Privacy Policy
This page is the official, current version of our Privacy Policy. See also our Terms of Service, Cookie Policy, and Accessibility Statement.
The only interest Cleft has in your data is keeping it safe.
- Your voice stays on your device. Transcription runs on-device with Whisper; audio is never sent to a server.
- We never train AI on your data. Your thoughts stay private.
- We never sell your data. Not to anyone, ever.
- Your data is hosted in the EU (Ireland) with AES-256-GCM encryption.
- You can access, export, and delete everything. Your data is portable.
- No tracking, no ads, no data brokers. Ever.
Estimated reading time: 10 minutes.
The short version: what you need to know
- Your voice stays on your device. Transcription happens entirely on your iPhone, iPad, or Mac using Whisper AI. Your audio recordings are never sent to any server.
- Your notes are encrypted. AES-256-GCM encryption, EU-hosted (Ireland), with a zero-access architecture.
- AI processing is limited and transparent. Only note text (never audio) is sent to OpenAI or Groq for summarisation features, under strict DPAs that prohibit training on your data.
- We use a small set of vendors. 20 handle your data, the rest are internal tools. Full list on our vendor transparency page.
- Your rights are real. Delete, export, restrict, or port your data anytime. Email privacy@cleftnotes.com or dpo@cleftnotes.com.
Simplified privacy promise
- Your notes are yours. We never train AI on your data, sell your information, or access your private notes without permission.
- Security first. Encryption everywhere, local AI processing, secure EU cloud storage.
- Minimal data. We collect only what is needed to make Cleft work. No tracking, no ads, no data brokers.
- EU hosting. Your data stays in the EU (Ireland) with GDPR protection.
- No tracking. No cross-app tracking, no advertising IDs, no targeted ads. Ever.
- Your control. Access, export, or delete your data anytime. No questions asked.
Questions? privacy@cleftnotes.com.
Section 1: Data collection & usage summary
What we collect
Voice & content:
- Voice recordings (audio files)
- Transcripts generated from your recordings
- Notes, summaries, tags, and custom instructions
- App preferences and settings
Account information:
- Email address (for authentication)
- User ID (account identifier)
- Subscription status
Usage analytics:
- Feature interaction events (app launches, note creation, sharing)
- Performance metrics (transcription speed, app responsiveness)
- Crash reports and diagnostic data
- Device information (for analytics, not advertising)
What we don’t collect
- Photos or videos
- Location data (precise or coarse)
- Contact lists from your device
- Health or fitness data
- Browsing history outside the app
- Advertising identifiers (IDFA)
- Payment card details (handled by Apple/RevenueCat)
- Search history (processed locally only)
How we use it
Core functionality: transcribe your voice recordings using on-device AI (Whisper model); store and sync your notes across your devices (iOS, macOS, watchOS); provide search, organization, and editing features; enable optional public note sharing (when you choose to share); and manage your account and subscription.
Service improvement: analyze usage patterns to improve features (anonymous aggregates); monitor performance to optimize transcription speed and app responsiveness; track crashes and errors to fix bugs and improve stability; and understand which features are most valuable to users.
Customer support: provide assistance when you contact us, troubleshoot technical issues, and answer questions about your account.
What we don’t do
- Never train AI models on your data. Whisper runs entirely on your device, with no cloud AI training.
- Never sell your information. We don’t sell data to advertisers, data brokers, or marketing companies.
- Never share without permission. Your data stays private, except the required service providers listed below.
- Never track you across other apps or websites. No cross-app tracking, no IDFA collection.
- Never access your private notes. We can only see your data if you explicitly request support.
- Never use your data for advertising. Cleft is ad-free with no targeted advertising.
Section 2: How we protect your data
Technical safeguards
Encryption: TLS/HTTPS encryption for all data transfers (in transit); AES-256-GCM encryption for stored data on AWS (at rest, with authenticated encryption); secure authentication tokens (no plain-text passwords). Algorithm: AES-256-GCM (NIST-approved, used by governments and financial institutions). Key management: AWS-managed keys with automatic rotation.
Local AI processing: voice transcription happens entirely on your device using the Whisper AI model; audio is processed locally before any optional cloud storage; the Whisper model runs completely offline with no external AI service calls; no audio data is sent to OpenAI or any other AI cloud service.
Secure cloud storage: AWS infrastructure in the EU (Ireland, eu-west-1 region); industry-standard security practices; data segregation per user account; redundant backups with encryption; CloudFront CDN for fast, secure content delivery.
Organizational measures
Access controls: limited employee access to user data (need-to-know basis only); multi-factor authentication for internal systems; regular access audits and reviews; strict vendor agreements requiring data protection.
