Privacy Policy
The short version.Your transcripts are stored encrypted on your device, not on our servers. Your voice passes through our transcription pipeline for a few seconds and is never stored. Our servers keep word counts, never words. We don't sell data, we don't run advertising trackers, and you can delete your account and everything in it yourself.
1. Who we are
Dictopad is operated by Maico Labs (Pty) Ltd, a company registered in South Africa ("we", "us"). We are the responsible party under the Protection of Personal Information Act (POPIA) and the data controller under the EU General Data Protection Regulation (GDPR) for the processing described here. Our Information Officer can be reached at [email protected].
2. What we collect — and what we deliberately don't
We collect
- Account information: your email address and name, handled by our authentication provider when you sign up.
- Usage counts: the number of words and seconds you transcribe each month, and request counts. Numbers only — used for fair-use limits and to run the service.
- Billing status: your subscription state (trialing, active, cancelled). Payment itself is handled by Paddle, our merchant of record — we never see or store your card details.
- Waitlist and support emails: if you join the waitlist or write to us.
- Security telemetry: IP addresses processed for rate limiting and abuse prevention, stored only in hashed form.
We deliberately do not collect
- Your transcripts. The text of what you dictate is stored encrypted in your own browser, on your device. It is never written to our databases. We verify this claim with automated tests before every release.
- Your audio. Recordings are processed transiently and never stored server-side.
- Behavioural advertising data. No ad trackers, no third-party advertising cookies, no sale of personal information — ever.
3. How your dictation actually flows
When you record, your audio travels over an encrypted connection (TLS) to our server, which passes it — without storing it — to a US-based speech-to-text infrastructure provider operating under a data processing agreement with a zero-data-retention configuration: your audio and its transcript are not retained by that provider after processing. The text returns to your browser, where it is encrypted (AES-256-GCM) and stored locally on your device. If you use the optional Polish feature, your transcript text is processed under the same transient, zero-retention arrangement.
The encryption key for your local history is held on our servers and supplied to your browser only when you are signed in — so we hold a key but never your words, and your device holds your words but cannot reveal them without your login.
Because your history lives only on your device, it can be removed by clearing your browser data, and it does not follow you between devices. Use the export function for anything you need to keep.
4. Service providers and cross-border transfers
We share personal information only with the service providers needed to run Dictopad, each bound by a data processing agreement: authentication (Clerk), database and backend (Convex), payments and tax (Paddle, as merchant of record), transactional email (Resend), network security and DNS (Cloudflare), server hosting (US), and a US-based speech-to-text infrastructure provider as described above. A complete, current subprocessor list is available on request from [email protected].
Some of these providers process data in the United States and other countries outside South Africa and the European Economic Area. Where that happens, we rely on contractual safeguards — data processing agreements incorporating standard contractual clauses or an equivalent adequacy mechanism — as required by section 72 of POPIA and Chapter V of the GDPR.
5. Why we process your data (lawful bases)
- To provide the service (performance of a contract): transcription, your account, billing status, usage limits.
- Security and abuse prevention (legitimate interest): hashed-IP rate limiting, fraud prevention.
- Waitlist and product updates (consent): you can withdraw at any time via the unsubscribe link in any email.
- Legal obligations: tax and financial records are handled by Paddle as merchant of record.
6. How long we keep things
- Transcripts: not held by us at all. On your device, you control retention (1 hour to forever) in settings.
- Usage counts: while your account is active, then deleted within 90 days of account deletion.
- Account data: until you delete your account.
- Waitlist emails: until launch communications are complete or you unsubscribe, whichever comes first.
- Support correspondence: up to 2 years.
- Hashed security logs: 90 days.
7. Your rights
Under POPIA and the GDPR you may access, correct, export, or delete your personal information, object to processing, and withdraw consent. Account deletion is built in: deleting your account removes your account record, usage counts, and encryption key from our systems and cancels your subscription. For anything else, email [email protected] — we respond within 30 days.
You may also lodge a complaint with the Information Regulator (South Africa) at inforegulator.org.za or, if you are in the EU/EEA, with your local supervisory authority.
8. Cookies
Dictopad uses strictly necessary cookies only: authentication session cookies and security (CSRF) tokens. We do not use advertising or cross-site tracking cookies. Any visitor analytics we run are aggregate and cookie-free.
9. Security
Everything travels over TLS. Local history is encrypted with AES-256-GCM. Our API enforces authentication, input validation, rate limiting, and CSRF protection, and we log security events with hashed IPs only. No system is perfectly secure — but our architecture means that even in a worst-case breach of our servers, your transcripts are not there to be taken.
10. Breach notification
If a breach affecting your personal information occurs, we will notify the Information Regulator and affected users as required by POPIA section 22 and, where applicable, the GDPR's 72-hour notification requirement.
11. Children
Dictopad is not directed at children under 18, and we do not knowingly process children's personal information.
12. Changes
If we change this policy materially, we will notify you by email or in the app before the change takes effect. The "last updated" date at the top always reflects the current version.
13. Contact
Maico Labs (Pty) Ltd, South Africa · [email protected] (privacy and data rights) · [email protected] (everything else)