Privacy Policy

1. Introduction

Done Typing ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and protect information when you use our browser-based voice-to-text transcription service (the "Service").

By using the Service, you consent to the data practices described in this Privacy Policy. If you do not agree with this Privacy Policy, please do not use the Service.

For questions regarding this Privacy Policy, please contact us at privacy@donetyping.com.

2. Information We Collect

2.1 Audio Data

When you use the Service, you may grant permission for us to access your device's microphone. Audio data is captured through your browser's Web Audio API and transmitted to our backend infrastructure for real-time processing and transcription generation.

Audio Processing and Storage: Audio data is transmitted to our backend servers solely for the purpose of generating transcriptions. We do not store, retain, or archive audio files after processing is complete. Audio data exists only during the active transcription session and is immediately discarded upon completion.

2.2 Account Information

If you choose to create an account, we collect certain information through Google OAuth authentication. This includes your email address, full name as provided by Google, and your profile picture or avatar URL. This information is stored and managed by our authentication provider, Supabase, Inc. We do not collect or store passwords.

Why we collect this information: We require your email address to identify your account and communicate with you about your account status or service changes. Your name and avatar help personalize your experience and display your identity within the Service interface. Without this information, we cannot provide account-based features such as extended recording limits or cross-device session management.

2.3 Transcription History

Transcription text and associated timestamps are stored locally in your browser using localStorage. This data remains on your device and is not transmitted to or stored on our servers. You may clear this data at any time through your browser settings.

2.4 Newsletter Subscription Data

If you subscribe to our newsletter, we collect your email address and record the source of your subscription (such as the newsletter signup form or pricing page) to help us understand how users discover our communications.

2.5 Technical and Usage Data

We automatically collect certain technical information when you use the Service, including your browser type and version, operating system, device type, IP address, pages you visit, features you use, and session duration. This data is collected through Google Tag Manager for analytics and service improvement purposes.

3. How We Use Your Information

3.1 Service Provision

We use the information we collect to provide voice-to-text transcription services, process audio data in real-time, generate and display transcription results, and authenticate users while managing their sessions. This processing is essential to deliver the core functionality of the Service.

3.2 Communication

If you provide your email address, we may use it to send you newsletters and product updates if you have subscribed, respond to your inquiries and support requests, and notify you of significant service changes that may affect your use of the Service.

3.3 Analytics and Improvement

We analyze usage patterns and technical data to improve the Service, diagnose technical issues, and enhance user experience.

4. Data Storage and Security

4.1 Storage Locations

Your information is stored in several locations depending on the type of data. Transcription history, including text and timestamps, is stored exclusively in your browser's localStorage on your device. Authentication data such as your email address, name, and avatar is stored by Supabase, Inc., our authentication and database service provider. Newsletter subscriber data is stored by ConvertKit (Kit), our email marketing service provider. Audio data is processed in real-time on our backend servers and is not retained after processing.

Supabase Data Handling: Supabase stores your authentication data on their secure servers. They maintain this data as long as your account remains active with us. If you revoke your Google OAuth authorization or delete your account, Supabase will remove your authentication data from their systems in accordance with their data retention policies. Supabase may retain certain logs and metadata for security and operational purposes as required by their infrastructure management, but this does not include the content of your transcriptions or audio data.

ConvertKit Data Handling: When you subscribe to our newsletter, ConvertKit stores your email address and subscription preferences on their servers. They maintain this information until you unsubscribe or we terminate our relationship with them. ConvertKit operates under their own privacy policy and data processing agreements, which govern how they handle subscriber data and respond to deletion requests.

Backend Infrastructure: Our backend servers receive audio data via encrypted WebSocket connections for real-time transcription processing. This data exists only in temporary memory during the active transcription session and is never written to persistent storage. Once the transcription is complete and the results are sent back to your browser, all audio data is immediately purged from our servers.

4.2 Security Measures

We implement appropriate technical and organizational measures to protect your information. All audio transmission occurs over WebSocket Secure (WSS) encryption. We use the OAuth 2.0 protocol for authentication and HTTPS encryption for all data transmission between your browser and our servers. Session management is handled through secure HTTP-only cookies.

Encryption Standards: All data transmitted between your browser and our servers uses TLS 1.2 or higher encryption. Authentication tokens are stored in HTTP-only cookies, which prevents JavaScript access and reduces the risk of cross-site scripting attacks. Audio data streams are encrypted end-to-end between your device and our backend infrastructure.

Access Controls: We limit access to user data to only those employees and contractors who require it to perform their job functions. All personnel with access to systems containing user data are bound by confidentiality agreements and undergo security training. We maintain audit logs of access to sensitive systems and regularly review these logs for unauthorized access attempts.

