Privacy Statement for ListenUp Dictation
Last updated July 11, 2025
This Privacy Statement explains how ListenUp Dictation (our macOS application, companion websites, and future mobile/desktop versions) collects, uses, and shares your personal information. It also describes your privacy rights and how you can exercise them. We aim to use clear language and include icons and hyperlinks for easy navigation. The only binding version of this Privacy Statement is this English version.
Short Privacy Notice
- Local‑only speech recognition. Your raw audio never leaves your Mac.
- Ephemeral text post‑processing. A transient, encrypted copy of the transcript (plus cursor context and active‑app name) is sent to our LLM API and deleted as soon as the polished result returns.
- Minimal data collection. We store only account data, usage metrics, billing records and any diagnostics you choose to send.
- No sale or sharing for ads. We never sell personal data or share it for cross‑context behavioural advertising.
- Global privacy rights respected. Delete, access or correct your data in‑app or by e‑mail; we also honour Global Privacy Control signals.
See the full Privacy Statement below for details.
(The summary above is provided for convenience and does not contain all details. Please read the full Privacy Notice below for complete information.)
📖 Introduction
Welcome to the Privacy Statement for ListenUp Dictation. Here we explain in detail what personal data we collect, how we use it, with whom we share it, and the rights and choices you have. This policy applies when you use the ListenUp Dictation macOS application, our websites (including any companion or promotional sites), and any related services or future versions on other platforms (collectively, the “Service”).
We are committed to protecting your privacy and complying with all applicable privacy laws, including the EU/EEA and UK General Data Protection Regulation (GDPR), the Dutch Telecommunicatiewet and ePrivacy Directive (for cookies and electronic communications), Brazil’s Lei Geral de Proteção de Dados (LGPD), and the various U.S. state privacy laws such as the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), and similar laws in Virginia, Colorado, Connecticut, Utah, Texas, Montana, Oregon, Delaware, Iowa, North Dakota, New Jersey, Tennessee, Indiana, Kentucky, Florida, Louisiana, and others. We have designed this Privacy Statement to meet the requirements of these laws and to be transparent about our privacy practices.
Controller & Contact
ThoFlow AI
Stalmeesterstuin 3
2761 HS Zevenhuizen
Nederland
General privacy mailbox: [email protected]
We cooperate with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) and have not appointed a Data Protection Officer.
Important: By using our Service, you acknowledge that you have read and understood this Privacy Statement. If you do not agree with our practices, please do not use the app or related services. We may provide additional notices about privacy to you in certain situations (for example, “just-in-time” notices inside the app for specific features), which should be read together with this Privacy Statement.
📋 Personal Data We Collect
We limit our collection of personal data to what is relevant and necessary for the purposes described in this policy, adhering to the principle of data minimization as required by GDPR and other privacy laws. We regularly review our data collection practices to ensure we collect only the minimum personal data necessary for each specific purpose. In this section, we explain the categories of personal data we collect and the sources of that data.
1. Information You Provide Directly:
- Account and Contact Data: If you create an account on our website or app, purchase a subscription, or sign up for our newsletter, we may collect personal identifiers such as your name, email address, and other contact details you provide. For example, we collect your email when you subscribe to updates or when you contact support. We use this information to manage your account and communicate with you.
- Payment Information: If you purchase a subscription from us (outside of the Apple App Store), you will provide payment details. Our current subscription tiers are: Monthly Plan (12.50/month), Annual Plan (125/year), and Lifetime Plan (250 one-time payment, limited-time offer). Note: We do not store full credit card numbers or payment account details on our servers. Payments are handled by secure third-party payment processors (Stripe), who process your payment information. We only receive limited information from them (such as a confirmation of payment, partial card information like last four digits, and your name or email) to record your purchase.
- Support Inquiries and Feedback: If you contact us for support (through email [email protected] or via a contact form) or provide feedback, we will collect whatever information you choose to include in your message. This could include your email address, the content of your message, and any attachments or screenshots you send. We use this to respond to you and resolve any issues.
- Newsletter or Marketing Sign-Up: If you opt to receive our newsletter or marketing emails, we collect your email address (and perhaps your name) to send you updates. We will only send you such communications with your consent (for example, if you subscribed via our website or explicitly agreed). You can unsubscribe at any time by clicking the unsubscribe link in those emails or contacting us.
2. Information We Collect Automatically:
- Device and App Usage Data: When you use the ListenUp Dictation app or visit our website, we may automatically collect certain information about your device and how you use the Service. This includes technical details like your device model, operating system version, app version, and device identifiers (anonymized installation ID). For example, the app might record what version of macOS you have or what language settings you use, to ensure compatibility and correct functionality. We also may collect information about your interactions with the app (such as the features you use and the timestamps of use) in order to understand usage patterns and improve the product. We do not permanently collect or store the content of your dictation or any files you dictate into. A transient copy of the transcript and limited context is transmitted to our servers for real‑time refinement and is automatically deleted once processing is complete.
- Website Analytics Data: On our websites, we use analytics tools to collect data about your browsing actions. This can include your IP address, browser type, pages viewed, and the date/time of visits. For instance, we might know that a visitor from a certain region accessed our FAQ page. This information helps us analyze web traffic and improve our site’s design and content. Where required by law, we will ask for your consent before using non-essential cookies or analytics tools. You can refuse or disable these, as described in the Cookies section.
- Cookies and Similar Technologies: We use “cookies” (small text files stored on your browser) and similar tracking technologies (like web beacons or local storage) on our websites to provide and optimize the site. Some cookies are necessary for the site to work (for example, to remember your login or preferences), and we set these without asking for consent. Other cookies, like analytics cookies, are optional and will only be used with your permission where applicable. Cookies are discussed in more detail in the Cookies and Tracking section of this policy, including how you can manage them.
- Crash and Diagnostics Data: To help us maintain a high-quality, error-free product, ListenUp Dictation may collect crash reports or diagnostic information when the app encounters an issue. For example, if the app crashes or a feature malfunctions, a crash report (which contains technical details about the state of the app at the time, device type, OS version, and possibly snippets of memory or code relevant to the crash) can be generated. We do not collect these reports without your permission. On macOS, you may be prompted to send an anonymized crash report to us. If you agree, we receive this data to investigate and fix the problem. Crash reports do not intentionally include your personal content, but they might inadvertently contain a fragment of data from app memory at the time of the crash. We treat crash data as personal data just in case, and we protect it accordingly. You can always choose not to send a crash report.
- Subscription and Activation Data: If you use a paid edition of ListenUp Dictation, the app will need to verify your subscription status. During activation or periodic subscription checks, the app may send us data such as a hashed device identifier (to enforce device limits on the subscription), and the app version. We collect this information to confirm that your copy is valid and to keep track of subscription status (for example, ensuring your subscription is active and not used on more devices than allowed). This data is used solely for subscription management and fraud prevention. It may include your IP address and device identifier at the time of activation. We do not use this information for any purpose other than verifying your entitlement to use the app and preventing unauthorized use.
3. Information from Third Parties: We generally do not obtain personal data about you from third-party sources, except in a few situations:
- App Store/Platform Data: If you downloaded the ListenUp Dictation app from the Apple App Store or Google Play Store, we may receive certain information from that platform. For example, Apple may provide us general aggregated data about app installs or sales. If you make an in-app purchase via Apple, we receive confirmation of purchase and an anonymous order ID, but we do not receive your full financial information from Apple. Apple may also inform us of your region or language settings (non-personal, used to localize the app). All such platform-provided data is governed by that platform’s privacy policies as well.
- Referral or Marketing Partners: We currently do not use third-party marketing lead providers. In the future, if we run a promotion with a partner or get referred subscribers, we would ensure any such data sharing is transparent and lawful. If, for instance, you sign up through a referral link or affiliate, we might get information like a referral code. But at this time, any third-party source of user data is very limited or none. We will update this policy if that changes.
- Public Sources: We do not collect information about individuals from public databases or social media for marketing. If you engage with our social media pages (like commenting on our posts), we might see your public profile name, but we don’t systematically collect or store that in our systems.
4. Special Categories of Data: We do not intentionally collect any “special” or sensitive personal data about you, unless you choose to provide it. This includes data like race, ethnicity, political opinions, religious or philosophical beliefs, health information, genetic or biometric data, etc. ListenUp Dictation does not need such information for its operation. Biometric data notice: The app processes audio to text, but we do not use those audio inputs to identify you or for any biometric analysis; it’s purely for transcription on the fly, and we do not retain the audio. We also do not collect precise geolocation data (we might infer city or country from your IP for service localization or legal compliance, but we don’t actively track your GPS location).
Audio and Dictation Content: To reiterate, any voice data or content you dictate using ListenUp remains on your device and is processed in-device by our speech-to-text engine. We never upload your audio. After your device finishes the local transcription, the resulting text—together with limited context (text before/after the cursor, any selected text, and the active app name)—is securely transmitted to our servers for split‑second post‑processing by our AI. All such data is automatically deleted immediately after the refined text is returned to your device. The only other time your dictated content would leave your device is if you choose to export or share it manually.
Categories of Personal Information (CPRA Notice at Collection): For California residents and similarly concerned users, here are the categories of personal information about you that ListenUp may collect, as defined by applicable law, and whether we sell or share them:
- Identifiers: Such as your name, email address, account login credentials, IP address, or device IDs. (Collected directly from you or your device. We do not sell or share this information except with service providers who assist us, as described in this policy.)
- Customer Records Information: Such as billing information and purchase history (for example, that you purchased a subscription on a certain date). Payment card details are processed by our payment partner, not stored by us, except possibly a token or last four digits. (Collected from you and payment processor. Not sold or shared beyond service providers.)
- Commercial Information: Records of the products or services you obtained or considered, like which subscription tier you have and how you use the app (usage frequency). (Collected from your activity. Not sold or shared beyond service providers.)
