Data Processing Agreement

This document is both a plain-language guide to how Cleft handles your data and our formal Data Processing Agreement (DPA) for customers and compliance teams who need processing documentation on file.

Controller and processor relationship

  • You (Data Controller): you control the personal data in your notes, recordings, and account.
  • Cleft (Data Processor): we process your data solely to provide voice-to-text services, on your instructions.
  • Legal basis: processing based on legitimate interests (service provision) and consent where applicable.

We only collect and process the data essential to delivering the service. Your content is never used to train AI models and is never shared with advertisers. This DPA covers the processors that handle personal data. For the complete roster, including business-operations vendors that handle no personal data, see our vendor transparency page.

Data categories and how they are processed

Audio recordings

What we collect: audio files when you press record.

How it is processed: audio stays on your device while you record; transcription runs on-device using the Whisper model; audio is never sent to a server for transcription. If you choose Keep Audio, the recording is stored encrypted in your account for cross-device access and download; otherwise the temporary audio file is deleted after a successful transcription.

Who has access: AWS (encrypted hosting only, no content access) and you (full ownership, with download and delete rights).

Transcripts and text

What we collect: the text versions of your recordings.

How it is processed: generated on your device, then, only when you ask for an enhanced note, the text (never the audio) is sent to an AI provider for summarization and formatting, and synced to your account for cross-device access.

Who has access: OpenAI (primary text processing, text only, never audio), Groq (backup text processing, text only), and AWS (encrypted hosting only). AI providers receive only text, never your audio recordings, and your data is never used to train their models.

Account information

What we collect: email address (for authentication), display name, app preferences and settings, and device information (for sync).

Who has access: AWS (secure hosting), HubSpot (customer support interactions only), and MailerLite (marketing newsletter delivery, opt-in only). You can export, modify, or delete this data at any time.

Website and forms

What we collect: form submissions, contact and support requests, and scheduling information for consultations.

Who has access: Fillout (form building and scheduling data), Namecheap (domain registration and DNS), and Cloudflare (CDN, DNS, and website performance for our public site). These vendors help us run our website and respond to inquiries.

Integrations and automation

What we collect: the integration data flows and connected-app permissions you configure.

Who has access: Nango (manages the OAuth authorization tokens for integrations you connect, such as Notion, handling authorization only, not your note content) and Zapier (only the data flows you explicitly configure). You control every data flow and can disable integrations at any time.

Usage analytics

What we collect: anonymous feature-usage patterns, performance metrics, crash reports (no personal content), and documentation page views.

Who has access: Fathom Analytics (privacy-first website analytics), TelemetryDeck (anonymous in-app analytics, no PII), Sentry (crash reporting, no personal content), and Metabase (internal, aggregated analytics only). All analytics are anonymous and contain no personal content or notes.

Payment information

What we collect: subscription status and purchase history. We never see or store your actual payment details (card numbers and the like); that is handled entirely by the payment processors.

Who has access: Apple (App Store subscriptions), Stripe (web payments, PCI compliant), and RevenueCat (subscription management).

How your data flows

Recording to note. You record audio (stays on your device), it is transcribed on-device with the Whisper model, and, if you request an enhanced note, the transcript text (never audio) is sent to OpenAI or Groq for formatting. The final note is saved to encrypted AWS storage and synced to your devices over an encrypted connection.

Data at rest. Notes, transcripts, and account data are stored encrypted on AWS; AI providers store nothing (they process text and return a result); your device holds a local cache and your preferences.

Data in transit. Device-to-AWS and AWS-to-AI-provider traffic is encrypted with TLS; payment processing connects you directly to the processor and bypasses our servers; analytics are anonymous and aggregated.

Where your data is stored

Primary storage is in the European Union: AWS eu-west-1 (Dublin, Ireland) stores all user data on GDPR-compliant infrastructure with AES-256 encryption. Processors outside the EU (OpenAI and Groq in the United States for text processing, RevenueCat and Sentry in the United States) operate under Data Processing Agreements with Standard Contractual Clauses.

Your data rights

  • Full ownership: you own all notes, transcripts, and audio files; export everything at any time; delete individual items or your entire account. No vendor lock-in.
  • Complete control: choose what syncs, manage communication preferences and integration permissions, and request deletion of specific data.
  • Transparency: know exactly who processes your data, see every vendor relationship, and request copies of vendor DPAs.
  • Privacy by design: no advertising or tracking, no data sales, and no AI training on your content. GDPR and CCPA compliant.

Data minimization and retention

We follow strict data-minimization principles: we collect only what core functionality requires, use data only for stated purposes, and limit vendor access to the functions each vendor needs.

Retention. Account data, audio, transcripts, and notes are retained while your account is active and until you delete them (or delete your account). When you delete your account, all personal data is deleted immediately, with no backup retention; third-party processors are instructed to delete your data per their retention policies. Temporary audio files are deleted after a successful transcription unless you choose Keep Audio, and anonymized crash reports are retained for 90 days. Financial records are kept only as long as the law requires.

Compliance and audit rights

  • Audit rights: customers may audit our data-processing activities on reasonable notice.
  • Compliance support: we assist with your GDPR, CCPA, and other regulatory compliance requirements.
  • Documentation: this page serves as your DPA. Bookmark, download, or print it for your compliance records.
  • Updates: we notify customers of material changes to our data-processing practices.

Incident response and security

Notification. We notify affected customers within 72 hours of discovering a security incident, with containment, investigation, remediation, and a detailed incident report.

Technical and organizational measures. All data is encrypted in transit (TLS) and at rest (AES-256). We use role-based access controls, multi-factor authentication, and regular access reviews, on SOC 2-aligned cloud infrastructure with monitoring and redundancy, and provide regular security training for our team.

Questions about data processing?

Data Protection Officer: Jonathan Cosgrove, Founder, COO and Data Protection Officer, at dpo@cleftnotes.com. For DPA requests, include “DPA” in the subject line.

Privacy and compliance: privacy@cleftnotes.com for DPA questions, audit requests, compliance documentation, and general privacy questions. To request a copy of the personal data we hold about you, or its deletion, email either inbox.

Related documents