# Privacy Policy

> How ParrotPad collects, uses, and protects your personal data. UK GDPR aligned. Last updated 22 May 2026.

This Privacy Policy explains how we handle personal data when you use ParrotPad. It is written to comply with the UK GDPR and the Data Protection Act 2018. If you are in the EEA, equivalent rights under the EU GDPR apply.

## 1. Who we are
ParrotPad is a brand of LemonadeStack. We are the data controller for personal data processed through the ParrotPad desktop application and website.

## 2. What we collect
- **Account data** - name, email, hashed password (or name + email via SSO).
- **Profile and preferences** - role and environment from onboarding; hotkeys, selected microphone, STT provider preference, personal-dictionary entries.
- **Usage data** - for every transcription: user ID, audio duration, provider, model, success/failure, end-to-end latency. We do not log the contents of your speech in usage logs.
- **Transcripts** - the text produced by the STT engine, stored against your account so you can search and reuse it. You can delete any transcript at any time.
- **Technical data** - IP address, user agent, app version, OS - held for diagnostic and security purposes.

## 3. How we use your data
- To provide the dictation service (route audio to a provider and return a transcript).
- To keep transcript history and account settings.
- To apply rate limits and prevent abuse.
- To respond to support enquiries.
- To improve product quality through aggregated, non-identifying metrics.
- To meet legal and accounting obligations.

We do not sell your data. We do not use it for targeted advertising. **We do not use your audio or transcripts to train any machine-learning model**, ours or anyone else's. Our STT sub-processors are engaged on terms that prevent them from training on your content either.

## 4. Lawful basis (UK GDPR Article 6)
- **Contract performance** (Art. 6(1)(b)) for processing audio, returning transcripts, managing subscriptions.
- **Legitimate interests** (Art. 6(1)(f)) for security logging, fraud prevention, high-level product analytics.
- **Legal obligation** (Art. 6(1)(c)) for tax, accounting, lawful requests.
- **Consent** (Art. 6(1)(a)) where you opt in to retain raw audio.

## 5. Audio and transcripts
Audio captured by ParrotPad is sent over TLS to our backend and forwarded to our STT provider. **By default we do not retain audio** after transcription completes. If you explicitly opt in to audio retention in Settings, audio is stored in encrypted object storage with a default 30-day TTL, after which it is deleted. Transcripts are stored against your account until you delete them or close your account.

## 6. Sub-processors
- **Deepgram, Inc.** (US) - speech-to-text. Contract prohibits training on our audio.
- **ElevenLabs, Inc.** (US) - speech-to-text. Contract prohibits training on our audio.
- **Amazon Web Services, Inc.** (UK region by default) - app hosting, database, object storage.
- **Stripe Payments UK Ltd** (UK) - payment processing (when billing is enabled).
- **Postmark** (US) and **Resend** (US) - transactional email.

We notify registered account holders by email at least 30 days before adding a new sub-processor that processes personal data, so you have the opportunity to object.

## 7. International transfers
US sub-processors are covered by the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses, or adequacy where applicable, with supplementary technical measures (encryption in transit and at rest).

## 8. Retention
- Account and profile data: life of account, deleted within 30 days of closure unless retention is required by law.
- Transcripts: until you delete them or close your account.
- Raw audio: not retained by default; if opted in, 30-day default TTL.
- Usage logs: 12 months, then aggregated or deleted.
- Billing records: 7 years (UK tax law).

## 9. Your rights
Under UK GDPR you have rights to access, rectification, erasure, data portability, objection (legitimate-interest processing), restriction, and consent withdrawal. To exercise any of these, email privacy@parrotpad.ai - we respond within one month. You may also complain to the ICO at ico.org.uk.

## 10. Security
We use TLS 1.2+ in transit and AES-256 at rest. Passwords are hashed with bcrypt. Access to production systems is restricted and logged. We notify you and the ICO of a personal-data breach within 72 hours of awareness where required by Articles 33 and 34.

## 11. Children
The minimum age is 13, or 16 in the EEA. We do not knowingly collect data from children under those ages.

## 12. Changes
Material changes are notified by email at least 14 days before they take effect.

## 13. Contact
For any privacy enquiry, email privacy@parrotpad.ai.