Third-Party Security: Our service providers (Supabase and ConvertKit) maintain industry-standard security practices including SOC 2 compliance, encryption at rest and in transit, and regular security audits. However, we cannot guarantee the security of data stored by third parties, and you should review their respective security documentation for complete information.

4.3 Data Retention

We retain different types of information for different periods. Audio data is not retained at all—it is processed in real-time and immediately discarded. Transcription history remains in your browser's localStorage until you clear your browser data. Account data is retained until you delete your account or revoke your Google OAuth authorization. Newsletter subscription data is retained until you unsubscribe. Analytics data is retained according to Google Analytics retention policies.

Account Deletion Process: When you revoke Google OAuth authorization through your Google Account settings, your authentication data is marked for deletion in Supabase. Supabase typically completes this deletion within 30 days, though certain metadata may be retained longer for legal or security purposes as permitted by their privacy policy. If you wish to expedite this process or ensure complete deletion of all account-related data, you may contact us at privacy@donetyping.com.

Backup and Recovery:Supabase maintains backups of authentication data for disaster recovery purposes. These backups are retained for a limited period (typically 30 days) and are automatically purged according to Supabase's backup retention schedule. Your transcription history stored in localStorage is not backed up by us and exists only on your device.

Legal Retention Requirements: In certain circumstances, we may be required to retain data for longer periods to comply with legal obligations, resolve disputes, or enforce our agreements. Such retention would only apply to minimal necessary data and would be subject to appropriate security measures.

5. Third-Party Services

We use the following third-party service providers to deliver the Service:

5.1 Supabase, Inc.

Purpose: Authentication, user management, and session storage.
Data Processed: Email addresses, names, avatars, authentication tokens.
Privacy Policy: https://supabase.com/privacy

5.2 Google LLC

Purpose: OAuth authentication and analytics via Google Tag Manager.
Data Processed: Profile information (with your consent), usage analytics.
Privacy Policy: https://policies.google.com/privacy

5.3 ConvertKit (Kit)

Purpose: Email newsletter management and delivery.
Data Processed: Email addresses, subscription preferences.
Privacy Policy: https://kit.com/privacy

5.4 Backend Infrastructure

Purpose: Real-time audio processing and transcription generation.
Data Processed: Audio data (processed in real-time, not retained).

6. Your Rights and Choices

Depending on your location, you may have various rights regarding your personal data. You may request access to the personal data we hold about you, and you may request a copy of your transcription history by accessing your browser's localStorage.

6.1 Access to Your Data

You have the right to request information about what personal data we hold about you. Since most of your data is stored locally in your browser or managed by third-party services (Supabase for account data, ConvertKit for newsletter subscriptions), the process for accessing this data varies by data type.

Transcription History:Your transcription history is stored locally in your browser's localStorage under the key "stt_history". You can access this data directly through your browser's developer tools or by using JavaScript in your browser console. We do not have access to this data and cannot provide it to you because it never leaves your device.

Account Data: To access the personal data stored in your Supabase account (email, name, avatar), you can view this information in your user profile within the Service interface. If you require a comprehensive export of all account data, including metadata not visible in the interface, please contact us at privacy@donetyping.com. We will respond to such requests within 30 days and provide the data in a commonly used electronic format (such as JSON or CSV).

Newsletter Data: ConvertKit maintains your subscription information. You can contact ConvertKit directly at their support email or contact us, and we will facilitate your request to access this data.

6.2 Correction of Your Data

If you believe any personal data we hold about you is inaccurate or incomplete, you have the right to request correction. Since we do not maintain a user-editable profile system beyond what is provided by Google OAuth, the primary method to update your account information is to update your Google Account information, which will then be reflected in our Service upon your next login.

For newsletter subscription information (such as correcting an email address), please contact us at privacy@donetyping.com and we will coordinate with ConvertKit to update your information.

6.3 Deletion and Revocation

You may delete your data through several methods. To delete your transcription history, clear your browser's localStorage or use your browser's data clearing features. To remove your account data, revoke Google OAuth authorization through your Google Account settings, which will remove your authentication data from our systems. To unsubscribe from newsletters, click the unsubscribe link in any newsletter email or contact us at privacy@donetyping.com.

Account Deletion Process:When you revoke Google OAuth authorization: First, navigate to your Google Account settings at myaccount.google.com. Select "Security" from the left menu, then scroll to "Third-party apps with account access." Find Done Typing in the list and select "Remove access." This immediately terminates our access to your Google profile information and marks your Supabase authentication data for deletion. Supabase will complete the deletion within 30 days.

