Privacy Policy

Version 2.1 - Last Updated: May 1, 2026

Introduction

This Privacy Policy explains how Prosody Limited ("we", "us", or "our") collects and uses personal data when you use speaking.app (the "Service"), and the rights you have under data protection law.

We are committed to complying with the EU General Data Protection Regulation ("GDPR") and applicable Irish data protection law.

Who we are

  • Data Controller: Prosody Limited
  • Place of registration: Ireland
  • CRO registration number: 811167
  • Registered office: Venture Hub, 136 Capel Street, Dublin, D01 T2C9
  • Email: hello@speaking.app

If you have privacy questions or want to exercise your rights, contact us at hello@speaking.app.

Data Protection Officer

We have not appointed a Data Protection Officer because we are not required to under Article 37 GDPR. We do not carry out large-scale systematic monitoring of data subjects, and we do not process special categories of personal data on a large scale within the meaning of Article 37(1)(c).

Privacy questions and requests should be directed to hello@speaking.app, where they will be handled by the founder.

Scope

This Privacy Policy applies to personal data we process when you:

  • visit our website,
  • create an account,
  • use the Service (including recording or uploading audio),
  • join a cohort, class, accelerator programme, or coaching group through an invite code,
  • contact support,
  • subscribe to a paid plan.

It does not apply to third-party websites or services you may access via links in the Service.

Minimum age

The Service is not intended for children. You must be at least 16 years old to use the Service.

Ireland sets the digital age of consent at 16. By creating an account, you represent that you are at least 16 years old. If we learn that someone under 16 has created an account, we will close the account and delete associated personal data.

If you believe someone under 16 is using the Service, contact us at hello@speaking.app.

Personal data we collect

We collect personal data in the following categories:

Account and profile data:

  • email address,
  • username and account identifiers,
  • authentication data, stored securely through our authentication provider,
  • settings and preferences you choose in the Service,
  • cohort, invite-code, entitlement, and subscription status where applicable.

Audio and content data:

  • audio recordings you upload or record,
  • audio extracted from video files where you upload video for analysis,
  • transcripts generated from your recordings,
  • AI-generated analyses, scores, feedback, summaries, and coaching outputs,
  • session titles, user notes, coach notes, assignments, comments, and related content.

Speech and prosody data:

  • pacing, filler-word, pitch, energy, and prosody-derived measurements,
  • emotional-expression dimension scores generated from voice analysis,
  • speech-pattern classifications such as uptalk detection, where available.

Usage and technical data:

  • device and browser information,
  • IP address (for security, fraud prevention, and infrastructure operation),
  • product usage events (for example, which pages or features you use),
  • diagnostics and error logs.

Support and communications:

  • emails and messages you send to us,
  • in-app feedback, bug reports, and support requests.

Subscription and billing status:

  • plan, subscription status, billing period, and entitlement information,
  • limited billing metadata received from Paddle,
  • we do not store full payment card details.

Is providing data required?

Some personal data is required to use the Service. Providing your email address and authentication credentials is a contractual requirement; without them, we cannot create or operate your account. Recording or uploading audio is voluntary, but if you do not provide audio, the Service has no content to analyse and you cannot use the core features. If you do not provide billing information at checkout, you cannot purchase a paid subscription. If you do not provide data needed to join a cohort, you cannot receive coach feedback. Other data, such as optional notes, feedback messages, and optional public sharing, is voluntary.

Voice recordings and speech analysis

Your voice recording can be personally identifying and may contain sensitive information depending on what you say. We treat voice recordings, transcripts, and speech-derived measurements as personal data and apply the safeguards described in this Policy.

We process recordings, transcripts, speech metrics, and prosody-derived measurements to provide the Service: transcription, speech analysis, AI feedback, coaching features, support, security, and product-quality review. Our legal bases are Article 6(1)(b) (performance of a contract) and Article 6(1)(f) (legitimate interests), as set out in "How we use your data and legal bases" below.

We do not use voice recordings for biometric identification, speaker recognition, or authentication. We do not try to identify you from your voice.

Some speech-analysis features generate vocal-expression or prosody-derived measurements such as pitch, pacing, energy, filler words, uptalk indicators, or emotional-expression dimension scores. These are stored as part of your session results so you can review your feedback. They are shared with processors only where needed to provide the Service, generate AI feedback, maintain security, or comply with law, and are not sold or repurposed outside the Service. They are not used to make automated decisions about you.

