Privacy Policy
Version 1.1 · Effective 14 April 2026 · Last updated 14 April 2026
This privacy policy explains how Speakto ("we", "us", "our") collects, uses, stores, and discloses personal information across our suite of products: SpeaktoClients, SpeaktoClients, and SpeaktoFinance (collectively, "the Services"). This policy applies to all platforms on which the Services are available, including iOS, Android, macOS, and web.
We are committed to complying with the Australian Privacy Act 1988 (including the Australian Privacy Principles), the New Zealand Privacy Act 2020 (including the Information Privacy Principles), and the EU General Data Protection Regulation where applicable.
1. Shared Backend Infrastructure
Speakto operates three integrated products which share a common backend infrastructure. Data you provide to one product may be accessed by our shared backend systems to provide the integrated experience. For example, a contact name detected in SpeaktoClients may be available to SpeaktoClients for CRM linking. You can control cross-product data sharing in your account settings.
2. Information We Collect
2.1 Account Information (All Products)
When you create an account, we collect your name, email address, and authentication credentials. If you subscribe to a paid plan, payment details are processed by Stripe and are not stored on our servers.
2.2 SpeaktoClients
- Voice recordings — audio captured during transcription sessions
- Transcriptions — text generated from your voice recordings
- AI-generated summaries and enhanced notes — produced by automated processing of your transcriptions
- Contact names detected — names identified within your transcriptions
- Device contacts — accessed only with your explicit opt-in consent, used to improve contact linking accuracy
- Google account data (optional) — when you connect a Google account, we access the minimum profile, calendar, email-send, and Drive.file scopes required to deliver the integrations you enable. We never read your Gmail inbox or access Drive files outside those we create. See Section 5.1 for details.
2.3 SpeaktoClients
- Client names and contact details — names, email addresses, phone numbers, and addresses you enter
- Notes and CRM data — client notes, tags, categories, and relationship metadata
- Communication history — records of client interactions you log
2.4 SpeaktoFinance
- Financial records — expense and income entries you create
- Tax-related information — categorisations and summaries relevant to tax reporting
- Receipts — images or documents you upload
2.5 Automatically Collected Information
We collect device type, operating system version, app version, crash logs, and anonymised usage analytics to improve the Services. We do not collect location data.
3. Purpose of Collection
We collect and use your personal information to:
- Provide, maintain, and improve the Services
- Process voice recordings into transcriptions and enhanced notes
- Generate AI-powered insights, summaries, and financial reports
- Enable cross-product features (e.g., linking detected contacts to your CRM)
- Process payments and manage subscriptions
- Send service-related communications (e.g., account verification, security alerts)
- Comply with legal obligations
Supply of personal information is voluntary. However, if you choose not to provide certain information, some features of the Services may be unavailable to you.
4. Automated Decision-Making and AI Processing
The Services use automated processing in the following ways:
- Voice transcription — your audio recordings are processed by AI models to generate text transcriptions
- Note enhancement — transcriptions are automatically processed to remove filler words, fix grammar, and add paragraph structure
- Voice-to-action detection — transcriptions are scanned to detect action items, times, and contact names. When detected, we may offer to create a calendar event, email, or CRM contact. You always approve each action before it executes.
- Financial insight generation — SpeaktoFinance uses automated analysis to categorise transactions and generate summaries
These automated processes do not make decisions that produce legal effects or similarly significant effects on you. All AI-generated outputs are presented for your review and editing. You may contact us to request human review of any automated output.
5. Disclosure of Information
We share personal information only with the following categories of recipients:
| Recipient | Purpose | Data shared |
|---|---|---|
| OpenAI | AI transcription and text processing | Voice recordings, transcription text |
| Railway Technologies Inc. (running on Amazon Web Services, us-east-1) | Cloud hosting and infrastructure | All data (encrypted at rest and in transit) |
| Stripe | Payment processing | Payment method details, subscription status |
| Google LLC | Calendar event creation, email sending, and Drive export — only when you connect a Google account | OAuth tokens, calendar events you approve, email drafts you approve, Drive files you export |
We do not sell, rent, or trade your personal information to third parties for marketing or any other purpose.
We may disclose personal information if required by law, regulation, legal process, or government request.
5.1 Google API Services (Limited Use)
Speakto's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
When you connect a Google account to Speakto, we request the following Google OAuth scopes:
| Scope | Feature in Speakto | Why it's needed |
|---|---|---|
| openid, email, profile | Sign in with Google | Identify your account and display your name and email |
| https://www.googleapis.com/auth/calendar.events | Calendar integration | Create calendar events from action items detected in your voice notes. We only create events you explicitly approve. |
| https://www.googleapis.com/auth/gmail.send | Email drafting | Send email drafts you have reviewed and approved inside Speakto. We never read your inbox. |
| https://www.googleapis.com/auth/drive.file | Document export | Save notes you choose to export into Google Drive files that our app creates. We cannot access any other files in your Drive. |
How we handle Google user data:
- We only use Google user data to provide the features listed above and to improve those specific features.
