Privacy Policy

Last updated: June 4, 2026

1. Who we are

VoiceBrain ("the Service") is operated by Total-Mat Consulting SRL, registered in Romania. For privacy questions or to exercise any rights described below, contact us at luciansecara@gmail.com.

2. What we collect

We collect only what we need to operate the Service:

  • Account data — your email address and name (from the sign-in provider). Optional profile data you add.
  • Voice memos — the audio recordings you create, their transcripts, and the structured items (tasks, ideas, events, notes) extracted from them.
  • Integration tokens — when you connect Todoist, Google Calendar, or Notion, we store OAuth access tokens encrypted at rest so we can send items on your behalf. Tokens are deleted when you disconnect.
  • Payment metadata — Lemon Squeezy (our Merchant-of-Record) handles all card data. We receive only the email, customer ID, subscription status, and order metadata needed to grant access.
  • Diagnostic logs — server logs (IP, request path, status code) retained for up to 30 days for security and debugging.

3. How we use it

  • To run the core product (transcribe, extract, send).
  • To process payments via Lemon Squeezy.
  • To respond to support requests.
  • To send account-related email (login links, billing receipts). We do not send marketing email without explicit consent.

4. Who we share it with

We do not sell your data. We rely on a small set of processors, each bound to confidentiality and security obligations:

  • OpenAI (United States) — voice memos and transcripts are sent to Whisper for transcription and to GPT-4o-mini for extraction. OpenAI's API terms prohibit training on our data.
  • Clerk (United States) — authentication and user identity.
  • MongoDB Atlas (EU region) — primary database for memos, items, and tokens.
  • Vercel (United States, EU edge) — hosting and Blob storage for audio files.
  • Lemon Squeezy (Merchant of Record) — payment processing, invoicing, VAT compliance.
  • Integration providers you opt into (Todoist, Google, Notion) — receive only the items you explicitly Send to them, plus what their OAuth grant requires.

5. International transfers

Several processors above are based in the United States. We rely on the EU-US Data Privacy Framework and standard contractual clauses where applicable.

6. Retention

We keep your data as long as your account is active. When you delete a memo, the audio file is removed from Vercel Blob and the database record is deleted. When you close your account by emailing us, everything is deleted within 30 days, except minimal billing records we are legally required to keep.

7. How we protect your data

We apply technical and organizational safeguards appropriate to the sensitivity of the data we hold:

  • Encryption in transit — all traffic between your device and the Service is protected with TLS (HTTPS).
  • Encryption at rest — voice memos, transcripts, and database records are stored on encrypted infrastructure (MongoDB Atlas and Vercel Blob).
  • Token protection — OAuth tokens for Todoist, Google, and Notion are additionally encrypted with AES-256-GCM before being written to the database, and are deleted when you disconnect or close your account.
  • Access controls — access to production systems is restricted to authorized personnel and protected by authentication. Each account can access only its own memos, items, and tokens.
  • Monitoring and minimization — we monitor diagnostic logs for abuse, apply security updates, and retain data only as long as needed (see Retention above). We never sell your data or use Google user data to train AI/ML models.

8. Your rights (GDPR)

If you are in the EU/EEA you have the right to access, rectify, export, delete, or restrict processing of your personal data, and to object to processing or lodge a complaint with your national data protection authority. To exercise any of these, email luciansecara@gmail.com. We respond within 30 days.

9. Cookies and storage

We use first-party cookies for authentication (set by Clerk) and a small amount of localStorage to remember UI preferences (e.g. whether you dismissed the install-the-app banner). We do not use third-party advertising trackers.

10. Children

VoiceBrain is not intended for children under 16. We do not knowingly collect personal data from them.

11. Changes

If we materially change this policy we will update the date above and notify active users by email at least 14 days before the change takes effect.

12. Google API Services User Data Policy

VoiceBrain's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically: we request the Google Calendar scope only to create events on your behalf when you press Send to Google Calendar on an item. We do not read, store, or share your existing calendar data. We do not use Google user data to develop, improve, or train generalized AI/ML models. We do not transfer Google user data to third parties except as necessary to provide or improve user-facing features, comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to you. We do not allow humans to read Google user data unless we have your explicit consent, it is needed for security purposes (such as investigating abuse), or to comply with applicable law. We never use Google user data for advertising.