
Privacy Policy

Last updated: March 2026

Overview

dictate& ("we", "our", or "us") is committed to protecting your privacy. This policy explains how we collect, use, and safeguard your personal data when you use our voice dictation application and website. The dictate& application is live and in active use.

Data We Collect

Account Data

When you sign in with Microsoft OAuth via Supabase Auth, we collect your name, email address, and Microsoft account identifier. This data is used to authenticate you and associate your work with your account. Microsoft's own privacy policy governs data held by Microsoft.

User Profile

We store your profession (e.g. barrister, solicitor), country, and subscription status to personalise your experience and manage billing.

Audio Recordings

Voice dictations are recorded on your device and uploaded to our EU-based storage (Supabase Storage, Dublin). Recordings are stored encrypted so you can play them back alongside the transcript. You can delete any recording at any time; all recordings are deleted when you close your account.

If your dictations contain personal data about third parties — such as client names, health information, or legally privileged material — that data is classified as special category data under Article 9 GDPR. In that context, dictate& acts as a data processor on your instructions, and you remain the data controller responsible for ensuring you have an appropriate legal basis to process that data through our service. See "Data Controller and Processor Roles" below.

Transcripts and Documents

Transcribed text, formatted documents, action items, summaries, and other task data are stored in our EU-based database (Supabase PostgreSQL, Dublin). You control this data — you can edit, export, or delete it at any time.

Files and Folders

If you use the file management feature, uploaded files and folder structure are stored in EU-based storage (Supabase Storage, Dublin). Files are subject to the same retention and deletion rights as other data.

Workspace Data

Workspace names, membership records, and invitation data are stored in our EU-based database to support multi-user collaboration features. Members of a shared workspace can see workspace-level content; access is limited to members you invite.

Billing Data

Subscription and payment data is processed by Stripe. We store a Stripe customer ID and subscription status in our database. Full payment card details are never stored on our servers.

Operational Logs

We maintain server-side diagnostic logs to monitor service health, investigate errors, and ensure reliability. These logs contain request identifiers, timestamps, performance metrics (such as response times and processing durations), and anonymised account identifiers. Operational logs do not contain the content of your dictations, documents, or audio recordings. These logs are stored within the EU (Supabase, Dublin) and are retained for the minimum period necessary to diagnose service issues, currently no longer than 7 days, and then automatically deleted.

Analytics

With your consent, we use PostHog (EU Cloud, Frankfurt) to collect anonymised usage analytics and error reports. Session replay, where enabled, captures UI interactions only — it does not capture the content of your dictations or documents. You can opt out at any time from your account settings. Analytics are not collected before you provide consent.

Legal Bases for Processing

We process your personal data on the following lawful bases under Article 6 GDPR:

  • Contract performance (Article 6(1)(b)) — account data, audio recordings, transcripts, documents, workspace data, and user profile data are processed to provide the service you have contracted for.
  • Legitimate interest (Article 6(1)(f)) — operational logs containing request identifiers, timestamps, and performance metrics are processed to maintain service reliability, diagnose errors, and protect the security of the service. These logs do not contain dictation content and are retained for the minimum period necessary to diagnose service issues, currently no longer than 7 days, and then automatically deleted.
  • Legal obligation (Article 6(1)(c)) — billing and transaction records are retained to comply with Irish Revenue and VAT obligations.
  • Consent (Article 6(1)(a)) — usage analytics and session replay via PostHog are processed only with your explicit consent, which you can withdraw at any time.

Where your dictations contain special category data (Article 9 GDPR) — such as health information or legally privileged material belonging to third parties — we process it solely on your instruction as a data processor. You, as data controller, are responsible for establishing an appropriate Article 9(2) basis for that processing.

Data Controller and Processor Roles

dictate& acts as a data controller for account, profile, billing, and analytics data — we determine the purpose and means of processing that data.

For the content you dictate — including any personal data relating to third parties such as clients or patients — dictate& acts as a data processor on your instructions. You are the data controller for that content and are responsible for ensuring you have the appropriate legal basis to process it through our service.

Professional users who regularly process client personal data using dictate& should contact us at hello@dictateand.com to obtain a Data Processing Agreement (DPA), as required under Article 28 GDPR.

