Data Protection Policy

Last updated: November 21, 2025

This Data Protection Policy explains how Coded Thinking OÜ, a company established in Estonia ("we", "us", "our"), processes personal data when you use our voice-chat application ("Service"), in accordance with the EU General Data Protection Regulation (GDPR) and the Estonian Personal Data Protection Act (Isikuandmete Kaitse Seadus).

By using the Service, you consent to the processing activities described here.

1. Data Controller

Coded Thinking OÜ

Registry code: 16607448

Sakala tn 7-2, 10141 Tallinn, Estonia

Contact: koren@codedthinking.com

2. Categories of Data We Process

2.1. Audio Data

  • We do not store audio recordings.
  • Audio is transmitted to our speech-to-text processor in real time and discarded immediately after transcription.

2.2. Text Data (Chat Messages)

We store the text transcripts of your chat sessions.

  • Stored text is not associated with your user ID.
  • Each message is linked only to a non-reversible hash identifier that cannot be used to re-identify you.

2.3. User Responsibility & Automated PII Removal

  • You are responsible for not including personal data or identifiable information in your conversations.
  • We perform automated detection and attempted removal of PII, but:
    • This process is not guaranteed to be complete, and
    • We accept no liability for personal data included by you.

3. Purposes of Processing

We process text data for the following purposes:

  1. Provision of the Service, including speech-to-text transcription and AI-driven features.
  2. Quality assurance, troubleshooting, and security monitoring.
  3. Improvement of our algorithms and AI models, including training and evaluation.
  4. Research and development to enhance the Service.
  5. Improvement of other products and services offered by our company.
  6. Detection and prevention of abuse, including automated scanning for PII.

We never sell or publicly disclose your messages to any third party.

4. Legal Basis for Processing

Explicit Consent (GDPR Art. 6(1)(a))

Processing is based primarily on your explicit consent, given by:

  • starting a chat or submitting audio/text,
  • agreeing to this Policy,
  • and continuing to use the Service.

Because messages are stored in an anonymized form not linkable to individuals, further processing for research and model training may also fall outside the GDPR's scope under Recital 26, to the extent that no personal data remains.

5. Data Retention

  • Audio: Not stored at any time; discarded immediately after transcription.
  • Text transcripts: Retained for research, model improvement, and product development unless you request deletion of your user account. (Anonymized transcripts already incorporated into research or training materials cannot feasibly be removed.)

6. Data Recipients and Processors

We use third-party service providers ("processors") to support:

  • speech-to-text conversion,
  • hosting and infrastructure,
  • natural-language processing,
  • and other operational functions.

All processors act under Data Processing Agreements (DPAs) in accordance with GDPR Art. 28. We do not publicly list individual vendors in this Policy for security and confidentiality reasons. A copy of the current list of processors can be requested by contacting us at the address in Section 1. Processors act only under our instructions and do not use your data for their own purposes.

7. International Transfers

Some processors may operate outside the EU/EEA. In such cases, transfers rely on:

  • Adequacy decisions, or
  • Standard Contractual Clauses (SCCs) approved by the European Commission.

You consent to these transfers when using the Service.

8. Security Measures

We apply technical and organizational measures including:

  • pseudonymization by hashing,
  • no storage of raw audio,
  • access control,
  • automated detection of potential PII.

However, we cannot guarantee that users will not voluntarily disclose personal data in their chats.

9. Your Responsibilities

  • Do not input personal or identifying information.
  • Understand that automated PII removal is not perfect.
  • Use the Service lawfully and responsibly.

10. Your GDPR Rights

Depending on the data we hold and whether it is linked to your identity, you have rights including:

  • withdrawal of consent,
  • access (where applicable),
  • rectification,
  • erasure of your user account,
  • restriction of processing,
  • objection,
  • and the right to lodge a complaint with the Estonian Data Protection Inspectorate (AKI).

Contact us to exercise any rights.

11. Changes to This Policy

We may update this Policy periodically.

Material changes will be communicated via the Service.