Privacy Policy
Last Updated: 27 February 2026
1. Introduction
This Privacy Policy explains how Oppian.com Ltd ("we", "us", "our") collects, uses, stores, and protects your personal data when you use VoxNota, our AI-powered voice note transcription and organisation service (the "Service"). We are committed to protecting your privacy and processing your data in accordance with the General Data Protection Regulation (EU GDPR, Regulation 2016/679), the UK General Data Protection Regulation (UK GDPR), and the Data Protection Act 2018.
2. Data Controller
The data controller responsible for your personal data is:
- Company: Oppian.com Ltd
- Contact: privacy@voxnota.com
- Jurisdiction: England & Wales
3. What We Collect and Why
We collect and process the following categories of personal data in order to provide and improve the Service:
3.1 Voice Recordings
When you record a voice note, the audio file is uploaded to our servers. We process this data solely to provide the transcription service you have requested. Audio files are stored in Cloudflare R2 object storage.
3.2 Voice Data and Speaker Identification
When your recordings contain multiple speakers, our transcription provider may analyse voice characteristics to distinguish between speakers (speaker diarisation). This processing is performed by ElevenLabs as part of the transcription service and is used solely to attribute text to the correct speaker in your transcript. We do not create, store, or retain voiceprints or biometric identifiers derived from your voice. Voice analysis data is processed transiently and is not retained after the transcription is complete.
3.3 Transcriptions
Your audio recordings are sent to ElevenLabs for transcription. The resulting text is stored and associated with your account so that you can access, search, and manage your transcribed notes.
3.4 AI-Curated Content
Transcriptions are processed by Cloudflare Workers AI to generate summaries, categories, action items, and date extraction. This AI-curated content is produced to help you organise and act on your notes more effectively.
3.5 Semantic Search Data
Text from your notes is sent to Supermemory, a semantic search service, to enable meaning-based search and note organisation. Only note text and pseudonymised identifiers are shared with Supermemory — no personal information such as your name, email, or voice recordings is transmitted.
3.6 Account Information
If you choose to sign in via Google OAuth, we collect your email address and display name via Firebase Authentication. This information is used to identify your account, sync your data across devices, and communicate with you about the Service.
3.7 Usage Data (Aggregated Analytics)
We use PostHog in cookieless mode to collect aggregated usage analytics. This involves server-side hashing only and does not set any cookies or use localStorage. No personally identifiable information is stored by PostHog. We use this data to understand usage patterns and improve the Service. See Section 5 for further details.
3.8 Device and Browser Information
We collect basic device and browser information (such as user agent strings) as part of normal service delivery. This data is used to ensure the Service functions correctly on your device and to diagnose technical issues.
4. Firebase Authentication (Essential Storage)
VoxNota uses Firebase Authentication to manage user sessions. Firebase Auth sets cookies and tokens that are strictly necessary for the Service to function. Specifically:
- Firebase Auth cookies and tokens keep your recordings tied to your browser session, whether you use VoxNota anonymously or with a signed-in account.
- Without these cookies and tokens, the Service cannot associate your recordings with your session, and core functionality would break.
- Because these are strictly necessary for the provision of the Service, no consent is required under UK GDPR for their use.
5. PostHog Analytics (Cookieless)
We use PostHog for product analytics. Our PostHog implementation operates in cookieless mode, which means:
- No cookies are set on your device by PostHog.
- No data is written to localStorage or sessionStorage by PostHog.
- User identification is performed through aggregated server-side hashing only.
- No cross-site tracking is performed.
- No personally identifiable information is persistently linked to your analytics across sessions by PostHog.
- PostHog is hosted in the European Union.
We use this data for product improvement and to understand aggregate usage patterns. The legal basis for this processing is legitimate interest (Article 6(1)(f) GDPR).
