Privacy Policy
GigaDuck
Last Updated: April 1, 2026
GigaDuck OÜ Tallinn, Estonia
Overview
GigaDuck is a voice transcription and personal memory app that converts your speech to formatted text and, optionally, stores personal facts you dictate. This policy explains what data we collect, how we use it, and your rights.
Key Points:
- Your audio is sent to third-party AI providers for transcription and may be retained by them for up to 30 days for abuse monitoring (see Section 3)
- In Transcription and Translation modes, we do not store your audio or text on our servers
- When you use the Memory feature, personal facts you dictate are extracted and stored on our servers so you can retrieve them later. You can view and delete your memories at any time.
- We do not require an account — you’re identified only by an anonymous device ID
- Our database is hosted in the EU (Ireland); AI processing occurs in the EU and the US
1. Information We Collect
Data We Process
| Data | Stored by us? | Purpose |
|---|---|---|
| Voice recordings | No | Sent to AI providers for transcription, not stored on our servers |
| Transcribed text | No | Returned to you, not retained on our servers |
| Memory content | Yes | Personal facts you dictate in Memory mode, stored for later retrieval. Includes extracted entities (names, places, organizations) and temporal information (dates, recurring events). |
| Memory embeddings | Yes | Numeric vector representations of your memory content, used for semantic search. Not human-readable. |
| Transaction ID | Yes | Anonymous device identifier for rate limiting |
| Usage analytics | Yes | App improvement, debugging, rate limit tracking |
| Active app name | Yes (analytics) | The name of the app you were using when you triggered a transcription, used for context-aware formatting and service improvement |
| Country code | Yes (analytics) | Your device’s country setting (e.g., “DE”), used for locale-aware formatting and analytics. Not precise location. |
| App settings | Device & iCloud | Your preferences (language, formatting options), synced across your devices via iCloud |
| Personalization vocabulary | Device & iCloud | Optional: your name, addresses, and custom words — entered by you for spelling accuracy. Sent to Groq as part of formatting (see Section 3). Synced via iCloud. |
Data We Do NOT Collect
- Email or contact information (name and addresses are only stored if you voluntarily enter them in personalization settings)
- Device identifiers (no IDFA, no fingerprinting)
- Precise location data (no GPS coordinates, no city-level geolocation). We collect only your country code for locale formatting.
- Contacts, photos, or other sensitive data
2. How We Use Your Information
We process your data for:
- Service delivery — Transcribing your voice recordings and returning formatted text
- Memory storage and retrieval — Extracting personal facts from your speech, storing them, and retrieving relevant memories when you ask questions (Memory feature only)
- Rate limiting — Tracking usage against your subscription tier (10/week free, unlimited Pro)
- Service improvement — Understanding usage patterns and fixing issues
- Fraud prevention — Detecting abuse of the service
- Personalization — Using your vocabulary (name, addresses, custom words) to improve spelling accuracy in transcriptions
Legal Basis (GDPR):
- Contract performance (Article 6(1)(b)) — Processing is necessary to provide the transcription and translation service you requested
- Consent (Article 6(1)(a)) — When you use the Memory feature, your deliberate act of dictating facts for storage constitutes consent to the processing and retention of that personal data. You can withdraw consent at any time by deleting your memories in the app or requesting full data erasure.
- Explicit consent for special categories (Article 9(2)(a)) — The Memory feature may process sensitive personal data (such as health information) if you choose to dictate it. Your deliberate act of speaking this information for storage constitutes explicit consent.
- Legitimate interest (Article 6(1)(f)) — Analytics and fraud prevention
3. Third-Party Services
We use the following services to provide GigaDuck:
Mistral AI (Primary Speech-to-Text)
Your voice recordings are sent to Mistral AI for transcription using their Voxtral Mini model.
- What they receive: Audio file, target language
- What they do NOT receive: Your identity or transaction ID
- Data retention: Mistral retains inputs for up to 30 rolling days for abuse monitoring, then permanently deletes them. They do not use paid API inputs or outputs for model training.
- Location: Mistral AI is headquartered in Paris, France. Processing occurs in the EU by default.
- Privacy: Mistral AI Privacy Policy
Groq, Inc. (Text Formatting and Memory Processing)
Your transcribed text is sent to Groq for AI-powered formatting (grammar, punctuation, context-aware styling). In Memory mode, Groq also receives your transcribed speech along with up to 10 relevant existing memories as context, and extracts personal facts and answers your questions.
- What they receive: Transcribed text, formatting preferences, active app name, personalization vocabulary (name, addresses, custom words — if you have entered them). In Memory mode: transcribed speech and relevant stored memories.
- What they do NOT receive: Your identity or transaction ID
- Data retention: Groq does not store inputs or outputs by default. They do not use API data for model training.
- Location: Groq, Inc. is headquartered in Mountain View, California, USA, with processing infrastructure in Helsinki, Finland.
- Privacy: Groq Privacy Policy
Google LLC (Embedding Generation — Memory Feature)
When you use the Memory feature, your transcribed text and extracted facts are sent to Google’s Gemini API to generate semantic embedding vectors. These vectors enable searching your memories by meaning rather than exact words.