Security practices: regular security audits and vulnerability assessments; vendor agreements requiring GDPR/CCPA compliance; incident response procedures and breach notification protocols (Irish DPC within 72 hours, affected users without undue delay); secure software development lifecycle (code reviews, testing).
Privacy by design
Minimal data collection: we only collect data necessary for app functionality; no data collection for advertising or tracking purposes; optional features (like public sharing) are opt-in, not default.
Default privacy settings: notes are private by default (not public); public sharing requires explicit user action; microphone access requires explicit permission; analytics data is aggregated and anonymized.
Regular data deletion: you can delete your account and all data at any time; deleted data is permanently removed immediately upon request; temporary audio files are deleted after successful transcription (unless you choose Keep Audio).
Section 3: Your privacy rights
You can always:
- Access your data. Request a copy of all data we have about you.
- Export everything. Download your notes, transcripts, and audio files in portable formats.
- Delete your account. Permanently remove all your data from our systems (immediate deletion).
- Correct inaccuracies. Update your email, display name, or preferences.
- Opt out of communications. Unsubscribe from marketing emails (if any).
- Request data portability. Get your data in a machine-readable format (JSON, Markdown).
How to exercise your rights: in-app via Settings > Account > Privacy & Data; by email at privacy@cleftnotes.com; or by contacting our DPO at dpo@cleftnotes.com. Response time: within 30 days (usually much faster).
GDPR rights (EU/UK residents)
If you are in the European Economic Area (EEA) or United Kingdom, you have additional rights under GDPR:
- Right to be informed: this privacy policy and transparent data practices.
- Right to access: request all personal data we hold about you.
- Right to rectification: correct inaccurate or incomplete data.
- Right to erasure (right to be forgotten): delete your data under certain conditions.
- Right to restrict processing: limit how we use your data.
- Right to data portability: receive your data in a portable format (JSON, Markdown).
- Right to object: object to data processing for specific purposes.
- Right to withdraw consent: withdraw consent at any time.
- Rights related to automated decision making: we don’t use automated decision-making that significantly affects you.
Automated decision-making (GDPR Article 22): we do NOT use automated decision-making or profiling that produces legal or similarly significant effects concerning you.
Right to lodge a complaint: UK residents can contact the Information Commissioner’s Office (ICO); EU residents can find their local authority via the European Data Protection Board.
Legal basis for processing: contract performance (Article 6(1)(b)), to provide the Cleft service you signed up for; legitimate interests (Article 6(1)(f)), to improve our service, prevent fraud, and ensure security; consent (Article 6(1)(a)), for optional features like public note sharing, LLM summaries, and Notion integration.
Data Protection Officer: Jonathan Cosgrove, dpo@cleftnotes.com.
CCPA/CPRA rights (California residents)
If you are in California, you have rights under CCPA and CPRA:
- Right to know: what personal information we collect, use, disclose, and sell.
- Right to access: request a copy of your personal information (up to twice per year).
- Right to deletion: request deletion of your personal information.
- Right to correct: request correction of inaccurate personal information.
- Right to opt out of sale/sharing: we don’t sell or share your data.
- Right to limit use of sensitive personal information: we don’t collect sensitive personal information as defined by CPRA.
- Right to non-discrimination: equal service and pricing regardless of privacy choices.
Important CCPA/CPRA disclosures. Sale of personal information: we do NOT sell your personal information. Never have, never will. Sharing for behavioral advertising: we do NOT share your personal information for targeted ads; Cleft is completely ad-free. Sensitive personal information: we do NOT collect sensitive personal information (SSN, precise geolocation, racial/ethnic origin, health data, etc.). Financial incentives: we do NOT offer financial incentives in exchange for personal information.
How to exercise CCPA rights: email privacy@cleftnotes.com. Response time: within 45 days (may extend to 90 days with notice).
Section 4: Who we share data with
Service providers (data processors). The vendors that handle your data:
Core infrastructure:
- AWS (Amazon Web Services): cloud hosting, storage, CDN (EU Ireland, eu-west-1). DPA on file.
- CloudFront (AWS): content delivery network for fast, secure access.
- Cloudflare: CDN, DDoS protection, and hosting for our website. DPA on file.
AI & processing:
- OpenAI: text summarization and formatting ONLY (never audio). DPA on file with SCCs.
- Groq: fast LLM inference for text processing (alternative to OpenAI). DPA on file.
- Whisper (on-device): voice transcription runs locally on your device, with no cloud processing.
Payments & subscriptions:
- Apple App Store: payment processing (Apple handles all payment data).
- RevenueCat: subscription management and entitlements. DPA on file.
- Stripe: legacy payment processing (for pre-App Store accounts only). DPA on file.
