Privacy Policy
Last updated: May 2026
EchoType ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains what personal data we collect when you use our voice dictation service, why and how we process it, and what rights you have under the EU General Data Protection Regulation (DSGVO/GDPR). We encourage you to read this policy carefully. Our most important commitment: we never store your audio or the text we produce for you.
1. Data Controller
The data controller responsible for the processing of your personal data within the meaning of Art. 4(7) DSGVO is: Christian Grieger, Zur Melmke 6, 59846 Sundern, Germany. For all questions regarding data protection, including requests to exercise your rights, please contact us at privacy@echotype.cloud.
2. Data We Collect
We follow a data-minimization principle, collecting only what is necessary to provide and operate the EchoType service. Specifically, we collect:
your email address, which serves as your account identifier and our primary means of communicating with you (legal basis: Art. 6(1)(b) DSGVO — contract performance);
a cryptographically hashed password for authentication — we never store your password in plain text (legal basis: Art. 6(1)(b) DSGVO);
session tokens stored in server-side memory (Redis) to maintain your authenticated session and enforce rate limits — these are automatically deleted when you log out or when they expire (legal basis: Art. 6(1)(f) DSGVO);
anonymized usage statistics including word counts, session durations, and minutes used — these are aggregated and cannot be traced back to individual users or their spoken content (legal basis: Art. 6(1)(f) DSGVO — legitimate interest in service improvement);
subscription status (free or pro tier) and related billing information (legal basis: Art. 6(1)(b) DSGVO);
and, where you have explicitly consented, your newsletter subscription preference (legal basis: Art. 6(1)(a) DSGVO — consent).
We may use a local proof-of-work challenge (CAPTCHA) during registration to protect against automated abuse — this runs entirely in your browser and does not transmit personal data to third parties. We do not collect or store any audio recordings, spoken words, transcribed text, or polished text at any point.
3. Audio and Text Processing — Our Core Privacy Commitment
EchoType is a voice dictation service. When you press the hotkey and speak, your audio is streamed in real time to a cloud-based speech-to-text (STT) backend for transcription. The resulting text is then sent to a language model for polishing (correcting grammar, removing filler words, improving readability). Both steps happen in transient, in-memory processing only. Neither the audio chunks nor the transcribed or polished text are ever written to disk, logged, cached, or otherwise persisted on our servers or the processors' servers. Once the polished text has been delivered back to your device and typed into your active application, all intermediate data is discarded immediately. We have verified with our processing partners that no audio or text content is retained after the processing request completes. This is a fundamental architectural commitment of EchoType, not merely a policy choice.
4. Third-Party Processors
We engage the following processors who may process personal data on our behalf. Each processor is bound by a data processing agreement (Art. 28 DSGVO) and processes data only within the scope of our instructions.
Hetzner Online GmbH (Industriestr. 25, 91710 Gunzenhausen, Germany) — Server hosting. Our application servers are located in Hetzner's data center in Falkenstein, Germany. Hetzner processes server log data and hosts user account data stored on our servers. Legal basis: Art. 6(1)(b) DSGVO (contract performance) and Art. 6(1)(f) DSGVO (legitimate interest in secure hosting). A data processing agreement is in place. Privacy policy: https://www.hetzner.com/legal/privacy-policy
Cloudflare, Inc. (101 Townsend St, San Francisco, CA 94107, USA) — Speech-to-text transcription and text polishing via Cloudflare Workers AI. Audio chunks are sent to Cloudflare for transcription; the resulting text may be sent to Cloudflare's language model for polishing. All data is processed transiently in memory and is not retained after the request completes. Cloudflare is certified under the EU-US Data Privacy Framework (DPF). Legal basis: Art. 6(1)(b) DSGVO. Privacy policy: https://www.cloudflare.com/privacypolicy/
Groq, Inc. (5700 Tennyson Pkwy, Plano, TX 75024, USA) — Alternative speech-to-text and text polishing backend. When Groq is used as the processing backend, the same transient processing applies: audio and text are processed in memory and are not stored. Groq offers Zero Data Retention configurations. Legal basis: Art. 6(1)(b) DSGVO. Data transfers to the US are covered by Standard Contractual Clauses. Privacy policy: https://groq.com/privacy-policy/
Paddle.com Market Ltd / Paddle.com, Inc. (20 St. Dunstan's Hill, London, EC3R 8HL, United Kingdom) — Payment processing as Merchant of Record (MoR). Paddle handles subscription billing, payment collection, and invoice generation on our behalf. Paddle processes your email address, payment details, billing address, and transaction history. Legal basis: Art. 6(1)(b) DSGVO. Privacy policy: https://www.paddle.com/legal/privacy
5. Cookies and Tracking
We do not use tracking cookies, analytics cookies, advertising cookies, or any third-party tracking technologies. Our fonts are self-hosted — the Next.js framework downloads Google Fonts at build time on the server, so your browser never makes requests to Google or any external font provider. The only cookies we use are essential session cookies required for authentication (logging in, maintaining your session). These are strictly necessary for the operation of the service and are exempt from consent requirements under Art. 6(1)(f) DSGVO. We do not use Google Analytics, Meta Pixel, or any similar tracking tools.