- Internet or Electronic Activity: As explained, data about your interactions with our app/website (device info, logs, cookies, analytics). (Collected from your devices. Not sold; limited sharing with analytics service providers or as required for security.)
- Geolocation Data: We do not collect precise location. We may infer general location (e.g., country or state) from your IP or billing address for tax and legal compliance (for example, to apply correct sales tax or legal rights). (Collected from your use or transaction. Not sold.)
- Sensory Information: Audio or visual information. Our app processes audio for dictation but does not store it. If you send us a screenshot or recording for support, we collect what you send. (Provided by you; not sold.)
- Professional or Employment Information: Not collected (unless you voluntarily tell us something in a support context, but we don't use or need it).
- Education Information: We collect this if you apply for a student discount. This may include your university email address or other documentation you provide to prove your student status. (Collected directly from you; not sold or shared beyond verifying eligibility.)
- Inferences: We do not profile you to derive characteristics. We do not create marketing profiles or personal segments beyond perhaps understanding general usage trends (e.g., “X% of our users use the app 5 hours a week” – which is aggregate). No inferences about individuals are drawn for behavioral advertising or any decisions.
We have collected and used the above categories of personal information for the business purposes described in the next section (such as providing the service, internal analytics, security, etc.) within the last 12 months. We have not sold or shared (for cross-context advertising) any personal information in the last 12 months, and we have no plans to do so.
⚙️ How We Use Your Data (Purposes of Processing)
We use personal data only for lawful and specified purposes. Below we describe these purposes in detail, along with examples. For users in jurisdictions that require it (e.g., EU and similar), we also outline the legal bases for each type of processing in the Legal Bases for Processing section. In general, we use your data in ways that you would expect as a user of the ListenUp Dictation app and our services. We do not use your personal data for any form of automated decision-making that produces legal or similarly significant effects on you, nor for profiling you in a way that is invasive or unexpected.
Provide and Maintain Our Service: We process your personal data to deliver the features and functions of ListenUp Dictation and related services to you. This includes using your data to:
- Operate the App’s Core Functions: This includes (1) converting your speech to text locally on your device and (2) momentarily sending that text plus limited context to our servers for AI post‑processing, then immediately deleting it once the polished result is returned — all to ensure the app functions as intended.
- Create and Manage Accounts: If you register an account or need login credentials, we use your provided information (like email and password) to set up and secure your account, authenticate you when you log in, and keep track of your preferences or settings in the app.
- Process Orders and Payments: When you purchase a subscription, we use the necessary personal data to process that transaction. For instance, we (through our payment partner) will use your payment info to complete the charge, and use your name/email to send you an order confirmation or invoice. We maintain records of your purchases to know what level of service you are entitled to (e.g., Monthly vs. Annual plan) and for accounting purposes. For users on a free trial, we also track the amount of dictation time used to manage trial limits. Free trial users are limited to 15 minutes of dictation usage before requiring a paid subscription.
- Provide Customer Support: If you reach out for help or feedback, we will use the information in your request (and your contact details) to assist you. For example, if you email saying you have trouble with dictation accuracy, we may use your email to communicate back and forth and any diagnostic info you provide to resolve the issue.
- Send Service Communications: We may send you administrative or service-related messages, such as an email to verify your account, notifications of important changes (like updates to our terms or privacy policy), or alerts about your subscription (e.g., reminder of an upcoming renewal). These communications are necessary for the provision of services and are not promotional in nature. You cannot opt out of receiving these service communications if you continue to use the service, because they are important for the operation of the service (but we will keep them relevant and minimal).
Improve and Develop Our Services: We continually work to improve ListenUp Dictation’s performance, accuracy, and user experience. To do this, we may process data about how you use the app and websites:
- Analytics and Performance: We analyze aggregate user behavior and feedback. For example, we might look at usage logs to see if a new feature is being used frequently or if the app’s dictation function tends to lag under certain conditions. This helps us identify what works and what might need improvement. Any analytics we perform on usage data is generally on an aggregate or pseudonymized basis (we do not use it to profile you individually). We might also measure the effectiveness of our user interface (like how quickly users complete a dictation session or access a certain command) to refine design.
- Research and Development: We may use certain information, like error logs or crash reports, to debug and improve the reliability of the app. For instance, crash data helps us find and fix software bugs. Similarly, if we collect anonymized information on how the AI model is handling different accents or languages (without any personal content), we could use that to improve dictation accuracy for those languages. In some cases, we may develop new features by studying how users interact with existing ones (e.g., noticing many users turn on a particular setting might inform us that setting should be default).
- AI Model Enhancement (Local): ListenUp Dictation is powered by AI/ML models (including large language or speech models) that run locally. We may update these models over time to improve functionality. Importantly, although a transient copy of your transcript is routed through our servers for real‑time post‑processing, we do not use that data to train our models or for any other secondary purpose without your explicit consent. If we ever were to use any user data for improving our AI (for example, collecting anonymous snippets to improve speech recognition), we would ask for opt-in consent. By default, improvements to our AI are done either locally on your device or using synthetic data and general datasets, not your private dictations. Any telemetry or usage info we collect for improvement is focused on performance metrics (like latency, error rates) rather than your content.
- Legitimate Interests & Balancing: When improving our product, we rely on our legitimate interest in understanding user needs and fixing issues. We always balance this against your privacy. For instance, if we use usage data, we try to aggregate or pseudonymize it. If you object to any analysis of your usage, you have the right to do so as explained in the Your Rights section, and we will honor such objections unless overriding interests apply.
Communicate with You (Customer Service and Updates): We use your contact information to interact with you:
- Support Responses: As noted, if you email us or submit a support form, we’ll respond using your email and information about your issue. We might ask you for additional details if needed to resolve your problem.
- Feedback Requests: After a support issue is resolved, we might send a one-time email asking if everything is good or requesting feedback on the support experience. This is purely to improve our customer service.
- Product Updates and Tips: If you are a customer or you signed up to receive our newsletter or tips, we will send you emails about new features, tips to get the most out of ListenUp, or other news about our product. We strive to make these communications helpful and not too frequent. Marketing emails are typically sent no more than once per week, with product updates sent as needed for major releases or security updates. You will not receive marketing emails unless you have given consent (for example, by subscribing on our website or opting in during account creation). And you can opt out anytime (unsubscribe link is at the bottom of each email, or you can contact support to be removed).
- Legal or Policy Notices: We might send notices as required by law, such as notifications of a data breach (hopefully never needed, but if legally required we will inform you), or updates to terms that have significant impact on how you use the service. These are important notices and not marketing.
Security and Fraud Prevention: We process certain data to protect the rights, property, or safety of our users, ourselves, and others.
- Authentication and Account Security: Data like your login credentials and device info may be used to detect unusual login attempts or to implement features like two-factor authentication (if we offer it). This helps secure your account.
- Monitoring for Fraud/Misuse: We keep an eye out for potential abuse of our app or website. For example, we may log IP addresses to prevent a malicious actor from repeatedly trying to access our services or to mitigate DDoS attacks on our website. If we suspect that an account is being used in violation of our terms (e.g., someone trying to reverse-engineer our model), we may analyze relevant data (like activation logs) to investigate.
- Preventing Illegal Activity: Should we detect activity that could be illegal – for instance, attempts to hack our systems – we may process and share data (with authorities or security experts) to stop that. We also may use your data to enforce our Terms of Service or to defend against legal claims.
Legal Compliance: We will use or disclose your information where necessary to comply with legal obligations.
- Regulatory Compliance: For example, keeping proper transaction records for tax and accounting purposes. If you purchase something, we retain data like purchase amount, currency, billing country, and possibly your address if provided, to fulfill financial regulations and audit requirements.
- Law Enforcement Requests: If we receive a lawful subpoena or court order, we may need to provide data to authorities. Before doing so, we will verify the request’s legitimacy and scope. When possible and lawful, we would notify you of such requests.
- Dispute Resolution and Enforcement of Rights: If we are involved in litigation or a legal dispute with you or a third party, we might need to use your data as evidence (for example, logs showing your use of the software if relevant to a claim). We will also use data as necessary to enforce our agreements (e.g., to collect due fees or to address breaches of terms).
With Your Consent (Optional Uses): In cases where we want to use your data for a purpose that is not already justified under other bases, we will ask for your consent. For instance:
- If we ever wish to share a user testimonial or case study that includes personal info (like your name, quote, or photo), we will only do so if we have your explicit consent.
- If we plan any new data collection that is not covered by this policy, we will describe it and obtain your consent where required by law or where we think it’s the right thing to do.
We will not use your personal data for purposes that are incompatible with the ones listed above without updating you and, if necessary, obtaining your consent.
⚖️ Legal Bases for Processing
For individuals in the European Economic Area (EEA), United Kingdom, Brazil, and other jurisdictions that require a “legal basis” for processing personal data, we want to explain on what grounds we process your information. We generally rely on the following legal bases:
- Performance of a Contract: When we process data that is necessary to provide you with the service you requested, we do so on the basis that it is necessary for the performance of our contract with you (the terms of service you accept by using ListenUp). For example, when we use your email and password to log you in, or process your payment and subscription details, that’s under contract necessity. If you are using the app under a free trial or similar, we treat the processing as necessary to take steps at your request prior to entering into a contract (since you intend to use the service which will involve a contract).
- Legitimate Interests: We process certain data for our legitimate business interests. This includes our interest in improving and securing our services, communicating with you, and running a successful, safe business. For instance, collecting crash reports to improve the app, or using analytics to understand usage patterns, are things we do for legitimate interests. When we rely on this basis, we ensure that our interests are not overridden by your rights and interests. We perform a legitimate interest assessment for such processing. Example: We have a legitimate interest in marketing our products to existing customers, so we might send you an occasional product update email. We balance this by giving you a clear opt-out and only sending what’s relevant, thus respecting your rights. If you have questions about how we weighed our interests against your privacy, we’d be happy to explain more – just contact us. And remember, you have the right to object to processing based on legitimate interest (see Your Rights below), and we will respect such objections unless we have compelling grounds or a legal requirement to continue.
