Privacy Policy
Last updated: December 15, 2025
1. Introduction
This Privacy Policy describes how we collect, use, disclose, and protect your personal data when you use our application (the “App”) and related services (collectively, the “Service”). We process personal data in accordance with the EU General Data Protection Regulation (GDPR) and other applicable laws. By using the Service, you acknowledge that you have read this Policy.
Controller:
Kirill Zolygin (sole proprietor)
Grunewaldstraße 91, 10823 Berlin, Germany
Email: info@dictata.com
If you have any questions about privacy or wish to exercise your rights, contact us via the above email or postal address.
2. Personal Data We Collect
We collect the following categories of data:
- Account & Authentication Data: Email address, account status (trial/paid, service mode), and magic-link login tokens. We do not store passwords.
- Identity Checks for Abuse Prevention: When you finish a free trial we may store a one-way cryptographic hash of your email address solely to prevent multiple free trials (see Sections 4 and 7).
- User Inputs & Content: Text prompts, audio recordings, transcripts, and outputs necessary to provide AI features. We only retain these transiently while fulfilling your request; long-term history (if enabled) is stored locally on your device.
- Usage & Technical Data: Device type, operating system, IP address, timestamps, request counts, word counts, error logs, and other telemetry that helps us secure and operate the Service.
- Payment & Billing Data: Subscription tier, billing country, invoices, LemonSqueezy order IDs, and payment status. LemonSqueezy, our merchant of record, collects and processes your payment method; we never see full card details.
- Support Communications: Messages you send to our support channels and metadata necessary to resolve your request.
- Cookies & Analytics Data: Online identifiers collected via cookies or similar technologies when you visit our website (see Section 5).
We do not intentionally collect special-category data (e.g., health information). Please avoid submitting such data through the Service.
3. How We Use Your Data & Legal Bases
| Purpose | Data | Legal Basis (GDPR) |
|---|---|---|
| Provide and maintain the Service (account creation, magic-link login, routing prompts to AI providers, saving preferences) | Account data, authentication tokens, user inputs, device info | Art. 6(1)(b) – performance of a contract |
| Process subscriptions and issue invoices | Account data, billing data, LemonSqueezy metadata | Art. 6(1)(b) and Art. 6(1)(f) – performance of a contract and our legitimate interest in receiving payment |
| Communicate with you (login links, service notices, support responses) | Email, usage context | Art. 6(1)(b) (service communications) / Art. 6(1)(f) (support) |
| Enforce Terms, prevent fraud/abuse (including hashed email list for free-trial enforcement) | Usage metrics, hashed identifiers, logs | Art. 6(1)(f) – legitimate interest in protecting our Service |
| Improve and develop features (aggregated statistics, crash diagnostics) | Anonymized or aggregated usage data | Art. 6(1)(f) – legitimate interest in improving the Service |
| Analytics/marketing via cookies | Cookie identifiers, device info | Art. 6(1)(a) – consent |
| Compliance with legal obligations (tax, accounting, regulatory inquiries) | Billing data, invoices, correspondence | Art. 6(1)(c) – legal obligation |
We will request additional consent before using your data for any purpose incompatible with this table.
4. Cookies, Analytics, and Tracking
We use cookies and similar technologies on our website. Essential cookies are necessary for basic functionality (e.g., remembering your login) and rely on our legitimate interest. Non-essential cookies (analytics/marketing) are used only with your consent through our cookie banner.
- Google Analytics 4 (GA4): Measures website traffic. IP addresses are truncated in the EU. Data may be stored on Google servers in the EU or US.
- Meta Pixel: Tracks conversions from Facebook/Instagram campaigns; controlled per your Meta privacy settings.
- Microsoft Clarity: Provides anonymized session insights (clicks, scrolls) to improve usability.
- Other Testing Tools: From time to time we may test additional analytics tools; we will update this Policy before enabling any new trackers.
You can withdraw cookie consent via our banner, adjust browser settings, or install opt-out extensions (e.g., GA opt-out add-on). Refusing cookies may limit some website features.
5. Third Parties & Processors
We do not sell your personal data. We share it only with trusted processors or independent controllers as described below:
- AI Infrastructure:
  - OpenAI (OpenAI, L.L.C.) – Handles prompts for the Cloud (Global) mode and user-supplied BYOK keys. OpenAI may retain API request logs for up to 30 days for abuse monitoring but does not use them to train its models without opt-in.
