Skip to content
SECURITY & COMPLIANCE

Built for data you can't afford to lose

Legal privilege. Patient confidentiality. Professional obligations. dictate& is designed from the ground up for the data standards your profession demands.

EU-only processing

Audio recordings, transcripts, and account data are processed and stored within the EU. Dublin for hosting and storage. Stockholm for AI transcription.

Encrypted everywhere

TLS 1.3 in transit. AES-256 at rest. Your dictation is encrypted from the moment it leaves your phone to the moment you read the document.

Audio stored securely, under your control

Audio recordings are stored encrypted in EU infrastructure (Dublin) so you can play them back at any time. You can delete individual recordings or request full account deletion at any time.

No US data transfer

Dictation data is not routed through, stored in, or processed in the United States or any non-EU jurisdiction.

No training on your data

Your dictations are not used to train AI models. Your client's case details, patient information, and privileged material stay private.

Access controls

Authentication on every request. Role-based access. Regular security assessments. Your data is only accessible to you.

Where your data goes

  1. 1

    You dictate on your phone

    Audio is transmitted over an encrypted connection (TLS 1.3). If you're offline, the recording stays on your phone until you have signal.

  2. 2

    Audio is transcribed in Stockholm (EU)

    AI transcription runs on EU infrastructure in Sweden. Your audio is not used for model training. The recording is then stored encrypted in Dublin so you can play it back at any time.

  3. 3

    Document is formatted and stored in Dublin (EU)

    Your structured document is stored encrypted at rest in Ireland. You control it — review, edit, export, or delete at any time.

  4. Dictation data stays within the EU

    At no point does your dictation data leave the European Union. Analytics (PostHog EU, Frankfurt) and payment processing (Stripe) are EU-compliant third-party processors — your dictation content is never shared with them.

GDPR compliance

dictate& is a data processor under GDPR. You (the professional) are the data controller for any client or patient information you dictate. We process that data solely to provide the transcription and formatting service, and for no other purpose.

Lawful basis: performance of a contract (Article 6(1)(b))
Data Processing Agreement available on request
Data subject access requests honoured within 30 days
Right to erasure: delete your data at any time
Data portability: export your documents in standard formats
No automated decision-making or profiling
Data breach notification within 72 hours
Supervisory authority: Data Protection Commission (Ireland)

For legal professionals specifically

Legal professional privilege imposes obligations that go beyond standard GDPR. Barristers and solicitors handling privileged material need to know that their tools don't create data protection exposures.

dictate& addresses this directly: EU-only processing eliminates the risk of privileged material being routed through US infrastructure (and the CLOUD Act jurisdiction issues that come with it). Audio recordings are stored encrypted in EU infrastructure under your control — you retain the ability to play back, review, or permanently delete them at any time. No model training on your data means your client's case details don't end up improving a commercial AI product.

For more on how this applies in practice, see our article on GDPR and voice dictation for Irish lawyers.

Security questions

Where exactly is my data stored?

Application hosting, database, and file storage are in Dublin, Ireland. AI transcription processing is in Stockholm, Sweden. Both are within the EU.

Is my audio kept after transcription?

Yes. Audio recordings are stored encrypted in EU infrastructure (Dublin) so you can play them back alongside the transcript. You can delete any recording at any time, and all recordings are deleted when you close your account.

Is my data used to train your AI?

No. Your dictations, transcripts, and documents are never used for model training. Your data is used solely to provide the service to you.

Can I delete all my data?

Yes. You can delete individual documents or request full account deletion at any time. We honour erasure requests in line with GDPR Article 17.

Do you have a Data Processing Agreement?

Yes. A DPA is available on request for firms and practitioners who need one for their compliance records. Contact hello@dictateand.com.

What happens if there's a data breach?

We notify affected users and the Data Protection Commission within 72 hours, as required by GDPR Article 33. Our incident response process is documented and tested.

For the full legal details, see our Privacy Policy.

We use cookieless analytics (PostHog, Frankfurt) to understand how people discover dictate&. No cookies, no cross-site tracking, EU-only. Privacy policy.