- Consent: In some cases, we rely on your consent. For example, for sending promotional newsletters to a new user who isn’t an existing customer, we would use consent (you’d have to opt-in). Similarly, for non-essential cookies on our site in jurisdictions that require consent, we rely on consent. If we ever request access to something like your microphone or files through the OS permissions, that’s also done based on your consent (and you can revoke it via your device settings). Where we rely on consent, you have the right to withdraw that consent at any time. Withdrawing consent will not affect the lawfulness of processing that happened already, but it will stop that processing going forward. For example, if you unsubscribe from marketing emails (withdraw consent), we will stop sending them.
- Legal Obligation: When processing is necessary for us to comply with a law, we do so on this basis. For instance, retaining transaction records for the legally required period, or providing information to authorities when we’re legally compelled, is done under legal obligation. Another example is honoring your data subject rights – handling your deletion or access request involves processing your data to comply with GDPR or LGPD, which is a legal duty for us.
- Vital Interests: This is rarely applicable for us, but if ever there’s a situation where processing your data is necessary to protect someone’s life or physical safety (vital interests), we could rely on that legal basis. (For example, if we became aware through a support interaction that someone is in immediate danger and we had to alert authorities with available info.)
- Public Task: This generally doesn’t apply to our private company, as it’s meant for official authority or public interest tasks, which we do not perform.
For Brazilian LGPD compliance, our processing fits into several of the legal bases provided by Article 7 of the LGPD, which largely mirror the above (such as consent; contract performance; legal obligations; exercise of rights in judicial, administrative, or arbitration procedures; legitimate interests, etc.). We ensure that we identify an appropriate LGPD basis for all processing of data from Brazil. Typically it will be contract (to provide the service), legitimate interests (for improvements and security), or consent (for optional uses), and sometimes legal obligation.
If you have any questions about the legal bases on which we collect and use your personal data, please contact us. In cases where legitimate interest is our basis, we can provide you with information on our balancing test. Legitimate Interest Assessments (LIAs) are conducted for each processing activity and summaries are available upon request at [email protected].
🍪 Cookies and Tracking
We display a GDPR‑style banner with three toggles:
- Strictly‑Necessary (always on) – listenup_dictation_session for log‑in and Cloudflare security cookies.
- Analytics (opt‑in) – Google Analytics & Tag Manager (IP anonymised), Mixpanel, Hotjar and Firebase Crash/Performance.
- Marketing (opt‑in) – Meta Pixel and LinkedIn Insight Tag.
The banner requires active consent for non-essential cookies - we do not set these cookies unless you explicitly click "Accept" or toggle them on. Refusing non‑essential cookies does not block access to the site. You may change your choice any time via the banner or by accessing Cookie Settings in our website footer.
Google Analytics opt‑out: https://tools.google.com/dlpage/gaoptout
What Are Cookies? Cookies are small text files placed on your browser or device by websites you visit. They allow the website to recognize your device and store some information about your preferences or past actions. Similar technologies include web beacons (tiny images or scripts that detect if a user has viewed a page or email), local storage (which stores data in your browser), and SDKs (in mobile apps).
Types of Cookies We Use:
- Necessary Cookies: These are essential for our site to function properly. For example, if our site has a login, a cookie will keep you logged in as you navigate between pages. Other necessary cookies remember your cookie preferences (so we don’t keep asking you) or enable core features. Without these, the site may not work correctly. These cookies do not require consent under most laws, but we still want you to know they exist. We only use what is needed and keep their data limited.
- Preferences Cookies: These cookies remember your choices to give you a more personalized experience. For instance, a cookie might remember what language you selected or other UI customizations. If you’re in the EU, we will treat these similar to necessary cookies if they are truly minor, but if not essential, we’ll ask for consent to set them.
- Analytics Cookies: We use Google Analytics to collect information about how visitors use our website. The information gathered includes things like which pages are visited, how long visitors stay, how they got to our site (e.g., via a search engine or link), and any errors encountered. This helps us improve our content and site navigation. We configure these tools to respect privacy as much as possible (for example, by anonymizing IP addresses when feasible). We do not load analytics cookies until you have given consent via the cookie banner. You can opt out of analytics by declining cookies or by using browser opt-out tools (for example, Google offers a browser add-on to opt out of GA, and there’s the global privacy control which we respect as described below).
- Advertising Cookies: We do not use advertising cookies or trackers on our sites. We do not serve third-party ads on our website, so we have no cookies meant for advertising or cross-site tracking for marketing. We also do not currently use retargeting cookies (which follow you to advertise our service elsewhere). If this ever changes, we will update this policy and seek appropriate consent. But as of now, you should not see any cookies on our site that collect data for advertising.
- Social Media Plugins: Our site may have simple links to our social media pages (Twitter, LinkedIn, Instagram, etc.), but we do not embed social media “like” buttons or feeds that drop their own cookies, and we do not allow those platforms to track you through our site. Clicking our social media icons will simply navigate you to those external sites, at which point their privacy policies apply.
Cookie Consent and Management: When you first visit our website from certain jurisdictions, you will see a cookie notice banner. This banner allows you to consent to or reject non-essential cookies (like analytics). If you choose “Accept,” you’re allowing us to use all cookies described as optional. If you choose “Reject” or “Preferences,” we will not set those optional cookies (or we’ll only set the ones you specifically allow in a preferences center). You can also always change your mind by accessing our Cookie Settings (there is a link in our footer to adjust cookie preferences).
If you ignore the banner and continue using the site, we will not treat this as consent for any non‑essential cookies. Optional cookies (such as analytics) will remain disabled until you actively select “Accept” (or otherwise grant consent) in the banner or the Cookie Settings panel. The banner will remain visible or re‑appear to remind you until you make an explicit choice.
Browser Settings: In addition to our site controls, you can manage cookies through your web browser settings. Most browsers allow you to block or delete cookies. You can usually find these options in the browser’s “Options” or “Preferences” menu. Note that blocking all cookies might make some websites (including ours) not function fully. You could choose to block third-party cookies (those set by domains other than listenupdictation.com) while allowing first-party cookies (set by our site) to balance functionality and privacy.
Global Privacy Control (Opt-Out Signals): We honor “Do Not Track” or similar universal opt-out signals where applicable. Specifically, if your browser or extension is set to send a Global Privacy Control (GPC) signal, which indicates you do not want your personal information to be sold or shared, our website will treat that as a valid opt-out request under applicable laws. In practical terms, if we detect a GPC signal from your device:
- We will not set any cookies that would be considered a “sale” or “sharing” of personal information (we don’t have such cookies, as noted, but this is our policy).
- We will treat it as if you opted out of any data sale/sharing. Since we don’t sell data anyway, this mainly reinforces that stance.
- We will still display the cookie banner, but if we detect a valid GPC signal we will default all non‑essential cookies, including analytics, to off. You may override this by actively opting in via the banner or Cookie Settings.
- If any future advertising/third-party trackers were present, GPC would tell us to disable them for your visit, which we would comply with.
This automatic honor of GPC is part of our compliance with laws like CPRA (in California) and the Colorado Privacy Act which mandates recognition of such signals by July 2024. We believe in giving you easy, global ways to control your data. (For those not familiar, Global Privacy Control is a setting you can enable in certain browsers or extensions that broadcasts a “do not sell/share” preference to websites you visit. For more info, see globalprivacycontrol.org – no login required, it’s a simple browser feature.)
Do Not Track (DNT): Older browsers had a “Do Not Track” signal. Aside from GPC, most industry responses to DNT were inconsistent. We treat DNT similarly – if we detect a Do Not Track header from your browser, we will assume you prefer not to be tracked for marketing or analytics. Again, we don’t do marketing tracking, and we already require opt-in for analytics. So effectively DNT would mean we definitely won’t enable analytics for you without consent.
Third-Party Websites and Tracking: Our website may contain links to third-party websites (for example, a blog post might link to an external article, or our support page might link to documentation on another site). If you click those, you will be subject to their cookies and tracking, not ours. We are not responsible for how other sites handle your privacy. We advise you to review the privacy policies of any external sites you visit. We do not share your personal data with third-party sites, but if you go to them, they may independently collect data from you.
Email Tracking: If you subscribe to our newsletter or marketing emails, we may use a minimal tracking technique to know if you opened an email or clicked a link. We do this to gauge engagement and optimize our communications (for example, to send more relevant content). You can disable image loading in your email client if you don’t want us to know if you opened an email, or simply unsubscribe if you prefer not to receive any such communications.
In summary, our stance is to be transparent and conservative with tracking: we only deploy what we need, we ask permission where required, and we respect your browser-based choices.
For more details or specific questions about our use of cookies and tracking technologies, feel free to contact us.