Analytics & monitoring:
- TelemetryDeck: privacy-first analytics (no personal data, differential privacy). German hosting.
- Fathom Analytics: cookieless website analytics (no personal data).
- Sentry: crash reporting and error tracking. DPA on file.
Integrations & identity:
- Nango: OAuth integration management (Notion connection). DPA on file.
Communication:
- Amazon SES (AWS): transactional email delivery (account, billing, and security notifications). Covered by the AWS DPA.
Data access, deletion, and portability requests are handled by email at privacy@cleftnotes.com (the previous third-party request form has been retired).
Data Processing Agreements (DPAs) on file: OpenAI, Groq, AWS, RevenueCat, Stripe, Nango, Cloudflare, Sentry.
Internal tools (vendors that don’t handle your data). These tools are used for development, business operations, and internal communication only. They never access, process, or store your personal data: GitHub, Xcode, TestFlight, CocoaPods, SwiftLint, Cursor, Claude Code (development); Figma (design); Linear, Notion (internal), Mintlify (project management); Slack, Discord (communication); Stripe (dashboard only), App Store Connect, Google Workspace (business); OpenAI (policy drafting only), Claude (documentation) (legal); Buffer (marketing); Docker, Vercel (infrastructure).
We never share with: advertisers, data brokers, marketing companies, or anyone else without your permission.
For complete vendor transparency including DPA status, data shared, and privacy links for every vendor, see our vendor transparency page.
Section 5: Data retention & deletion
How long we keep your data. Active accounts: account data is retained while your account is active; audio recordings are retained until you delete them (or delete your account); transcripts and notes are retained until you delete them (or delete your account); analytics data is aggregated and retained for service improvement (no PII after aggregation).
Deleted accounts: all personal data is immediately deleted upon account deletion request; no backup retention (we don’t keep shadows or copies); third-party processors are notified to delete your data per their retention policies.
Automatic deletion: temporary audio files are deleted after successful transcription (unless you choose Keep Audio); authentication tokens expire and are deleted after a session ends; crash reports (anonymized) are retained for 90 days for debugging.
Legal retention: financial records are retained as required by law (typically 6 to 7 years for tax records); data required by court order or legal proceedings is retained as mandated.
Section 6: International data transfers
Where your data is stored. Primary storage: European Union (Ireland). AWS eu-west-1 (Dublin, Ireland) stores all user data; GDPR-compliant infrastructure with AES-256-GCM encryption; subject to EU data protection law (strongest in the world).
Data processors outside the EU: OpenAI (United States), text processing only, DPA with Standard Contractual Clauses; Groq (United States), backup text processing, DPA with SCCs; RevenueCat (United States), subscription management; Sentry (United States), server-side error monitoring, DPA with SCCs.
Data processors inside the EU: TelemetryDeck (Germany), privacy-first analytics; user data stored on AWS eu-west-1 (Ireland).
Transfer safeguards: Standard Contractual Clauses (SCCs) for US transfers; EU-US Data Privacy Framework (where applicable); Data Processing Agreements with all vendors; encryption in transit (TLS) and at rest (AES-256-GCM); regular compliance reviews.
Section 7: Children’s privacy
Cleft is intended for users aged 16 and older.
- We do not knowingly collect personal information from anyone under 16.
- If we discover we have collected data from a child under 16, we will delete it immediately.
- Parents or guardians can contact privacy@cleftnotes.com to request deletion of a child’s data.
- We comply with COPPA (US), GDPR Article 8 (EU), and equivalent children’s privacy laws in all jurisdictions.
- The App Store age rating reflects our 16+ policy.
Section 8: Tracking, advertising & Do Not Track
We do NOT: use cookies to track you (see our Cookie Policy); collect advertising identifiers (IDFA/GAID); engage in cross-app or cross-site tracking; use targeted or behavioral advertising; participate in advertising networks; or share data with ad exchanges or data brokers.
Do Not Track (DNT): we honor Do Not Track browser signals. However, since we don’t track users anyway, DNT has no practical effect on our service.
App Tracking Transparency (ATT): Cleft does not request ATT permission because we don’t track users across apps or websites. We have no advertising SDK or tracking pixels.
Analytics we do use: TelemetryDeck (privacy-first, differential privacy, no personal data, German hosting) and Fathom Analytics (cookieless website analytics, no personal data, Canadian hosting). Both services are fully GDPR/CCPA compliant and designed to protect user privacy.
Additional jurisdiction rights
LGPD (Brazilian residents): you have rights under Brazil’s Lei Geral de Protecao de Dados Pessoais including confirmation and access, correction, anonymization/blocking/deletion, portability, deletion of consent-based data, information about sharing, consent withdrawal, and review of automated decisions. Legal bases: consent (Article 7, I), contract performance (Article 7, V), legitimate interests (Article 7, IX). Contact the ANPD.