If a future feature uses voice data to identify or authenticate a person, or otherwise requires explicit consent under Article 9 GDPR, we will ask for a separate explicit consent before enabling that feature.

You can delete individual recordings at any time, or delete your account, which will hard-delete all audio recordings associated with your account (see "Deleting your account" below).

How we access and use your data internally

Prosody Limited currently has one employee, the founder. The founder has technical administrative access to the Service infrastructure and can therefore access, in principle, all data stored in the Service: account profiles, audio recordings, transcripts, AI analyses, and usage logs.

This access is used in practice for:

  • operating and supporting the Service (for example, debugging a failed transcription, responding to a support email),
  • reviewing a sample of recordings, transcripts, and AI outputs to monitor and improve the quality of feedback the Service produces,
  • generating cohort-level reports for programme partners, in aggregated and de-identified form.

The founder does not review every recording. However, individual recordings, transcripts, and analyses may be reviewed when needed for the purposes above. Access is logged at the database and infrastructure layer.

Your data is not used to train third-party or general-purpose AI models. We have configured our AI integrations, or rely on their default API terms, so that your audio, transcripts, and AI outputs are not used to train or fine-tune their AI models. Providers may still process data as needed to provide the requested service, maintain security, prevent abuse, or comply with law.

If you would prefer that the founder not review your recordings or transcripts as part of the internal quality-improvement process described above, email hello@speaking.app and we will exclude your account from that review going forward. Your data will continue to be processed for the operational purposes set out in "How we use your data and legal bases" below.

Cohorts, coaches, and programme administrators

If you join speaking.app via a cohort invite code (for example, an accelerator programme, a class, or a corporate training group), the designated coach for that cohort can:

  • view your cohort profile, including your username and email,
  • view your practice sessions, including audio playback, transcripts, and AI analyses,
  • write coach notes about your sessions,
  • assign practice tasks to you and review your completion of those tasks.

The coach role is granted to the programme administrator who issued your invite code. The founder of Prosody Limited may also hold an administrative coach role across cohorts for support and operational purposes.

Joining via an invite code is voluntary. If you do not want a coach to see your data, do not join via an invite code; you can use the Service as an individual user without coach visibility. You may also leave a cohort at any time, which removes the coach's ongoing access to new sessions you create after leaving.

We do not currently grant separate dashboard access to programme administrators outside the coach role. If we add such access in future, we will update this Privacy Policy and notify affected users.

How we use your data and legal bases

We process personal data only where we have a lawful basis under GDPR.

| Purpose | Data used | Legal basis |
|---|---|---|
| Create and manage your account | Account, profile, authentication, settings | Contract (Article 6(1)(b)) |
| Provide speech analysis and AI feedback | Audio, transcripts, prosody data, AI outputs, user notes | Contract (Article 6(1)(b)) and legitimate interests (Article 6(1)(f)) |
| Provide cohort and coaching features | Account profile, cohort membership, sessions, recordings, transcripts, analyses, coach notes, assignments | Contract and legitimate interests |
| Provide paid subscriptions | Account, subscription status, billing metadata | Contract and legal obligations |
| Security, abuse prevention, debugging, and reliability | Logs, IP address, technical data, account activity, session diagnostics | Legitimate interests (Article 6(1)(f)) |
| Internal product review and quality improvement | Recordings, transcripts, analyses, error cases, feedback quality samples | Legitimate interests, with opt-out as described above |
| Service communications | Email address, account status, support messages | Contract and legitimate interests |
| Transactional email delivery | Email address and message content | Contract and legitimate interests |
| Legal, accounting, tax, and compliance | Account, billing, transaction, support, and legal records | Legal obligations (Article 6(1)(c)) |
| Marketing emails, where used | Email address and marketing preferences | Consent where required, or legitimate interests where permitted by law |

Our legitimate interests include keeping the Service secure, fixing bugs, improving the quality of feedback, understanding whether features work, preventing abuse, supporting users, and operating cohort features. We have assessed these interests against your rights and freedoms and consider the processing proportionate, given the limited scale of internal review, the access logging at the infrastructure layer, and your ability to opt out of internal review by emailing us. You can object to processing based on legitimate interests at any time (see "Your rights" below).