🤝 How We Share Your Data
We do not sell your personal data to third parties. We also do not share your information with third parties for their independent marketing or advertising purposes. However, we do share some information with others in the following contexts, all for legitimate operational reasons or as required by law:
1. Service Providers (Processors/Subprocessors): We use trusted third-party companies to help us run ListenUp Dictation. These service providers only process your data on our behalf and under our instructions – they are not allowed to use your data for their own purposes. We ensure we have appropriate agreements (like Data Processing Agreements) in place with each of them to safeguard your information, as required by GDPR and other laws. A list of our current subprocessors and their safeguards is available upon request at [email protected]. Our key service providers include:
• Hetzner Online GmbH – hosting in Germany (data stays in EEA)
• Stripe – payments (SCCs + Data Privacy Framework)
• SendGrid (Twilio) – marketing e-mails (SCCs + DPF)
• Amazon SES (us-east-1) – transactional e-mails (SCCs + DPF)
• Google Analytics / Tag Manager – site analytics (SCCs + DPF, IP anonymisation)
• OpenAI LLC – large-language-model API (SCCs + DPF; receives only text prompts, no audio)
• Anthropic – large-language-model API (SCCs + DPF; receives only text prompts, no audio)
• Google Cloud AI / Gemini – LLM API (SCCs + DPF)
• Google OAuth 2 & Apple Sign-in – social log-in providers
• Meta Pixel, LinkedIn Insight Tag – optional marketing pixels (SCCs + DPF)
• Mixpanel – product analytics (SCCs + DPF)
• Sentry – error logging (SCCs + DPF)
• Cloudflare – CDN & security (SCCs + DPF)
• Firebase – crash/performance telemetry (SCCs + DPF)
• Hotjar – UX recordings (SCCs + DPF; IP pseudonymised)
Additional context about specific providers:
- Cloud Hosting and Infrastructure: We may host our website, databases, and servers on cloud platforms (for example, Amazon Web Services or similar providers). This means if you create an account or we store your email/support tickets, that data might reside on their servers. They act as our processors to store and transmit data as needed for the service. We apply encryption and access controls to data stored in the cloud.
- Payment Processors: As mentioned, for handling payments we rely on third-party payment gateways (Stripe). These processors get your payment details directly to process transactions. We receive limited info back (like confirmation tokens). They are contractually obligated to secure your data and only use it for payment processing. We do not have access to your full credit card info when using these services.
- Email and Communications Services: We might use an email service provider to send transactional emails (Amazon AWS) or marketing emails (SendGrid). These providers would handle your email address and the content of emails we send to you. They are not allowed to spam you or use your email for anything aside from sending our communications. Similarly, if you submit a support form on our site, the backend will use Amazon AWS SES to deliver it to us.
- Analytics Tools: We use Google Analytics, which processes certain usage data as explained in the Cookies section. We configure this tool not to receive unnecessary personal info (for example, we don’t send your name or email to Google Analytics). It might receive your IP and user agent, but we anonymize IP. This provider is restricted from using the data for its own purposes – for example, Google Analytics data is governed by Google’s policies and is not used to identify individual users to them, it’s aggregated for stats. We also consider analytics as a service provider usage.
- Crash Reporting and Diagnostics: We use Sentry as a third-party crash reporting service. As our processor, Sentry receives crash data, including error logs and device information, to provide us with bug reports. Sentry is contractually bound to keep this data secure and confidential.
- Newsletter/Mailing Platform: If you subscribed to our newsletter, your email and name might be stored in a mailing platform (SendGrid). They simply help us manage the mailing list and send out emails. They do not independently contact you outside of what we schedule.
We maintain an updated list of our subprocessors which you can request from us. These processors typically are located in the United States or European Economic Area. Whenever we share data with them, we do so under the safeguards described in International Data Transfers below if they are overseas.
2. Within Our Company/Affiliates: ListenUp Dictation is a small operation. If in the future we establish affiliated companies or hire employees/contractors, your data may be shared within our organization and with personnel who need to know it to perform their job (e.g., a support agent who needs to access your support ticket). All personnel are bound by confidentiality and this privacy policy. If we ever expand internationally with a local branch, that branch might handle data as needed (still under this policy’s terms).
3. Business Partners (Non-Service Providers): At this time, we do not have any co-marketing or data-sharing partnerships. If we ever co-sponsor a project or event and you sign up, we would clarify how data is shared at that point. We will not share your information with another company for their independent use without telling you and obtaining consent if required. For example, if we did an integration with another app and you wanted to link accounts, that would be your choice and we’d explain what data flows. But by default, your data stays with ListenUp and its processors.
4. Legal Disclosures: We may disclose your personal information if required to do so by law or in response to valid requests by public authorities (e.g. a court or government agency). Specifically:
- Law Enforcement: If we receive a subpoena, court order, or other legal process requesting your data, we will evaluate the request and only comply if it’s legally valid. We will attempt to narrow it if it’s overly broad. Unless prohibited, we will try to inform you if your data is sought this way. However, we might be forbidden from notifying you in some cases (e.g., a government order under seal).
- Regulators: We might share necessary information with data protection authorities or other regulators if required (for example, if you lodge a complaint and the regulator requests details).
- To Protect Rights and Safety: We may share information to enforce our terms of service or other agreements, or to investigate potential violations. We will also share data as needed to detect, prevent, or address fraud, security, or technical issues. For instance, if someone is attempting to hack into our services, we might share relevant logs with cybersecurity experts or law enforcement. If a user is engaged in illegal activities that threaten others (e.g., using our service for harassment, which is hypothetical given our service type), we might report that along with whatever data is necessary.
- Legal Claims: If we are involved in a lawsuit or legal process where your data is relevant (either we’re suing someone or being sued), we might need to produce your data as evidence. We will only do what is necessary and within the confines of law.
5. Business Transfers: If ListenUp Dictation (the company or its assets) is involved in a merger, acquisition, bankruptcy, or sale of assets, your personal data may be transferred to the successor or new owner as part of that transaction. If such a transfer occurs, we will ensure the new entity is bound to respect your personal data in a manner consistent with this Privacy Statement. We will notify you (for example, via email and/or a prominent notice on our website or in-app) of any change in ownership or uses of your personal information, as well as any choices you may have regarding your personal information in that event. For example, if another company acquires us, you may choose to delete your data if you do not wish to be subject to the new company’s policies (though ideally they will honor this same policy until you agree to changes).
6. Aggregated or De-Identified Data: We may share information that has been aggregated (combined with data of many users) or de-identified (stripped of personal identifiers) in such a way that it cannot reasonably be used to identify you. For instance, we might publish usage statistics on our website (“Over 1,000 hours of dictation done with ListenUp this month!”). Or we might share aggregated insights with a research partner or in a blog. This kind of data does not personally identify any individual and is not considered personal data under many laws. We ensure that any such sharing is irreversible (meaning it’s not just pseudonymous but truly anonymized, when possible).
7. No Selling or Sharing for Behavioral Advertising: To re-emphasize our stance as required by certain laws: We do not “sell” personal information for monetary consideration, and we do not “share” personal information for cross-context behavioral advertising as those terms are defined under laws like the CPRA. This includes all categories of personal information listed earlier; none are sold or shared in that manner. We also do not knowingly allow third parties to collect your personal information on our sites or app for their own advertising purposes (for example, we don’t embed third-party ad scripts that siphon your data). Therefore, we do not have the kind of third-party data disclosures that would trigger the requirement of a “Do Not Sell or Share” button on our website. If this ever changes, we will implement such mechanisms and update this policy accordingly. Moreover, we confirm that we have not sold or shared personal information in the past 12 months.
- For clarity under various state laws: “Sale” is broadly defined (especially in California) to include any exchange of data for something of value. We do not do that. “Sharing” under CPRA means sharing for targeted advertising. We do not do that either. Any exchanges of data we engage in are purely service-oriented (e.g., with our processors) or at your direction (e.g., if you ask us to transfer data).
- We also do not use or disclose sensitive personal information for any purpose other than what is necessary to provide our services or as otherwise permitted by law. In plain terms, if any data we collect falls under “sensitive” (for example, account login credentials, or precise location if we ever got it, or a government ID if you ever gave one for verification), we use it only for the service you expect. We don’t use sensitive data to infer characteristics about you or for showing ads. Under CPRA, because we only use sensitive info for essential purposes, consumers do not have a right to limit our use of it (since we’re already limiting ourselves to the allowed purposes).
8. With Your Consent: If you instruct us or explicitly consent to us sharing your information with a third party, we will do so. For example, if we introduced a feature where you can export your transcription to a third-party service (like store your dictated text directly to a Google Docs), that action is under your control and essentially your consent to send that data to that third-party. Another example: if we wanted to feature your story or testimonial on our site alongside a third party (say, a joint case study with a disability advocacy group about how ListenUp helps users), we’d only share your info in that context with your full agreement.
In all cases of sharing, we strive to be transparent and cautious. We share the minimum required data for the purpose at hand, and we evaluate the third parties’ privacy measures.
If you have questions about a particular third party or service provider with whom your data might be shared, please contact us. We can provide more specifics and are happy to clarify how your data flows.
🌍 International Data Transfers
- All production data are hosted on Hetzner servers in Germany (EEA).
- Transfers to U.S. providers (Stripe, Cloudflare, OpenAI, Google Cloud AI, etc.) rely on 2023 Standard Contractual Clauses plus the EU‑U.S. Data Privacy Framework.
- Transfer‑Impact Assessments are reviewed annually; a public summary is available on request.
- No data flows to the United Kingdom; therefore ThoFlow AI does not appoint a UK Article 27 representative.
If You’re in the EU/EEA or UK: Whenever we transfer personal data out of the EEA or the United Kingdom to a country that is not deemed by the European Commission (or UK government) to provide an adequate level of data protection, we will ensure a proper legal transfer mechanism is in place. The primary mechanisms we use are:
- Standard Contractual Clauses (SCCs): These are contractual commitments approved by the European Commission (and recognized in the UK) that bind the recipient of the data to protect it according to EU privacy standards. For example, if we use a US-based service provider like an email service, we sign SCCs with them to oblige protection of your EU personal data.
- Data Privacy Framework (DPF) Certification: We strive to work with service providers who participate in frameworks like the EU-U.S. Data Privacy Framework (and UK extension, if applicable) or Swiss-U.S. framework, which means they have committed to a certain level of privacy compliance. If a provider is certified under the DPF (or its successor for UK/Swiss), we may rely on that as our transfer safeguard.