PIPEDA (Canadian residents): you have rights under Canada’s Personal Information Protection and Electronic Documents Act including the right to be informed, access, correction, consent withdrawal, and challenging compliance. We comply with PIPEDA’s 10 Fair Information Principles. Contact the Privacy Commissioner.
POPIA (South African residents): you have rights under the Protection of Personal Information Act including access, rectification, deletion, objection, and the right to lodge a complaint. We comply with POPIA’s eight processing conditions. Information Officer: Jonathan Cosgrove (dpo@cleftnotes.com). Contact the Information Regulator.
Australian Privacy Principles: you have rights under the Privacy Act 1988 including access (APP 12), correction (APP 13), anonymity/pseudonymity (APP 2), and the right to complain to the OAIC. We comply with all 13 APPs. Contact the OAIC.
Vietnamese PDPD: you have rights under Vietnam’s Personal Data Protection Decree including the right to know, consent, access, withdraw consent, correct/delete, lodge complaints, claim damages, and self-defence. Contact the PDPC via the Ministry of Public Security.
Bahraini PDPL: you have rights under Bahrain’s Personal Data Protection Law including access, correction, deletion, restriction, portability, objection, and consent withdrawal. Contact the PDPA.
Kazakhstani data protection: you have rights under Kazakhstan’s Law on Personal Data and its Protection including the right to be informed, access, correction, deletion, consent withdrawal, objection, and complaint filing.
For all jurisdictions: email privacy@cleftnotes.com; Data Protection Officer Jonathan Cosgrove (dpo@cleftnotes.com); response time within 30 days.
Section 9: Changes to this policy
Notification: we will notify you of significant changes via email or in-app notification at least 30 days before changes take effect. Minor updates (clarifications, new contact info, typo fixes) are posted here with an updated date. Continued use after changes constitutes acceptance (you can delete your account if you disagree).
Review: we review and update this policy at least annually, or when our practices change. (See the change history at the foot of this page for the version timeline.)
Section 10: Contact & data protection
Privacy inquiries: privacy@cleftnotes.com. Response time: within 30 days (usually much faster, often within 48 hours).
Data Protection Officer: Jonathan Cosgrove, dpo@cleftnotes.com. Responsibilities: oversee data protection compliance, handle data subject requests, manage security incidents, and GDPR/CCPA compliance.
Data access & deletion requests: email privacy@cleftnotes.com. Required information: your email address, type of request (access, deletion, correction, portability, restriction), and verification details. Processing time: within 30 days, usually faster.
Security concerns: report a security issue at security@cleftnotes.com. Please note: Cleft does not operate a bug bounty program. If you are a security researcher, include credentials and a clear description. Automated scanning is not permitted.
Company information: Cleft AI Limited, 3 Ard na Greine, Eaton Brae, Dublin D14 YN25, Ireland. Website: www.cleftnotes.com. Support: learn.cleftnotes.com. Related: Terms of Service, Cookie Policy, Accessibility Statement.
Section 11: Your privacy choices summary
- View your data: Settings > Account > Download Data.
- Delete your account: Settings > Account > Delete Account.
- Export your notes: Settings > Account > Export Data (JSON/Markdown).
- Manage subscription: Settings > Subscription > Manage.
- Revoke microphone access: Device Settings > Cleft > Microphone.
- Update email address: Settings > Account > Email.
- Contact privacy team: privacy@cleftnotes.com.
- File a GDPR/CCPA request: privacy@cleftnotes.com.
- Review the vendor list: vendor transparency page.
Related documents
- Terms of Service: the rules for using Cleft.
- Cookie Policy: how we use cookies.
- Accessibility Statement: our accessibility commitments.
- Vendor transparency: who we work with and why.
- Trust overview: our broader security and privacy approach.
Change history
Current version: May 24, 2026. Sub-processor roster reconciliation: transactional email attributed to Amazon SES, Nango retained, an unused legacy entry removed, and Anthropic clarified as an internal/operational tool that does not process your data.
Previous versions: February 4, 2026 (v1.4, comprehensive update: EU hosting (Ireland) confirmed, TelemetryDeck added, full vendor disclosure, and 10 jurisdictions covered); September 10, 2025 (v1.3, initial comprehensive privacy policy); September 18, 2024 (v1.2); February 22, 2024 (v1.1); December 27, 2023 (v1.0).
For the most current and legally binding version of our Privacy Policy, this page is the source of truth. If you have any questions about our privacy practices, email privacy@cleftnotes.com or our Data Protection Officer at dpo@cleftnotes.com.