- We do not use Google user data for advertising, marketing, resale, or training generalised AI/ML models.
- We do not transfer Google user data to any third party except as necessary to provide and improve the features (for example, transient processing by our cloud infrastructure provider Railway Technologies Inc., which runs on Amazon Web Services), for security purposes, or to comply with applicable law.
- We do not allow humans to read Google user data unless (a) we have your explicit consent, (b) it is necessary for security purposes such as investigating abuse, (c) it is required by law, or (d) the data has been aggregated and anonymised such that it cannot be linked back to any individual Google user.
- Revoking access: You can disconnect your Google account at any time inside Speakto (Settings → Integrations → Google → Disconnect) or by visiting myaccount.google.com/permissions and removing Speakto's access. Revocation immediately invalidates our tokens and blocks further access.
Google user data is stored encrypted at rest and in transit, retained only while required to provide the features you have enabled, and deleted within 30 days of account deletion or disconnection (whichever is earlier).
6. Overseas Data Transfer
Your data is processed and stored on servers located in the United States (AWS us-east-1 region), operated by Railway Technologies Inc. AI processing is performed by OpenAI, also based in the United States. When you connect a Google account, Google processes data in accordance with its own privacy policy and data residency practices.
We take contractual steps to ensure overseas recipients handle your data consistently with Australian Privacy Principles (APP 8) and New Zealand Information Privacy Principles. These steps include data processing agreements that require recipients to protect your data to a standard comparable to Australian and New Zealand privacy law.
7. Data Security
We implement the following security measures to protect your personal information:
- Encryption in transit — all data transmitted between your device and our servers is encrypted using TLS 1.3
- Encryption at rest — data stored on our servers is encrypted at rest
- Credential storage — on-device secrets (including Google OAuth tokens) are stored using platform-native secure storage (Keychain on Apple platforms, EncryptedSharedPreferences on Android)
- Password hashing — account passwords are hashed using bcrypt and are never stored in plaintext
- Access controls — internal access to personal data is restricted to authorised personnel on a need-to-know basis
- No logging of sensitive data — authentication tokens, payment details, and personally identifiable information are excluded from application logs
8. Data Retention
- Active accounts — your data is retained for as long as your account is active and you use the Services
- Voice recordings — audio files used for transcription are retained for 90 days after processing to allow re-processing requests, then automatically deleted
- Google user data — retained only while your Google account is connected. Upon disconnection or account deletion, tokens are revoked immediately and associated cached data is deleted within 30 days.
- Account deletion — when you delete your account, all associated personal data is permanently deleted from our servers within 30 days. Backups containing your data are purged within 90 days
- Legal obligations — we may retain certain records for longer periods where required by law (e.g., financial records for tax compliance)
9. Your Rights
You have the right to:
- Access your personal information held by us
- Correct inaccurate or incomplete personal information
- Delete your personal information (subject to legal retention requirements)
- Export your data in a portable format
- Withdraw consent for optional data collection (e.g., device contacts access, Google account connection) at any time
- Lodge a complaint with the Office of the Australian Information Commissioner (OAIC) or the New Zealand Office of the Privacy Commissioner if you believe your privacy has been breached
For EU residents, you additionally have the right to restrict processing, object to processing, and not be subject to solely automated decision-making with legal effects.
To exercise any of these rights, contact us at contact@speaktoclients.com.
10. Cookies and Tracking
The Speakto web application uses essential cookies required for authentication and session management. We do not use third-party advertising or tracking cookies. Anonymised usage analytics may be collected to improve the Services.
11. Children's Privacy
The Services are not directed at children under 16. We do not knowingly collect personal information from children under 16. If you believe a child has provided us with personal information, please contact us and we will delete it.
12. Changes to This Policy
We may update this policy from time to time. We will notify you of material changes by email or through an in-app notification at least 14 days before the changes take effect. Continued use of the Services after the effective date constitutes acceptance of the updated policy.
13. Contact Us
If you have questions about this policy or wish to make a privacy request:
Email: contact@speaktoclients.com
Speakto
Nelson, New Zealand
For unresolved concerns, you may contact:
- Australia: Office of the Australian Information Commissioner — oaic.gov.au
- New Zealand: Office of the Privacy Commissioner — privacy.org.nz
This policy is governed by the laws of New Zealand and Australia. Version 1.1.