- Adequacy Decisions: If your data is sent to a country that the EU (or UK) has deemed “adequate” from a privacy standpoint, that transfer is permitted. For example, if we store some data in Canada or Japan, those countries currently have adequacy decisions from the EU.
- Derogations (if applicable): In some cases, we might rely on exceptions allowed by law (such as your explicit consent to a specific transfer, or transfer necessary for the performance of a contract with you). This is usually on a case-by-case basis and not routine.
We also perform Transfer Impact Assessments as needed, evaluating whether the laws of the destination country might impinge on the effectiveness of our safeguards (for instance, we consider U.S. laws around government access when sending data to U.S. providers). Where needed, we implement additional technical and organizational measures – such as encryption in transit and at rest, limiting what data is exported, etc. – to ensure the data receives an equivalent level of protection to what it has in Europe.
If You’re in Brazil: Similar principles apply under the LGPD. If we transfer your data outside of Brazil, we will do so only to countries with adequate protection as determined by Brazilian authorities, or under contractual clauses or other safeguards recognized by LGPD (like standard clauses, international cooperation, etc.), or in reliance on your consent or other authorized grounds. As of the date of this policy, Brazil’s ANPD is evaluating adequacy and standard clauses; in the meantime, we treat our SCCs and frameworks for EU as also covering Brazilian data, as they set a high standard.
If You’re in Other Regions: For example, if you’re in Canada, your data might be stored in the U.S. and Europe; Canadian privacy laws allow this as long as we provide appropriate protection and notice (which we do via this policy). If you’re in a region like Asia or Australia, similar considerations apply – we ensure compliance with any cross-border rules of that jurisdiction (like APEC Cross-Border Privacy Rules if applicable, though we are not currently certified in that).
Service Provider Locations: To be transparent, here are some of the typical locations of our key service providers:
- Our main servers (for website, licensing, etc.) may be in data centers in the European Union (Germany) or in the United States.
- Our email/newsletter service (if U.S.-based) might store data in the USA.
- Payment processing for non-App Store purchases might involve data centers in the USA (Stripe’s servers).
- Google Analytics may transfer data to the USA or other locations, although we try to use EU servers when possible and IP anonymization.
- Apple (for App Store distribution) will process data in accordance with their global infrastructure (often in the USA and other countries) – note, your interactions with Apple’s platform are under Apple’s privacy terms, but any data Apple shares with us (like crash diagnostics if you opted into Apple’s analytics) might transit from Apple’s servers to us.
Whenever your information is moved to a different country, it may be accessible to law enforcement and national security authorities in that country under its laws (for example, data stored in the US can be accessed by US authorities under certain conditions). We have accounted for this in our risk assessments and, as mentioned, we use encryption and other means to protect data from unauthorized access.
If you would like more information about cross-border transfers or to obtain a copy of the relevant safeguards we have in place (like the SCCs), please contact us at our privacy email. We may provide excerpts of contractual terms for confidentiality reasons but we will do our best to answer your questions.
Note for UK Users: Since Brexit, the UK requires its own transfer mechanisms. We typically use the EU SCCs plus the UK’s International Data Transfer Addendum or the new UK International Data Transfer Agreement if applicable. Practically, this means your UK data gets the same level of protection as EU data in transfers.
In summary, regardless of where your data is processed, we apply the same level of care and security. We enforce this through contracts with our processors and through internal policies. Your data will always be handled in accordance with this Privacy Statement, even if local laws might not be as strict in some jurisdictions. That’s our commitment to you.
🗄️ Data Retention
| Data type               | Retention rule                                                       |
| ----------------------- | -------------------------------------------------------------------- |
| Raw audio & transcripts | Never leave the device                                               |
| Usage metrics & logs    | Deleted automatically when the user deletes the account              |
| Account profile         | Stored while the account is active; erased or anonymised on deletion |
| Billing & tax records   | 7 years (statutory NL requirement)                                   |
| Encrypted back‑ups      | Rolling 7‑day window                                                 |
- Account Information: If you create an account, we will keep your account data (like your name, email, login credentials, subscription info) for as long as your account is active. If you request to delete your account or if your account has been inactive for a long period, we will delete or anonymize the information associated with your account, except where we need to keep it for legitimate business or legal purposes (see below). “Inactive for a long period” generally means 2 years of no logins or subscriptions, but we may check in with you via email before deletion. You always have the ability to delete your account sooner by using the in-app functionality or by contacting us.
- Subscription and Purchase Records: We retain records of your purchases and subscriptions (e.g., subscription type, purchase date, transaction ID) for a period required by financial and tax regulations. In the Netherlands (and generally EU), we need to keep financial records for 7 years for tax audit purposes. So, while your account may be deleted, we might still keep an invoice or payment record associated with an internal customer ID or order number for that period. However, we will not keep more personal info than needed – typically just what the law requires (like transaction logs, not your full profile if it’s deleted).
- Support Communications: If you contact support, we may retain the correspondence (emails, support tickets) and our responses for up to 2 years after resolution of the issue, in case you have follow-up questions or a recurring issue, and to train our support team (e.g., refer to previous solutions). If you want us to delete a particular support email that contains personal data, let us know and we will do so unless it’s needed for our legal protection (e.g., evidence of advice given).
- Marketing Emails: If you have subscribed to our newsletter, we will retain your email on our mailing list until you unsubscribe. Once you unsubscribe, we will immediately stop sending you emails, and we will remove your contact from our active mailing list. We may, however, keep a record of your unsubscribe request (email address and the fact you opted out) indefinitely (or as required by anti-spam laws) to ensure we don’t accidentally re-add you. This is managed by the email platform automatically.
- Analytics Data: Analytics data on our website is generally stored in aggregate form. Raw analytics logs might be retained for a short period (14 months) and then either deleted or aggregated. We don’t keep identifiable web analytics longer than necessary. Some aggregated reports might be kept longer, but those contain no personal identifiers.
- Crash Logs and Diagnostics: Crash reports and diagnostic logs will be retained as long as needed to analyze and fix the related issue. Often, once an issue is resolved, we might keep the crash log for historical record or product improvement. Typically, crash logs are kept for up to 2 years, as they help us see if an old bug re-surfaces. If they contain any personal data, we treat them confidentially. If you want a specific crash report involving your data deleted, you can request that (though note, crash logs usually don’t have user identity info attached, they are keyed by random IDs).
- Subscription Activation Data: Data about subscription activation (like device ID, subscription usage) is retained for the duration of the subscription validity, and a little beyond (to detect abuse patterns). We may purge or anonymize device-specific data after 2 years from last activity. But high-level records (e.g., that a certain subscription was sold and used) we keep longer for business records and anti-fraud tracking.
- Legal Holds: Sometimes, if we are dealing with a legal issue (like a dispute or an investigation), we might need to retain certain data beyond our normal retention period until that issue is resolved. We will put that data on a “legal hold” to prevent deletion. Once it’s resolved, we’ll promptly delete if no longer needed.
- Deleted Data: When you delete data (for example, if you delete your account or request deletion of specific info), we will remove it from active use. However, it may remain in our backups or archives for a short period. We maintain backups of our systems for reliability and disaster recovery. Backup copies are protected and only accessed if needed for restoration. We have processes to eventually delete or overwrite old backups. Typically, complete purge from backups might occur within 30-90 days, depending on backup rotation cycles.
- Anonymized Data: If we anonymize data (so it’s no longer personal), we may retain that indefinitely, as it ceases to be personal data. For example, general usage statistics devoid of user identification might be kept for trends.
In summary, we aim to keep your personal data for no longer than necessary. When we no longer have a legitimate need to keep your data, we will either delete it or irreversibly anonymize it. If deletion is not immediately possible (for instance, if the data is in backups), we ensure it’s isolated and protected until deletion is feasible.
Your Deletion Requests: You have the right to request deletion of your data (as detailed in the Your Rights section). When you do, we will erase the data from our active systems and instruct our processors to do the same, barring any exceptions under law. There are exceptions such as where we need to keep data for legal reasons (e.g., tax records, as mentioned) or if the data is necessary to exercise or defend legal claims. We will inform you if any such exception applies when fulfilling a deletion request.
If you have specific questions about our retention periods for different data types, you can contact us at [email protected].
🔒 Data Security
We understand that the security of your personal data is important. We take a variety of technical and organizational measures to protect your information from unauthorized access, alteration, disclosure, or destruction. However, it’s important to note that no method of transmission over the internet or method of electronic storage is 100% secure, so we cannot guarantee absolute security. But we make it a top priority to stay up-to-date with best practices and to promptly address any security issues.
Here are some key aspects of our security program:
- Encryption: We use encryption to protect data in transit and at rest. Any sensitive data transmitted between your device and our servers (for example, when you log in or send us information) is protected by HTTPS (TLS encryption). This means that data is encrypted such that it cannot be easily intercepted or read in transit. For data at rest, we encrypt personal data stored in databases or storage systems, especially sensitive fields. For instance, passwords are stored as salted cryptographic hashes.
- Access Controls: We restrict access to personal data to authorized personnel who need it to perform their job duties. Our team follows the principle of least privilege – team members only have access to the minimum data required. For example, our support staff may have access to your account information to assist you, but they will not have access to raw analytics that are not necessary for support. Administrative access to systems that store personal data is limited to key personnel and is protected by strong authentication.
- Network Security: We protect our servers and network with firewalls and monitoring. We regularly update our software and dependencies to patch security vulnerabilities. Our website and app backend are hosted on secure platforms that provide robust security features (like DDoS protection, intrusion detection). We also employ network segmentation: separating the database from the public-facing server, etc., so even if the public site is compromised, attackers cannot directly reach sensitive data.
- Testing and Auditing: We conduct periodic security reviews of our systems. This includes code reviews, vulnerability scanning, and occasionally penetration testing to identify potential weaknesses. We also audit access logs to detect any unusual access to personal data. For example, we keep logs of who accessed administrative tools and we review them for any unauthorized or suspicious activity.