What happens after deletion: Once you revoke authorization, you will no longer be able to access account-based features such as extended recording limits. Your local transcription history remains on your device until you clear your browser data. We cannot delete data from your localStorage as we do not have access to it. If you create a new account with the same email address in the future, it will be treated as a completely new account with no connection to your previous data.

Exceptions to deletion: In some cases, we may be unable to delete certain data immediately due to legal obligations, ongoing disputes, or technical limitations. If this applies to your request, we will inform you of the specific reasons for any delay and provide an estimated timeline for when deletion will be completed.

6.4 Restriction and Objection Rights

Under GDPR and similar privacy frameworks, you may have the right to restrict processing of your personal data or object to certain types of processing. If you wish to exercise these rights, please contact us at privacy@donetyping.com with a detailed description of your request. We will evaluate your request in accordance with applicable law and respond within 30 days.

Please note that restricting processing of certain data (such as authentication data) may prevent you from using account-based features of the Service. If you object to analytics processing, you can disable cookies in your browser settings, though this may affect Service functionality.

6.5 Data Portability

You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller without hindrance from us. To request a data export, contact us at privacy@donetyping.com. We will provide your account data (email, name, avatar) in JSON format within 30 days.

Limitations on portability: The right to data portability applies only to data you have provided to us based on consent or contract. It does not apply to transcription history stored in your localStorage, as this data never leaves your device and we cannot extract it for you. You can export this data yourself using browser developer tools.

6.6 Marketing Communications

You may opt out of marketing communications at any time by clicking the unsubscribe link in newsletter emails or by contacting us at privacy@donetyping.com.

Unsubscribe process: Every newsletter email we send includes an unsubscribe link at the bottom. Clicking this link will immediately remove you from our mailing list. ConvertKit handles the technical aspects of unsubscription and will typically process your request within 24 hours. You will not receive any further marketing emails after unsubscribing, though you may still receive transactional emails related to your account (such as password reset emails if applicable).

Re-subscription: If you unsubscribe and later wish to re-subscribe, you may do so by submitting your email address again through our newsletter signup form. Note that you may need to confirm your subscription via a confirmation email.

6.7 Browser Controls

You may manage data collection and storage through your browser settings. You can clear localStorage data, delete cookies, disable or revoke microphone permissions, and use private or incognito browsing mode to limit data collection.

7. Cookies and Similar Technologies

We use cookies and similar technologies for authentication and analytics purposes. Session cookies (such as "sb-hhzlrmgopbgzgarsndxn-auth-token.1") maintain your login session. Analytics cookies used by Google Tag Manager track usage patterns and help us improve the Service.

You may manage cookie preferences through your browser settings. Note that disabling certain cookies may affect the functionality of the Service.

8. Children's Privacy

The Service is not intended for use by individuals under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have collected personal information from a child under 13, we will take steps to delete such information promptly.

If you are a parent or guardian and believe that your child under 13 has provided personal information to us, please contact us at privacy@donetyping.com.

9. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence. These countries may have data protection laws that differ from those in your jurisdiction. Specifically, data may be transferred to and processed in the United States (by Supabase, ConvertKit, and Google) and the European Union (by Supabase EU regions).

We ensure appropriate safeguards are in place for such transfers, including reliance on adequacy decisions or standard contractual clauses where required by applicable law.

10. Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA) and United Kingdom, we process personal data based on the following legal grounds under the General Data Protection Regulation (GDPR):

Performance of a Contract: We process data necessary to provide the voice-to-text transcription service you requested. This includes processing your audio data to generate transcriptions and authenticating your account.

Consent: Some processing is based on your explicit consent, such as newsletter subscriptions and analytics cookies. You may withdraw consent at any time by contacting us or using the unsubscribe/opt-out mechanisms provided.

Legitimate Interests: We process data necessary for our legitimate interests, such as service improvement, fraud prevention, and ensuring the security of our systems, provided these interests are not overridden by your rights.

Legal Obligation: We may process data when necessary to comply with applicable laws, regulations, or legal processes.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of any material changes by posting the updated Privacy Policy on this page, updating the Effective Date at the top of this policy, and providing notice through the Service or via email for significant changes.

Your continued use of the Service after any changes constitutes acceptance of the revised Privacy Policy.

12. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

13. Data Protection Officer

For users in the EEA and UK, you may contact our Data Protection Officer regarding GDPR-related inquiries at privacy@donetyping.com.

14. Supervisory Authority

If you are located in the EEA or UK and believe we have not adequately addressed your privacy concerns, you have the right to lodge a complaint with your local data protection supervisory authority.