- What they receive: Text content of your speech and stored facts (for vector generation only)
- What they do NOT receive: Your identity, transaction ID, or any other metadata
- Data retention: Google’s paid Gemini API does not use inputs or outputs for model training. Data may be temporarily processed for abuse monitoring per Google’s API terms.
- Location: Google LLC is headquartered in Mountain View, California, USA. Processing may occur in the US and EU.
- Privacy: Google AI Terms of Service
Supabase, Inc. (Backend Infrastructure)
Our backend runs on Supabase, which stores your transaction ID, usage analytics, and Memory feature data.
- What they store: Transaction ID, analytics events (timestamps, success/error status, active app name, country code), and Memory feature data (personal facts, embedding vectors, extracted entities)
- Data location: eu-west-1 (Ireland) — your data stays in the EU
- Privacy: Supabase Privacy Policy
Apple Inc.
We use Apple’s StoreKit for subscription management and iCloud for settings sync.
- What they provide: Transaction ID for identifying your subscription
- iCloud sync: Your app settings and personalization vocabulary are synced across your Apple devices via iCloud Key-Value Storage, subject to Apple’s privacy policy
- Privacy: Apple Privacy Policy
4. Data Storage and Security
Where Your Data Lives
| Data | Location |
|---|---|
| Audio recordings | Not stored by us. Temporarily retained by Mistral AI (up to 30 days) for abuse monitoring. Not retained by Groq. |
| Transcribed text | Not stored by us or our AI providers |
| Memory content & embeddings | Supabase (Ireland, eu-west-1) — encrypted at rest |
| Transaction ID & analytics | Supabase (Ireland, eu-west-1) |
| App settings & vocabulary | Your device (encrypted by iOS/macOS) and iCloud (encrypted by Apple) |
Security Measures
- All data transmitted over HTTPS (TLS 1.3)
- Database encryption at rest (AES-256)
- Row-level security on all database tables
- Memory data isolated per user via row-level security policies
- No human access to request data
- Audio and transcription content never logged on our servers
5. Data Retention
| Data | Retention |
|---|---|
| Voice recordings (our servers) | 0 — never stored |
| Voice recordings (Mistral AI) | Up to 30 rolling days for abuse monitoring |
| Voice recordings (Groq) | 0 — not retained |
| Transcribed text | 0 — not stored by us or our providers |
| Memory content & embeddings | Until you delete individual memories or request full data erasure |
| Transaction ID | Until you request deletion |
| Analytics events | Until you request deletion |
| App settings & vocabulary | Until you delete the app (device) or disable iCloud sync (iCloud) |
6. International Data Transfers
Your data may be transferred outside the European Economic Area:
| Recipient | Location | Safeguard |
|---|---|---|
| Mistral AI | France (EU) | No transfer required — EU-based processing |
| Groq | USA / Finland | EU Standard Contractual Clauses (SCCs) |
| Google (Gemini API) | USA | EU Standard Contractual Clauses (SCCs) |
| Supabase | USA (company) / Ireland (data) | EU Standard Contractual Clauses (SCCs) |
| Apple | USA | Apple’s Standard Contractual Clauses |
These legal mechanisms ensure your data receives equivalent protection outside the EU.
7. Your Rights
Under GDPR, you have the right to:
| Right | How to Exercise |
|---|---|
| Access | Request a copy of your data, including stored memories |
| Rectification | Correct inaccurate data (settings editable in-app) |
| Erasure | Delete individual memories in-app, or use “Delete My Data” in Settings for permanent removal of all data including memories, analytics, and your anonymous identifier |
| Portability | Receive your data in a portable format. Memories are viewable in-app. |
| Withdraw consent | Stop using the Memory feature and delete stored memories at any time |
| Objection | Object to processing based on legitimate interest |
| Restriction | Request we limit how we process your data |
To exercise your rights: Email [email protected] with your transaction ID (found in app Settings). We will respond within 30 days.
Note: We cannot identify you without your transaction ID. If you cannot provide it, we cannot locate your data.
Supervisory Authority: You have the right to lodge a complaint with your local data protection authority. Our lead supervisory authority is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon).
8. Children’s Privacy
GigaDuck is not directed at children under 13. We do not knowingly collect data from children. If you believe a child has provided us with data, please contact us at [email protected].
9. Changes to This Policy
We may update this policy from time to time. We will notify you of significant changes by:
- Posting the new policy in the app
- Updating the “Last Updated” date
Continued use of GigaDuck after changes constitutes acceptance of the updated policy.
10. Contact Us
For privacy questions or to exercise your rights:
Email: [email protected]
Company: GigaDuck OÜ Tallinn, Estonia
Summary
- Audio: Sent to Mistral AI for transcription. Not stored on our servers. Mistral may retain for up to 30 days for abuse monitoring.
- Text formatting: Transcribed text sent to Groq for AI formatting, not retained
- Memory: Facts you dictate are extracted by Groq and stored in our EU database. Text is sent to Google Gemini for embedding generation. You can view and delete your memories at any time in the app, or request full data erasure.
- Identity: Anonymous transaction ID only, no account required
- Vocabulary: Optional name/addresses you enter for spelling are sent to Groq and synced via iCloud
- Analytics: Stored in EU (Ireland), includes active app name and country code, used for service improvement
- Your control: Delete individual memories in-app, delete all data via Settings, or contact [email protected]