- Secure Development Practices: Our development process incorporates security from the start. We follow secure coding guidelines to prevent common vulnerabilities like SQL injection, XSS, CSRF, etc. New features undergo testing including security test cases. We avoid storing data on end-user devices unless necessary, and when we do (like caching something on your app), we rely on secure OS-provided storage.
- Backups and Recovery: We maintain regular backups of critical data to ensure we can recover from any data loss scenario (like a hardware failure or a cyberattack that causes data corruption). These backups are encrypted and stored securely. We also have an incident response plan to quickly respond to security incidents. Part of that plan includes preserving evidence, notifying affected users and authorities as required, and learning from incidents to improve our defenses.
- Employee Training and Policies: We train our team about the importance of data privacy and security. All team members handling personal data are aware of this Privacy Statement and our internal privacy/security guidelines. We have policies in place for how to handle personal data, how to report potential security issues, and how to keep credentials secure. For example, we mandate strong, unique passwords and 2FA on all internal accounts, and we restrict the use of personal data outside our systems (no downloading data to unsecured devices, etc.).
- Physical Security: Although we primarily use cloud services, any physical devices (like laptops) used by our team that might handle personal data are encrypted (full-disk encryption) and secured. Our office is access-controlled. But since we are a small operation, physical data is minimal – most personal data resides in the cloud.
- Third-Party Security: We carefully choose service providers who meet high security standards. We review their security measures (for example, major cloud providers have detailed security documentation and certifications like ISO 27001, SOC 2, etc.). We also ensure via contract that they commit to protecting your data. If a provider suffers a breach affecting user data, they are obligated to inform us promptly so we can take action and notify you if needed.
Security in the App: The ListenUp Dictation app itself processes your voice data locally, as we’ve stated. We ensure that within the app, we use secure APIs and do not expose your data unnecessarily. The app connects to our servers over encrypted channels not only for subscription checks and updates but also to send a temporary, encrypted copy of the transcript and limited context (text before/after the cursor, any selected text, and the active app name) to our large‑language‑model for real‑time refinement. Your audio never leaves your device, and the transcript/context are automatically deleted from our servers the instant the polished result is returned. If you choose to insert or paste your dictation into another application, that still happens locally via the system clipboard or input events; the brief refinement step is the sole server interaction involving your content.
User Responsibilities: You also play a role in keeping your data secure. We urge you to use a strong, unique password for your account and to keep your login credentials confidential. If you suspect any unauthorized access to your account, please notify us immediately. Also, be aware that emails and messages purportedly from us should be handled carefully – we will never ask for your password via email, and any links we send will be clearly from our domain. If you’re ever unsure about a communication, reach out to us at our official contact.
Data Breach Procedures: Despite our best efforts, if a data breach were to occur that affects your personal information, we have a procedure in place. We will promptly investigate and take necessary remedial measures. If the breach is likely to result in a high risk to your rights and freedoms (as defined by GDPR), we will notify the relevant supervisory authority within 72 hours of becoming aware, and also notify you directly, via email or conspicuous notice, without undue delay (typically within 72 hours of determining individual notification is required), with information on what happened and any steps you should take to protect yourself. We would also provide credit monitoring or identity protection services if appropriate (though given the minimal data we hold, scenarios requiring that are unlikely). For less severe incidents, we may still inform you via email or an in-app message as a precaution.
No Guarantee: While we are committed to protecting your data, no system is foolproof. Please understand that using any online service carries some risk. We encourage you to also protect yourself by practicing good security hygiene (keep your devices updated, use antivirus software if appropriate, be wary of phishing attacks, etc.).
If you have any questions about the security of your data or if you notice any vulnerability or incident related to our services, contact us immediately at [email protected]. We appreciate feedback and will act swiftly.
🚸 Children’s Privacy
ListenUp Dictation is not intended for use by children under a certain age. We do not knowingly collect personal data from children without appropriate consent. The relevant age depends on jurisdiction:
- In most regions, including the EU, a “child” for consent purposes is under 16 (though some EU countries set this at 13 to 15).
- In the United States, the Children’s Online Privacy Protection Act (COPPA) applies to children under 13.
- We choose to take a cautious approach: our services are not directed to anyone under 16 years of age, and we do not knowingly allow such individuals to use the app or provide personal information. While we do not actively verify age during registration, users must confirm they are 16 or older when creating an account.
If you are under 16, please do not use ListenUp Dictation or submit any personal information to us (such as your name or email). If you are a parent or guardian and believe that your child under 16 has provided us with personal information or is using our service inappropriately, please contact us at [email protected] so we can take steps to delete the information and (if applicable) close the child’s account.
We do not design features to attract children, and our content is generally business and productivity oriented (nothing that would particularly appeal to young kids). We do not offer games, social community features, or any child-targeted content.
If in the future we decide to tailor any part of our service to a younger audience (for example, an educational version for schools or a special accessibility feature for kids), we will do so in compliance with all applicable laws (including obtaining verifiable parental consent before collecting personal data from children, providing clear disclosures, etc.). As of now, we have no such plans.
For teens between 16 and 18 (or the age of majority in your jurisdiction): Our service can be used by you, but if you are under 18, you should review this Privacy Statement with a parent or guardian to make sure you understand it. Some regions have specific laws for minors’ data rights (for example, California allows minors under 18 to request deletion of content they posted; this is not quite relevant here since we are not a social platform, but we will honor any such rights if applicable).
We do not sell the personal data of consumers, including minors under 16, as mentioned before. And we certainly do not knowingly sell or share data of minors under 16 without required opt-in consent (which we do not even seek because we don’t target that group).
In summary, children should not be using ListenUp, and we aim to have zero data on children. If we find that we have unintentionally collected data of a child, we will delete it promptly.
✅ Your Rights and Choices
You have various rights regarding your personal data. We believe in empowering you with control over your information. Your rights will depend on your jurisdiction (where you live), but we intend to honor all major privacy rights globally to the extent possible. Below, we outline general rights that apply to many users, then specific rights for certain regions like the European Union (GDPR), United Kingdom, California (CPRA), other U.S. states (Virginia, Colorado, etc.), and Brazil (LGPD).
We will not discriminate against you for exercising any of these rights. For example, we won’t deny you service or charge you a different price just because you exercised your privacy rights (except as permitted by law – e.g., some data is needed to provide the service, so if you ask us to delete all your data, we might not be able to continue providing the service, but that’s a natural consequence, not discrimination).
When you contact us to exercise a right, we will need to verify your identity to ensure we don’t give your data to the wrong person. We might ask you to provide information that matches what we have on file (for example, verifying your email address or asking for a current login, etc.). For certain sensitive requests (like obtaining a copy of your data or deleting an account), we may use a two-step verification (like confirming via email link) to be sure.
Now, let’s break down the rights:
Rights for All Users (General)
These rights generally apply regardless of where you’re located (some are legally guaranteed in certain places, but we offer them more broadly as a courtesy):
- Right to Access: You can ask us to confirm if we are processing your personal data and, if so, request access to that data. This means you can ask for a copy of the personal information we hold about you. This is sometimes called a “Data Subject Access Request.” We will provide you with the information in a portable format (commonly used electronic form). For example, you can email us and say, “I’d like to know what data you have about me,” and we will furnish it – typically things like your account info, contact info, and any other data tied to you. (Note: We might not include data that is confidential business info or legally privileged, but typically personal data tied to you will be provided.)
- Right to Rectification (Correction): If you believe any personal data we have about you is incorrect or incomplete, you have the right to request that we correct it. For instance, if your name is misspelled in our records or you changed email address, you can ask us to update it. In many cases, you can correct some information yourself through account settings (if available), but you can also ask us directly.
- Right to Deletion (Erasure): You can request that we delete your personal data. We will honor such requests, subject to certain exceptions. For example, if you have an account and you want it deleted, we will remove your personal information from our systems (and instruct processors to do so). As noted in the retention section, we might retain minimal info if required (like transaction records or if needed for legal claims), but we’ll inform you if any such exception applies. Once your data is deleted, your account will be closed and you will lose access to the service (which is expected).
- Right to Restrict Processing: This is mainly a GDPR right, but generally, you can ask us to restrict or pause processing of your data in certain situations (for example, if you contest the accuracy of the data, or if you object to our processing based on legitimate interests, we might restrict processing until the issue is resolved). During restriction, we can store the data but not do anything with it unless you consent or for legal reasons. In practice, if you asked for restriction, we would likely just stop using your data for the contested purpose (for example, if you object to analytics, we’d stop analytics on your data).
- Right to Object: You have the right to object to certain processing of your data. In particular, you can object to processing based on legitimate interests and to processing for direct marketing. If you object to direct marketing, we will immediately stop sending you marketing messages (that’s easy – basically the same as unsubscribing). If you object to processing based on our legitimate interests, we will review your objection and unless we have compelling legitimate grounds that override your rights (or if it’s needed for legal reasons), we will stop or adjust the processing. For example, if you object to us collecting analytics on your usage, we would stop (by, say, giving you an option to opt out entirely if not already, or exclude your data from analytics).
- Right to Data Portability: This is more formally under GDPR and some other laws, but it’s the right to receive your personal data that you provided to us, in a structured, commonly used, machine-readable format, and to have that data transmitted to another controller (where technically feasible). In simpler terms, you can ask for your data in a format that you could import into another service. For ListenUp, this might not be highly applicable (we're not a social network where you'd port your profile to another network), but we can provide your account information and usage data in JSON format suitable for import into other systems. Data export includes account details, subscription information, and usage metrics in a structured format. Portability applies to data you actively provided and that we process by automated means under consent or contract. Practically, it overlaps with the Access right – we’d give you your data, which you can then take elsewhere as you see fit.