6. Data Retention
Account data (email, subscription status) is retained for as long as your account remains active. Anonymized usage statistics (word counts, session durations, minutes used) are retained indefinitely for service analytics — these contain no personal information and cannot be linked to individual users or their spoken content. Payment and billing records are retained for 10 years as required by § 147 of the German Fiscal Code (Abgabenordnung, AO). Upon account deletion, all personal data associated with your account is permanently and irreversibly removed from our systems within 30 days. Records that must be retained for tax law compliance are anonymized so they can no longer be linked to you.
7. Your Rights Under DSGVO/GDPR
Under the EU General Data Protection Regulation, you have the following rights with respect to your personal data:
Right of access (Art. 15 DSGVO) — You may request confirmation of whether we process your personal data and, if so, obtain a copy of that data along with details of the processing.
Right to rectification (Art. 16 DSGVO) — You may request correction of any inaccurate personal data we hold about you.
Right to erasure (Art. 17 DSGVO) — You may request deletion of your personal data. We will comply unless retention is required by law (e.g., tax-related record-keeping obligations under § 147 AO).
Right to restriction of processing (Art. 18 DSGVO) — You may request that we restrict the processing of your data while a dispute about accuracy or legality is being resolved.
Right to data portability (Art. 20 DSGVO) — You may request to receive your personal data in a structured, commonly used, machine-readable format, and you have the right to transmit that data to another controller.
Right to object (Art. 21 DSGVO) — You may object to the processing of your data based on legitimate interests (Art. 6(1)(f) DSGVO). We will cease processing unless we can demonstrate compelling legitimate grounds.
Right to lodge a complaint (Art. 77 DSGVO) — You have the right to lodge a complaint with a supervisory data protection authority if you believe that the processing of your data violates the DSGVO.
Automated decision-making (Art. 22 DSGVO) — We do not engage in automated individual decision-making or profiling as defined in Art. 22 DSGVO. No decisions that produce legal effects or similarly significantly affect you are made solely by automated means.
To exercise any of these rights, please contact us at privacy@echotype.cloud. We will respond to your request within one month. In complex cases, this period may be extended by up to two additional months (Art. 12(3) DSGVO).
8. Data Export and Account Deletion
You can download a complete copy of all personal data we hold about you at any time through the EchoType website dashboard. This fulfills your right to data portability under Art. 20 DSGVO. The export includes your account information, subscription history, and anonymized usage statistics.
You may request account deletion at any time via the dashboard. When you request deletion, your account is immediately deactivated, any active subscription is cancelled, and you receive a confirmation email. You have 14 days to change your mind — simply log in again to reactivate your account. After 14 days, all personal data associated with your account is permanently and irreversibly deleted, as described in Section 6 (Data Retention). This process fulfills your right to erasure under Art. 17 DSGVO.
9. Newsletter
During registration, you may optionally consent to receiving our newsletter. This consent is entirely voluntary and is collected separately from the registration process. The legal basis for sending the newsletter is Art. 6(1)(a) DSGVO (your consent). You may withdraw your consent at any time by contacting privacy@echotype.cloud or by using the unsubscribe link included in every newsletter email. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.
10. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our service, legal requirements, or data processing practices. In the event of material changes, we will notify you via email before the changes take effect. Continued use of EchoType after the updated policy becomes effective constitutes acceptance of the revised terms. We recommend reviewing this page periodically to stay informed about how we protect your data.
11. Contact and Supervisory Authority
For any questions, requests, or complaints regarding data protection, please contact us at privacy@echotype.cloud.
You also have the right to lodge a complaint with a supervisory data protection authority at any time. The competent authority for EchoType is:
Landesbeauftragte für den Datenschutz und Informationsfreiheit Nordrhein-Westfalen, Kavalleriestraße 221, 40210 Düsseldorf, https://www.ldi.nrw.de