Data Location & International Transfers

All personal data is stored and processed within the European Union:

  • Ireland (Dublin) — Application hosting, database, and file storage (Supabase)
  • Sweden (Stockholm) — AI transcription and document processing (Azure OpenAI)
  • Germany (Frankfurt) — Usage analytics (PostHog EU Cloud)

Our third-party processors (Supabase, Microsoft, Stripe, PostHog, Vercel) are incorporated outside the EU but operate EU-based infrastructure for our data. Where any transfer of personal data to a third country occurs, it is governed by Standard Contractual Clauses (SCCs) approved by the European Commission under Article 46(2)(c) GDPR, providing equivalent safeguards to EU data protection law.

Third-Party Processors

We use the following third-party data processors, each operating under a Data Processing Agreement and, where applicable, Standard Contractual Clauses:

  • Supabase — Database and file storage (Dublin, Ireland)
  • Microsoft Azure OpenAI — AI transcription and document processing (Sweden Central)
  • Stripe — Payment processing (EU-compliant, SCCs in place)
  • PostHog EU Cloud — Analytics and error monitoring (Frankfurt, Germany) — consent-gated
  • Vercel — Web hosting (Dublin, Ireland)

Your dictation content is processed only by Supabase (storage/database) and Azure OpenAI (transcription/formatting). It is not shared with Stripe or PostHog.

How We Use Your Data

We use your data solely to:

  • Provide and operate the dictate& application
  • Transcribe and format your voice dictations
  • Manage your account, workspace, and subscription
  • Monitor and maintain service reliability (via operational logs)
  • Improve the service (with your consent, via analytics)
  • Respond to support requests
  • Meet our legal and financial obligations

We do not use your dictations or documents to train AI models. Your data is not sold, rented, or shared for advertising or marketing purposes.

Data Security

We implement appropriate technical and organisational measures to protect your personal data, including:

  • Encryption in transit (TLS 1.3)
  • Encryption at rest (AES-256)
  • Row-level security on all database tables
  • Access controls and authentication on every request
  • Regular security assessments

Data Breaches

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Data Protection Commission (Ireland) within 72 hours of becoming aware of the breach, in accordance with Article 33 GDPR. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay, as required by Article 34 GDPR.

Your Rights

Under GDPR, you have the right to:

  • Access — obtain a copy of the personal data we hold about you
  • Rectification — correct inaccurate or incomplete data
  • Erasure — request deletion of your data (account deletion is available in-app)
  • Portability — receive your data in a structured, machine-readable format (Article 20; data export is available in-app)
  • Restriction — ask us to restrict processing of your data in certain circumstances (Article 18)
  • Objection — object to processing based on legitimate interests
  • Withdraw consent — withdraw consent for analytics at any time without affecting prior processing

We will respond to all rights requests within one month of receipt. If a request is complex or we receive a high volume, we may extend this by a further two months and will notify you accordingly.

To exercise any right, contact us at hello@dictateand.com or use the in-app account settings.

Cookies & Analytics

The dictate& website uses no tracking cookies. We use PostHog EU Cloud (Frankfurt) for cookieless analytics — pageviews and form interactions — only after you accept via the privacy banner shown on your first visit. Your preference is stored in your browser's local storage. You can decline or clear it at any time.

The dictate& application uses PostHog EU Cloud for analytics (custom events, error monitoring, and — where explicitly enabled — session replay of UI interactions) only after you provide explicit consent via the in-app consent prompt. Session replay does not capture the content of your dictations or documents. You can withdraw consent at any time from account settings.

Data Retention

We retain your data for as long as your account is active. When you delete your account, all personal data — including audio recordings, transcripts, documents, and workspace data — is permanently deleted within 30 days. You can also delete individual items at any time from within the application.

Waitlist email addresses submitted via the website are retained until you request removal. To be removed from the waitlist, contact us at hello@dictateand.com.

An exception applies to billing and transaction records, which are retained for 7 years from the date of the transaction in accordance with Irish Revenue and VAT obligations. This data is limited to transaction metadata (amounts, dates, Stripe references) and does not include your dictation content.

Operational logs (request identifiers, timestamps, and performance metrics) are retained for a short period and automatically deleted. These logs do not contain dictation content.

Contact & Supervisory Authority

For any privacy-related questions, rights requests, or to obtain a Data Processing Agreement, contact us at:

hello@dictateand.com

Our supervisory authority is the Data Protection Commission (Ireland). You have the right to lodge a complaint with the DPC at dataprotection.ie.