  - Microsoft Azure OpenAI Service (Microsoft Ireland Operations Ltd.) – Handles prompts for Cloud (EU) mode using GPT-4.1-mini and GPT-4o-mini-transcribe deployed in EU regions. Prompts and completions stay within the chosen EU geography; only flagged content may be stored in Azure’s region-specific abuse-monitoring data store. Human review, if required, is performed by staff located in the EEA. We will enter Microsoft’s standard DPA as soon as our sole proprietorship registration is finalized and will make it available upon request.
- Supabase Inc. – Hosts our application backend (currently Frankfurt, EU). Stores login emails, subscription metadata, and configuration data.
- LemonSqueezy, Inc. – Merchant of record/payment processor. Stores billing details, processes VAT, and issues invoices. We receive only order IDs, amounts, and tax country information.
- Email & Communication Tools: Services we use to send transactional emails or respond to support tickets (e.g., a transactional email provider). These providers act under our instructions.
- Analytics & Marketing Partners: Google, Meta, Microsoft Clarity (as detailed above) operate as independent controllers for cookie data once you consent.
- Professional Advisors & Authorities: Tax advisors, accountants, or legal counsel when necessary, and governmental or law-enforcement bodies when legally required.
Each processor is contractually bound to process data only according to our instructions and to implement appropriate security measures.
6. Data Retention
- Account data: Stored while your account is active. Deleted within 30 days after you close your account unless retention is required by law. The hashed email list for free-trial enforcement is deleted once we no longer need it for fraud prevention.
- User inputs/content: Only stored transiently to fulfill the request (usually minutes). Long-term history remains on your own device unless you export it.
- Usage logs: Security logs (including IP addresses) are typically retained for up to 30 days unless needed for investigations.
- Billing records: Retained for 10 years to comply with German/EU tax law.
- Analytics data: Retained by the respective providers according to their default schedules (e.g., GA4 user-level data ~14 months); we keep only aggregated reports.
- Support correspondence: Retained for the life of the support ticket and up to 24 months afterward for audit purposes.
When the retention period ends, data is deleted or irreversibly anonymized.
7. International Data Transfers
Although we host most core systems in the EU, some partners process data outside the European Economic Area:
- OpenAI (USA) – for Cloud (Global) and BYOK usage.
- LemonSqueezy (USA) & Meta/Google – store analytics/payment information in the US or other third countries.
- Email providers or support tools – may operate globally, depending on the vendor.
Wherever data is transferred outside the EEA, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses (SCCs) combined with supplementary technical measures (encryption, access controls). For transfers based on your explicit choice (e.g., selecting Cloud (Global)), we rely on your explicit consent under Art. 49(1)(a) GDPR.
8. Data Security
We apply administrative, technical, and organizational measures to protect your data, including TLS encryption, access controls, monitoring, and regular security reviews. Despite our efforts, no method of transmission or storage is 100% secure, so we cannot guarantee absolute security.
9. Your Rights
Under GDPR you have the right to:
- Access your personal data (Art. 15).
- Rectify inaccurate data (Art. 16).
- Erase your data (“right to be forgotten”) (Art. 17).
- Restrict processing (Art. 18).
- Data portability for information you provided (Art. 20).
- Object to processing based on legitimate interests (Art. 21).
- Withdraw consent at any time where processing is based on consent (e.g., cookies).
- Lodge a complaint with your local supervisory authority. Our lead authority is the Berlin Commissioner for Data Protection and Freedom of Information (Berliner Beauftragte für Datenschutz und Informationsfreiheit, Alt-Moabit 59-61, 10555 Berlin, Germany).
To exercise any rights, email info@dictata.com. We may ask for verification before fulfilling your request.
10. Children’s Privacy
The Service is intended for users aged 18 and older. We do not knowingly collect personal data from children. If you believe a child has provided data to us, please contact us so we can delete it.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via the App or email. The “Last updated” date reflects the latest revision. Continued use of the Service after changes take effect means you accept the new Policy.
12. Contact
If you have questions, requests, or concerns about privacy, contact:
Kirill Zolygin
Email: info@dictata.com
Address: c/o Opus Grunewaldstraße 91, 10823 Berlin, Germany