Privacy Policy

This policy describes how Vcloudio ("we", "us", "our") collects, uses, and protects your personal data when you use our voice transcription and text normalization service, including our website at vcloudio.ai, mobile apps, and desktop app (collectively, the "Service").

1. Data controller

Vcloudio is operated by Devasoft, based in Bulgaria. For questions about this policy or your data, contact us at [email protected].

2. Data we collect

2.1 Account data

When you register, we collect:

• Email address
• Password (stored as a bcrypt hash, never in plaintext)
• Marketing consent preference
• Invite code used (if applicable)

2.2 Audio data

When you use the transcription feature, audio is streamed to our servers in short segments. Audio is transcribed locally on our own servers using self-hosted speech-to-text software. Your audio is never sent to any third party. Audio is processed in real time and is not stored after transcription is complete. We do not retain recordings.

2.3 Transcription and processed text

The text output from transcription, normalization, formatting, and translation is transmitted back to your device and is not stored on our servers.

2.4 Usage analytics

We collect anonymized usage events to understand how the Service is used:

• Feature usage (transcription, formatting, translation, desktop relay)
• Session metadata (audio duration, text length, language used)
• Login events and last active timestamp

Our website uses Umami, a self-hosted, cookieless analytics platform. Umami collects page views and basic visit data without setting cookies or storing personal identifiers. All analytics data is processed on our own EU servers.

With your consent, we also use Microsoft Clarity for heatmaps and session recordings to understand how visitors interact with our website. Clarity uses cookies and is operated by Microsoft Corporation. You can accept or decline Clarity via the cookie banner shown on your first visit. For more information, see Microsoft's Privacy Statement.

2.5 Client error logs

The mobile and desktop apps may send error logs to help us diagnose issues. These include error messages, platform information, app version, and debugging context. Logs are not designed to contain audio or transcription content, though debugging context may include technical details about the operation that failed.

2.6 Contact form

If you contact us through the website, we collect your name, email, and message. Contact form submissions are sent to us via email and are not stored in our database.

3. How we use your data

• To provide and operate the Service
• To authenticate you and manage your account
• To send transactional emails (verification, account notices)
• To diagnose errors and improve reliability
• To understand usage patterns and improve the product
• To send marketing communications (only with your consent)

4. Legal basis for processing (GDPR)

• Contract performance: account management, service delivery
• Legitimate interest: usage analytics, error logging, security
• Consent: marketing communications

5. Data sharing

We use third-party service providers in the following categories:

• Infrastructure hosting (EU) — servers, database, and speech-to-text processing
• AI text processing (EU) — normalization, formatting, and translation of transcribed text
• Network security — DDoS protection, DNS, and TLS proxy
• Email delivery — transactional emails (verification, contact form)

Audio is transcribed on our own servers and is never shared with any third party. Text sent for AI processing is handled via stateless API calls and is not retained by the provider. No personal identifiers (email, user ID) are included in these calls.

We do not sell your data. We do not share your data with third parties for advertising purposes. A list of specific sub-processors is available upon request.

6. Data location

Our servers are located in Germany (GDPR-compliant, ISO 27001 certified infrastructure). Audio transcription runs entirely on our servers. Text processing is handled by an EU-based provider in France. All core data processing and storage remains within the European Union. Transactional email delivery uses a provider with EU data processing safeguards in place.

7. Data retention

• Account data: retained while your account is active, deleted upon account deletion
• Audio: not stored (processed in memory, discarded immediately)
• Transcription text: not stored on our servers
• Usage events: retained while your account is active
• Error logs: retained while your account is active, deleted upon account deletion
• Refresh tokens: expire after 30 days, deleted on logout
• Desktop relay messages: transmitted in real time via in-memory message relay, not persisted

8. Your rights

Under the GDPR, you have the right to:

• Access your personal data (data export available in your account)
• Rectification of inaccurate data
• Erasure of your data (account deletion available in your account)
• Restrict processing of your data
• Data portability (export your data in JSON format)
• Object to processing based on legitimate interest
• Withdraw consent for marketing at any time

To exercise these rights, use the in-app account features or contact [email protected].

9. Security

We protect your data with encryption in transit (TLS), hashed passwords (bcrypt), hashed tokens (SHA-256), and infrastructure-level protections (Hetzner firewall, Cloudflare proxy). Access to production systems is restricted.

10. Children

The Service is not directed to children under 16. We do not knowingly collect data from children. If you believe a child has provided us with personal data, contact [email protected].

11. Changes to this policy

We may update this policy from time to time. We will notify you of material changes by email or by a notice on the Service. Continued use after changes constitutes acceptance.

12. Contact

For privacy-related questions or requests:
Email: [email protected]
Or use our contact form.