identifiers) is masked before your text is processed or stored.
• Marketing — opt in or out of product and marketing emails, and unsubscribe from any such email.
• Cookies — manage analytics and other non-essential cookies through the cookie settings on our website.
• Account deletion — close your account to trigger deletion of your stored data as described in Section 10.

14. United States state privacy rights

This Section applies if you are a resident of California or another US state with a comprehensive privacy law. It supplements the rest of this Policy.

Categories collected. In the past 12 months we have collected the categories described in Section 3, namely: identifiers (such as name and email); account and authentication data; commercial information (such as plan and purchase records); internet and usage activity; device and technical information; audio and transcript content you provide; support communications; and inferences drawn from the above.

Purposes and disclosures. We use and disclose these categories for the business purposes in Sections 5 and 8 (providing, securing, and improving the Services; communications; legal compliance; and protection of rights). We disclose personal data to the service providers listed in Section 8.

No sale or sharing. We do not sell your personal data, and we do not share it for cross-context behavioural advertising, as those terms are defined under California and other state laws. We honour opt-out preference signals such as Global Privacy Control (GPC) for any processing that could be considered “sharing”.

Sensitive personal information. We do not use or disclose sensitive personal information for purposes that require an opt-out right under applicable law; we use it only to provide and secure the Services.

Your rights. Depending on your state, you may have the right to know/access, delete, correct, and opt out of sale/sharing or certain profiling, and to be free from discrimination for exercising your rights. To exercise these rights, contact privacy@soundfox.ai or use our contact form. You may use an authorised agent where the law allows; we will verify your identity and the agent’s authority.

15. Children

The Services are intended for adults. They are not directed to anyone under 18, and we do not knowingly collect personal data from anyone under 18. If you believe a person under 18 has provided us with personal data, contact privacy@soundfox.ai and we will delete it.

16. Changes to this Policy

We may update this Policy from time to time. When we do, we will change the “Last updated” date above, and, if the changes are significant, we will provide a more prominent notice (for example, by email or an in-app notice). Changes take effect when posted unless stated otherwise. Please review this Policy periodically.

17. Contact us

ZeroEnd Technology AB
Company registration number (organisationsnummer): [ORG-NR]
Registered address: [REGISTERED ADDRESS]
VAT number: [VAT NUMBER]
Privacy: privacy@soundfox.ai · Legal: legal@soundfox.ai
Support: soundfox.ai/support/ticket
Supervisory authority (Sweden): Integritetsskyddsmyndigheten (IMY), www.imy.se