Privacy Policy
Dictaro is built so your voice never leaves the EU and is never stored on disk. This page explains exactly what data we collect, why, and how long we keep it.
1. Who we are
The data controller for Dictaro is MEDIA.COM Slovakia s.r.o., a company registered in the Slovak Republic. Operations are run from Bratislava.
| Controller | MEDIA.COM Slovakia s.r.o. |
|---|---|
| Registration (IČO) | 35 880 791 |
| Country | Slovak Republic (EU member state) |
| Privacy contact | privacy@dictaro.eu |
| General support | support@dictaro.eu |
2. What data we collect
2.1 Account data
- Email address — used as your login and to send transactional notifications.
- Display name — optional, only what you provide.
- Password — stored as a salted hash, never in plain text. If you sign in with Google or Discord we receive only your email and provider-issued ID, not the password.
- Preferred language — used to localise emails and the dashboard.
2.2 Trial signup data
Before account creation you can request a free trial. We collect your name and email so we can send you the invitation link. If you do not complete signup we keep the request for up to 12 months in case you return, then delete it.
2.3 Service usage data
- Transcription counts — number of API calls per API key per month (used to enforce free-tier quotas and bill paid plans once they launch).
- Timestamps — when each call was made.
- Client name — a label you assign to each API key so you can tell devices apart in the portal.
- IP address — recorded only in short-lived security logs to detect abuse.
2.4 Audio you dictate
Your audio is never written to disk. When you press the hotkey, the desktop app streams the recording over HTTPS to our Whisper server in Slovakia, the server transcribes it in memory, returns the text, and discards the audio. We keep no copies, no waveforms, no spectrograms — nothing.
3. Where your data lives
Everything stays in the European Union.
| Speech-to-text | Slovakia — Whisper large-v3 on a self-hosted GPU server |
|---|---|
| Account & auth | Supabase (Frankfurt, Germany — EU region) |
| Edge / DDoS | Cloudflare (EU edge nodes; tunnel from origin, no public origin IP) |
| Email delivery | Mailcow self-hosted in EU |
4. Legal basis for processing (GDPR Art. 6)
- Contract performance — providing the service you signed up for: account, transcription API, dashboard, billing.
- Legitimate interest — security and abuse prevention (IP logs, rate limiting, hashed audit trail).
- Consent — only for optional product update emails. You can opt out at any time.
- Legal obligation — keeping invoices for the period required by Slovak tax law (10 years) once paid plans launch in Q2 2026.
5. How long we keep things
| Audio recordings | Never written to disk — discarded the moment transcription completes |
|---|---|
| Transcripts | We do not retain copies; only the requesting client receives the text |
| Account data | While your account is active, plus 30 days after you request deletion |
| Usage counters | 12 months for billing reconciliation, then aggregated and personal IDs removed |
| Trial signups | 12 months from request, then deleted |
| Email logs | 30 days, then deleted |
| Invoices (post-monetisation) | 10 years per Slovak tax law |
6. Your rights under GDPR
You have the right to:
- Access — get a copy of all data we hold about you (Art. 15).
- Rectification — correct anything inaccurate (Art. 16).
- Erasure — delete your account and associated data, subject to the retention rules above (Art. 17).
- Portability — receive your data in a machine-readable format (Art. 20).
- Restriction — pause processing while a dispute is resolved (Art. 18).
- Objection — object to processing based on legitimate interest (Art. 21).
- Withdraw consent — for any processing that depends on consent (Art. 7).
- Lodge a complaint — with the Slovak Office for Personal Data Protection (dataprotection.gov.sk) or your local supervisory authority.
Send any request to privacy@dictaro.eu. We respond within 30 days.
7. Sub-processors
We use a small number of EU-based providers. They process data only on our instructions and under written agreements that match GDPR requirements.
| Cloudflare | CDN, DDoS protection, edge tunnel |
|---|---|
| Supabase (Frankfurt) | Authentication, account database |
| Mailcow (self-hosted EU) | Transactional email delivery |
If we add or change sub-processors we will update this page.
8. Cookies
The marketing site uses no tracking cookies. Once signed in, the dashboard sets a single session cookie that is essential for keeping you logged in. There is no third-party advertising or cross-site tracking. When we add web analytics it will be a privacy-friendly, cookieless tool (Plausible) — we will update this page when that goes live.
9. Children
Dictaro is not directed at children under 16. We do not knowingly collect data from anyone under 16. If you believe a child has signed up, please contact us and we will delete the account.
10. International transfers
All processing currently happens inside the EU. If we ever need to transfer personal data outside the EU we will use the European Commission's Standard Contractual Clauses and notify you in advance.
11. Changes to this policy
We may update this policy as the service grows. Material changes will be announced by email to active users at least 14 days before they take effect. The "Effective" date at the top of this page always reflects the current version.
12. Contact
Questions, requests, or complaints about privacy go to privacy@dictaro.eu.