6. Third-Party Data Processors
We share your data with the following third-party processors, each of whom processes data on our behalf and under our instructions:
| Processor | Purpose | Location |
|---|---|---|
| ElevenLabs | Audio transcription | United States |
| Cloudflare Workers AI | AI curation and summarisation | Global edge network |
| Cloudflare R2 | Audio file storage | European Union |
| Cloudflare D1 | Primary database (user data, transcriptions, metadata) | European Union |
| Supermemory | Semantic search (text only, pseudonymised identifiers) | United States (Cloudflare infrastructure) |
| Firebase Auth (Google) | Authentication service | United States |
| PostHog | Aggregated analytics (cookieless) | European Union |
| Fungies.io | Payment processing (Merchant of Record) | European Union |
7. Legal Basis for Processing
We process your personal data under the following legal bases as set out in Article 6(1) of the GDPR:
| Legal Basis | Processing Activity |
|---|---|
| Contract (Article 6(1)(b)) | Providing the transcription service, storing your recordings and notes, generating AI-curated content, enabling semantic search |
| Legitimate Interest (Article 6(1)(f)) | Cookieless analytics (PostHog), service improvement, security monitoring, fraud prevention |
| Consent (Article 6(1)(a)) | Optional features that may be introduced in the future (e.g., marketing communications) |
8. Data Retention
We retain your data in accordance with the following policies:
- Active accounts: Your data is retained for as long as your account remains active and you continue to use the Service.
- Deletion process: We operate a two-phase deletion system. When you delete a note, it is first soft-deleted (marked with a deletion timestamp). A background process then permanently removes the data, including the associated audio file from Cloudflare R2.
- Account deletion: If you request deletion of your account, all associated data (recordings, transcriptions, curated content, and account information) will be permanently removed within 30 days.
- Audio files: Stored in Cloudflare R2 and permanently deleted as part of the two-phase deletion process described above.
9. Your Rights Under GDPR
Under the EU GDPR and UK GDPR, you have the following rights in relation to your personal data:
- Right of access: You may request a copy of the personal data we hold about you (a Subject Access Request).
- Right to rectification: You may request that we correct inaccurate or incomplete personal data.
- Right to erasure: You may request that we delete your personal data ("right to be forgotten"), subject to any legal obligations requiring us to retain it.
- Right to restrict processing: You may request that we limit the processing of your personal data in certain circumstances.
- Right to data portability: You may request to receive your personal data in a structured, commonly used, and machine-readable format.
- Right to object: You may object to the processing of your personal data where we rely on legitimate interest as the legal basis.
- Rights related to automated decision-making: You have rights in relation to automated decision-making, including profiling. VoxNota uses AI to generate summaries and categorise notes, but these do not produce legal or similarly significant effects on you.
To exercise any of these rights, please contact us at privacy@voxnota.com. We will respond to your request within one month, as required by law.
If you are not satisfied with our response, you have the right to lodge a complaint with the relevant supervisory authority:
- UK: Information Commissioner's Office (ICO) — ico.org.uk — 0303 123 1113
- EU: Your local data protection authority. A list is available at edpb.europa.eu
10. International Data Transfers
Some of our third-party processors are based outside the United Kingdom. In particular:
- ElevenLabs and Firebase Auth (Google) are based in the United States.
- Cloudflare operates a global edge network and may process data in various jurisdictions.
- PostHog is hosted in the European Union.
Where personal data is transferred outside the European Economic Area or United Kingdom, we ensure that appropriate safeguards are in place, including adequacy decisions and standard contractual clauses (SCCs), in accordance with the requirements of the EU GDPR and UK GDPR.
11. Children's Data
Users under the age of 16 may use VoxNota with the consent of a parent or legal guardian. We do not knowingly collect personal data from children under 16 without parental consent. If we become aware that we have collected personal data from a child under 16 without appropriate consent, we will take steps to delete that data as soon as practicable. If you believe a child under 16 has provided us with personal data without parental consent, please contact us at privacy@voxnota.com.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. If we make material changes, we will notify users by posting the updated policy at this page with a revised "Last Updated" date. We encourage you to review this policy periodically.
13. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your personal data, please contact us:
- Email: privacy@voxnota.com
- Company: Oppian.com Ltd
If you wish to make a complaint about how we have handled your personal data, you may also contact the Information Commissioner's Office (ICO) at ico.org.uk.