- Right not to be subject to Automated Decision-Making: We do not engage in any fully automated decision-making that has legal or similarly significant effects on you (for example, no algorithm decides to deny you service without human involvement). Thus this is not applicable. However, if we ever did, you would have the right to human review of such decisions. (For clarity: The AI that transcribes your voice is automated processing, but it’s not making a “decision” about you; it’s providing a service output. And any suggestions it gives you are under your control, not binding decisions about your rights.)
- Right to Withdraw Consent: If we rely on consent to process your data, you have the right to withdraw that consent at any time. This will not affect the lawfulness of processing based on consent before its withdrawal. For example, if you gave consent for marketing emails, you can withdraw by unsubscribing. If you gave consent for a feature, you can turn it off. If you gave us consent to access something like your microphone (device permission), you can revoke that via your device settings (though note, revoking microphone permission means the dictation app can’t function, since it needs the mic – but that’s your choice).
- Right to Complain: We hope to resolve any concerns you have, but you also have the right to lodge a complaint with a data protection authority or regulator if you believe we have infringed your rights. For EU residents, that could be the Dutch Data Protection Authority (since we’re in NL) or your local supervisory authority. For the UK, it’s the Information Commissioner’s Office (ICO). For others, see region-specific notes below. We would appreciate it if you would contact us first to try to resolve the issue, but it’s your right to go to the authorities.
Now, more specifically by region:
Switzerland (nFADP) Rights
If you are located in Switzerland, the revised Federal Act on Data Protection (nFADP), effective 1 September 2023, grants you rights comparable to those under the EU GDPR, including the rights to information, data portability and deletion. You may exercise these rights by contacting us at [email protected] or via our EU representative. Swiss users also have the right to lodge a complaint with the Federal Data Protection and Information Commissioner (FDPIC).
EU/EEA and UK Residents (GDPR Rights)
If you are in the European Union, European Economic Area, or the United Kingdom, your rights include all the ones listed above (access, rectification, erasure, restriction, objection, portability, not to be subject to automated decisions, withdraw consent, complain to authority).
To exercise these, you can contact us at [email protected]. We will respond to your request without undue delay, and at the latest within one month of receipt. We can extend by two further months if the request is complex or we have a high volume of requests, but we will inform you of any extension within the first month. We will provide information on actions taken on your request, or if we do not fulfill it, we will explain why (with legal justification).
Complaints (EU/UK): As mentioned, you have the right to lodge a complaint with a supervisory authority, particularly in the country where you live or work, or where the issue occurred. Our lead authority is likely the Autoriteit Persoonsgegevens (Dutch Data Protection Authority) since we operate in NL. Their website is https://autoriteitpersoonsgegevens.nl and they have contact info there. In the UK, it’s the ICO (ico.org.uk). We sincerely hope we never give you cause to complain, but it’s there if needed.
Representative: Because we are established in the EU (Netherlands), we do not require an EU representative. For UK, since we don’t have a UK office, strictly UK GDPR might require us to appoint a UK representative if we process UK data at scale. We are a small business, but we are mindful of UK rules. If needed, we will appoint one and update this section. Meanwhile, UK users can always reach out to us directly.
California Residents (CCPA/CPRA Rights)
If you are a resident of California, you have specific rights under the California Consumer Privacy Act (as amended by CPRA). Many overlap with the above, but we’ll list them in California terms for clarity:
- Right to Know: You can request that we disclose to you the following: (1) The categories of personal information we have collected about you; (2) The categories of sources from which the personal information was collected; (3) The business or commercial purpose for collecting (or selling/sharing, though we don’t sell/share) personal information; (4) The categories of third parties to whom we disclose personal info; (5) The specific pieces of personal information we have collected about you. Essentially, you can ask for both a general overview and a copy of your specific data. We believe we cover a lot of this in this Privacy Statement already (see earlier sections), but upon request we will provide it specific to you.
- Right to Delete: Similar to above, you can request deletion of personal info we have collected from you. There are certain exemptions under CCPA where we can deny deletion, for example if the info is needed to complete a transaction you requested, to detect security incidents, to comply with a legal obligation, etc. We will outline if any apply. Typically, as we said, we’ll delete unless there’s a compelling reason not to.
- Right to Correct: Under CPRA, you can request that we correct inaccurate personal information we maintain about you. We will take into account the nature of the personal info and the purposes of processing, and make efforts to correct it as directed by you (with verification).
- Right to Opt-Out of Sale or Sharing: You have the right to opt-out of the sale of your personal information or the sharing of your personal information for cross-context behavioral advertising. However, as we have stated, we do not sell or share personal information. So there is no need for you to exercise this right in our case, because we simply don’t engage in those practices. If that ever changes, we will provide a “Do Not Sell or Share My Personal Information” link or mechanism. Right now, any data transfers we do are considered “service provider” or “necessary” uses that are exempt from “sale/share” definitions. We still respect GPC signals for opt-out as described.
- Right to Limit Use of Sensitive Personal Information: CPRA gives you the right to limit the use and disclosure of sensitive personal info (SPI) if a business uses SPI beyond certain core purposes. We do not use or disclose sensitive info (like account login, etc.) for any purposes outside what’s allowed (which are essentially the purposes necessary to perform the service or prevent fraud, etc.). Thus, there is no secondary use of SPI that you’d need to limit. If you still have concerns, you can contact us and we will address them. But basically, we do not use your sensitive data (if any) except to provide you the service.
- Right to Non-Discrimination: We will not discriminate against you for exercising any CCPA rights. This means we won’t deny you our services or charge you different prices, or provide a different level of quality just because you made a privacy rights request. (One caveat: if you delete data that is necessary for the service, like you delete your account entirely, naturally you can’t use the account-based service. That’s not discrimination; that’s a consequence of your request. We won’t, for instance, keep you from using a free feature because you opted out of marketing cookies, etc.)
- Notice at Collection: We have attempted to provide that (the categories of PI and purposes) at the point of data collection. Essentially, this Privacy Statement (especially the summary and the data categories section) serves as our Notice at Collection. When you first interact with our service (like visiting our site or installing our app), you can refer to this notice. We might also provide short form notices in the app if needed (e.g., a pop-up explaining any data collection, which currently is mainly offline, so not applicable).
- Authorized Agent: California law allows you to use an authorized agent to make requests on your behalf. If you want, you can have someone (with written permission from you, or someone with power of attorney) submit a request on your behalf. We will require proof that the agent is authorized by you and may need to verify your identity with them. If we suspect fraud, we may reject the request. If you want to designate an agent, please have them contact us with appropriate documentation.
How to Submit Requests (California): You (or your authorized agent) can submit requests to know, delete, or correct by contacting us at [email protected]. Please indicate that you are a California resident making a “CCPA/CPRA request.” We will verify and respond as described earlier (within 45 days, etc.; see below for timing).
Response Timing: Under CCPA, we have 45 days to respond to your request, which can be extended by another 45 days if necessary with notice to you. We’ll do our best to handle it quickly. Access requests for specific info will cover the 12-month period preceding your request (by default), but you can request data beyond 12 months if applicable, and we will provide it unless it’s impossible or unduly burdensome (the law allows some flexibility if the data is stored in a way not easily searchable beyond 12 months, etc.; as a small company, though, we can likely retrieve it).
Financial Incentives: We want to mention (as CPRA requires) that we do not offer financial incentives or price differences in exchange for your personal information. For example, we don’t have a program where you get a discount for letting us sell your data. If we ever run something like a referral program or a promotion that might be considered a financial incentive related to personal data (like a discount for subscribing to our newsletter), we will provide details and comply with CPRA’s requirements to explain the material terms and how to opt-in. Currently, no such incentives exist.
Virginia, Colorado, Connecticut, Utah, and Other U.S. State Residents
In addition to California, other U.S. states have privacy laws (some in effect, some upcoming). These include:
- Virginia (Virginia Consumer Data Protection Act, VCDPA)
- Colorado (Colorado Privacy Act, CPA)
- Connecticut (CT Data Privacy Act, CTDPA)
- Utah (Utah Consumer Privacy Act, UCPA)
- Texas (Texas Data Privacy and Security Act, TDPSA – 2024)
- Oregon (Oregon Consumer Privacy Act – 2024)
- Montana (Montana Consumer Data Privacy Act – 2024)
- Iowa (Iowa Consumer Data Protection Act – 2025)
- Tennessee (Tennessee Information Protection Act – 2025)
- Florida (Florida Digital Bill of Rights – 2025)
- Louisiana (Louisiana Consumer Data Privacy Act – 2025)
- Indiana (Indiana Consumer Data Protection Act – 2026)
- Kentucky (Kentucky Consumer Data Privacy Act – 2026)
- North Dakota, Delaware, New Jersey, and other recently enacted state laws
We cannot list each in detail here, but broadly, these laws grant very similar rights to what we’ve already described: the right to access, correct, delete, opt out of sales and targeted advertising, and in some cases profiling, plus the right to non-discrimination. We intend to honor those rights for residents of those states, just as we do for California.
One notable addition: Many of these states (VA, CO, CT, etc.) explicitly give you the right to opt out of targeted advertising, sale of personal data, and profiling for significant decisions. We have already stated we don’t sell data or do targeted advertising or such profiling, so by default, you’re opted out. If any question arises, consider yourself opted out. If we ever considered doing targeted ads, we would provide an opt-out mechanism then.
Another notable feature: Some states require a process for you to appeal if we decline to act on a rights request. For example, Colorado and Virginia say if we refuse your request, you can appeal within a reasonable time, and we must respond within 45 days to tell you the outcome of the appeal. Rest assured, we will rarely have a reason to deny a legitimate request. But if we do (say we cannot verify you, or an exemption applies), we will inform you. If you are not satisfied, you may appeal by replying to our decision email or contacting us again indicating that you are appealing our decision. We will have a different person (or a higher level) review the case and respond to you with the appeal determination within 45 days of the appeal request. If we still deny or partially deny, we will provide an explanation and information on how you can contact your state’s Attorney General or consumer protection authority to lodge a further complaint.
For example, Virginia residents can contact the Virginia Attorney General if they have concerns after an appeal. Colorado residents similarly can contact the Colorado AG. We will include those instructions in our appeal response, tailored to your state.
Submitting Requests (Other States): Use the same contact method – email [email protected] – and state that you are, say, a Virginia resident making a request under VCDPA (or just say privacy request and mention your state). We will treat it accordingly.
Verification and Timing: Similar to CCPA, we’ll verify identity (perhaps email verification, etc.) and respond within 45 days (with a possible 45-day extension). For deletion or access requests, these states usually also have a 45-day timeline.
Sensitive Data (Consent): Some states like Colorado and Virginia require opt-in consent to process sensitive personal data (which includes things like precise geolocation, health info, etc.). We do not process sensitive data as defined by those laws except maybe account credentials which are necessary (which might not fall under “sensitive” in those laws except for biometric, sexual orientation, etc., which we don’t have). If we did, by using our service you would be deemed to have given consent for the necessary sensitive processing (like voice data to text could be considered processing of health info if you dictate health info, but we don’t collect or store it; it’s under your control). If ever in doubt, we would seek explicit consent if something clearly sensitive came into play.
Right to Opt Out of Profiling: Some of these laws let you opt out of profiling in furtherance of decisions that produce legal or similarly significant effects. We do not do such profiling. If we ever start any automated processing that could be considered that, we will let you opt out.
Brazilian Residents (LGPD Rights)
If you are in Brazil, the LGPD grants you rights similar to GDPR. Based on Article 18 of LGPD, Brazilian data subjects have the following rights (some of which overlap with ones discussed):
- Confirmation of Processing: You can ask us to confirm whether or not we are processing your personal data. We will transparently confirm if we have data about you and generally what categories.
- Access: You have the right to access the data we hold about you (similar to access above). We will provide, upon request, an electronic or printed copy of your personal data we have, typically free of charge (unless it's repetitive or excessive).
- Correction: You can request the correction of incomplete, inaccurate, or out-of-date data. We will rectify any incorrect data as per your instruction (assuming we can verify the correct info).
- Anonymization, Blocking, or Deletion: For any data that is unnecessary, excessive, or processed in violation of LGPD, you have the right to request anonymization (so it can no longer be attributed to you), blocking (suspending processing), or deletion of that data. Essentially, if we shouldn’t have it or use it, you can make us stop or remove it.
- Data Portability: You can ask for your data in a format that can be transferred to another service or supplier, subject to regulation by the ANPD (Brazil’s authority) and our own commercial/industrial secrets. Practically, similar to the general portability we discussed, we’d give you your data.
- Deletion of Processed Data: You may request deletion of personal data processed with your consent. For example, if at some point we got your consent for something, you can later request deletion of that data. Even without consent, you can request deletion as covered above in “blocking or deletion”.
- Information about Sharing: You have the right to know which public and private entities we share your data with. We have listed categories of recipients in this policy (service providers, etc.). Upon request, we can confirm specific ones relevant to your data.
- Information about Consent: If you provided consent for something, you have the right to get information about the possibility of denying consent and what consequences that would have, as well as the right to withdraw consent. We already inform you that you’re generally not obligated to give consent (we try to rely on other bases or only ask consent for optional things), and if you don’t consent to optional features, the only consequence is you might not get that feature (for instance, not subscribing to the newsletter means you won’t get emails, which is expected). Withdrawing consent won’t negatively affect your use of the app, except for the parts that needed consent (they just won’t function).
- Revocation of Consent: As mentioned, you can revoke consent at any time. We will cease processing the data that was based on consent once you withdraw (unless another legal basis applies for us to keep it, in which case we’d inform you).
- Opposition (Objection): Though not explicitly listed in Article 18, LGPD allows you to object to processing in certain scenarios (similar to GDPR’s right to object, especially if you believe processing is not in compliance with the law). You can contest how we process data, and we will respond with either a remedy or a justification.
- Petition and Complaint: You have the right to petition the ANPD (Autoridade Nacional de Proteção de Dados) regarding our processing of your data. Essentially, if you’re not satisfied with how we handle your request or how we treat your data, you can complain to the ANPD.
- Refusal Consequences: If we ask for your consent for something and you refuse, we will inform you of the consequences of refusal. Typically, the consequence is just that you won’t get the optional service. (For example, if you don’t allow microphone access, the consequence is that you cannot use dictation. If you don’t consent to marketing emails, the consequence is just that you won’t receive those emails – which might not be a “consequence” from your perspective, maybe a benefit! But we’ll let you know.)
To exercise any LGPD rights, contact us at [email protected]. We will handle it similarly to GDPR requests (within one month, etc., though LGPD sets a generic timeframe of 15 days for responding to certain requests – we’ll strive to meet Brazilian expectations as well). We may need to verify your identity.
We will respond in Portuguese if you prefer, or English if that’s acceptable – let us know your preference.
How to Contact Us for Rights Requests
No matter where you are, the primary way to reach us to exercise your privacy rights is:
- Email: [email protected]
If you send an email, clearly state your request (e.g., “I am requesting deletion of my data under [your country law]”).
We do not charge a fee for handling your request, except under very specific conditions where the law allows it (like if you make repetitive, excessive requests, we might charge a reasonable fee or refuse, but we have not had that issue and hope not to).
We aim to be transparent and helpful in addressing your concerns. If you have any questions about your rights or how to exercise them, feel free to reach out even informally.
Authorized Agents and Power of Attorney (for U.S. State laws)
If you use an authorized agent (someone acting on your behalf):
- We may require proof that you gave them signed permission to act for you.
- We might still ask you to verify your identity directly or confirm that you provided the agent the authority to submit the request. (This is to prevent fraud.)
- For power of attorney, if it’s a formal legal POA, simply provide that documentation.
We treat agent requests with the same seriousness, just adding the verification of the agent’s authority.
Summary: Regardless of where you reside, we are committed to honoring your privacy rights. We have structured our practices to comply with stringent regulations like GDPR and CPRA, which in turn covers most aspects of other laws. So if you want to exercise any privacy right, just ask us — we will either fulfill it or explain why we can’t (if, for example, an exemption applies). Your privacy is at the core of ListenUp’s design (remember, we even keep your voice data off our servers by default!). We’re here to listen (pun intended) and respond to your privacy needs.
🔄 Changes to this Privacy Statement
We release a new version whenever we:
- add or replace a processor;
- expand or change the scope of data collection;
- enter a new market or age segment;
- respond to new legal requirements or regulatory guidance.
Major updates trigger an in‑app modal on first launch after the change.
A baseline review is conducted every June. When we make changes, we will:
- Post the updated policy on our website with a new “Last Updated” date.
- If the changes are significant, we will provide a prominent notice. For example, we might display a notice on our website homepage or notify you via email or an in-app alert. Significant changes could include things like using personal data for new purposes, or changes in who we share data with, etc.
- If required by applicable law, we will also seek your consent for certain changes. For instance, if we were to start processing data for a new purpose that requires consent, we’d ask for it.
We encourage you to review this Privacy Statement periodically to stay informed about how we are protecting your information. The “Last Updated” date at the top helps you quickly know if there’s a new version since you last read it.
For minor changes that don’t materially affect your rights (like clarifications or stylistic changes), we may update without a special notice, beyond just posting the new version. Rest assured, we will not reduce your rights under this Privacy Statement without your consent (where required by law).
If you continue to use ListenUp Dictation after a new Privacy Statement has become effective, that will indicate your acceptance of the revised terms (unless otherwise stated). If you do not agree with the changes, you should stop using the services and can request us to delete your data if you wish.
We maintain an archived log of previous privacy policy versions which can be made available for review. The Change Log below provides a summary of updates.
✉️ Contact Us
If you have any questions, concerns, or comments about this Privacy Statement or our data practices, please do not hesitate to contact us:
- Email: [email protected]
(We currently prefer email communication for efficiency. If you need to speak by phone, you can email us to schedule a call.)
We will be happy to answer your questions or address any issues you have. Your trust is extremely important to us, and we want to ensure you feel safe and informed when using ListenUp Dictation.
📜 Appendix: Change Log
- Version 1.0 – 12 June 2025: Initial publication of the Privacy Statement for ListenUp Dictation. This is the first comprehensive privacy notice, covering the macOS app, companion websites, and future versions. It includes a short-form summary, full detailed policy, and complies with GDPR, ePrivacy, Dutch Telecommunicatiewet, CPRA/CCPA, and the host of new U.S. state laws (VCDPA, CPA, CTDPA, UCPA, etc.), as well as Brazil's LGPD. It outlines our data practices (especially emphasizing local processing of audio), users' rights, international transfer safeguards, and security measures. All required disclosures from Article 13/14 GDPR and relevant US/Brazil laws are included.
- Version 2.0 – 11 July 2025: Updated privacy statement based on feedback. Key changes include: (1) Simplified short privacy notice with concise bullet points, (2) Added ThoFlow AI as data controller with registered address, (3) Clarified cookie banner implementation with specific cookie categories, (4) Specified data hosting on Hetzner Germany servers and transfer mechanisms, (5) Converted retention periods to clear table format, (6) Added specific triggers for policy updates and baseline review schedule, (7) Added complete list of service providers, (8) Added specific free trial limit disclosure (15 minutes), (9) Added subscription pricing transparency, (10) Added age verification process details, (11) Added DPA availability information, (12) Enhanced cookie consent mechanism details, (13) Added specific breach notification timeframe for users, (14) Specified data export format details, (15) Added marketing email frequency limits, (16) Added explicit data minimization principle reference, (17) Added legitimate interest assessment availability.