Automated processing and AI

The Service uses automated systems and third-party AI processors to generate speech feedback. A typical recording is processed as follows:

  1. the recording is uploaded to our storage provider;
  2. audio is sent to a speech-to-text provider to generate a transcript;
  3. audio or selected audio segments are sent to a voice and prosody analysis provider to generate vocal-expression measurements;
  4. transcripts and analysis metadata are sent to an AI feedback provider to generate coaching feedback, scores, summaries, and recommendations;
  5. the results are stored in your account and displayed in the app.

These outputs are coaching and educational tools. They may be inaccurate or incomplete and should not be relied on as the sole basis for high-stakes decisions.

We do not use automated processing to make decisions that produce legal effects or similarly significant effects on you under Article 22 GDPR. AI outputs do not determine your access to the Service, your account status, or any legal entitlement. They are feedback tools only.

Your data is not used to train third-party or general-purpose AI models. The transcription, voice analysis, and AI feedback providers we use are configured (or operate by default) so that your inputs and outputs are not used for model training or fine-tuning by them.

Cookies and similar technologies

We use only strictly necessary cookies and storage for authentication, security, checkout, and user-requested preferences. We also use PostHog for product analytics in a cookieless, memory-only, EU-resident configuration with no session recording, no heatmaps, and IP excluded from captured events.

We do not use analytics cookies, advertising cookies, third-party marketing cookies, cross-site tracking, retargeting, session replay, or heatmaps.

For full details, see our Cookie Policy.

Sharing and disclosures

We do not sell your personal data.

We share personal data with the following categories of third-party processors, who process it only on our instructions and under contractual obligations:

| Category of processing | Provider | Location | Data shared |
|---|---|---|---|
| Database, authentication, file storage, realtime infrastructure | Supabase | EEA (AWS Frankfurt) | All account, content, and analysis data |
| Backend hosting | Railway | USA | API traffic and processing data |
| Frontend hosting and edge delivery | Vercel | USA (with EU edge) | Web traffic and request data |
| Speech-to-text transcription (primary) | ElevenLabs | USA | Audio recordings |
| Speech-to-text transcription (fallback) | Deepgram | USA | Audio recordings, where fallback is used |
| Voice and prosody analysis | Hume.ai | USA | Audio recordings or selected audio segments |
| AI feedback generation (large language models) | OpenAI | USA | Transcripts, analysis metadata, prompts, generated outputs |
| Cookieless product analytics and feature flags | PostHog | EU | Anonymous usage events (logged-out); identified events with IP excluded (logged-in) |
| Transactional email delivery | Resend | USA | Email address and message content |
| Payments and billing (merchant of record) | Paddle | UK / EU | Email, billing data, subscription status |

Your data is not used to train third-party or general-purpose AI models. The transcription, voice analysis, and AI feedback providers above are configured (or operate by default) so that your inputs and outputs are not used for model training or fine-tuning by them.

In addition, we may disclose data:

  • if required by law, court order, or to protect rights, safety, and security,
  • as part of a merger, acquisition, reorganisation, financing, or sale of assets, subject to appropriate safeguards and the new controller honouring this Privacy Policy or notifying you of any changes,
  • to a designated coach or programme administrator if you have joined via a cohort invite code (see "Cohorts, coaches, and programme administrators" above),
  • if you enable optional public sharing features, in which case the published information may be visible to others.

International transfers

Your account profile, authentication data, audio recordings, transcripts, and AI analyses are stored in the European Economic Area (Frankfurt, Germany, on AWS eu-central-1 via Supabase). Our cookieless product analytics (PostHog) is also EU-resident.

To deliver the Service, certain processors transfer or process personal data outside the EEA:

| Processor | Country | Personal data transferred |
|---|---|---|
| ElevenLabs (transcription) | USA | Audio recordings |
| Deepgram (transcription, fallback) | USA | Audio recordings |
| Hume.ai (prosody analysis) | USA | Audio recordings or selected audio segments |
| OpenAI (AI feedback generation) | USA | Transcripts and analysis metadata |
| Vercel (frontend hosting) | USA (with EU edge) | Web traffic data |
| Railway (backend hosting) | USA | API traffic |
| Resend (transactional email) | USA | Email address and message content |

Where personal data is transferred outside the EEA, we rely on appropriate transfer mechanisms. For our processor relationships, this is generally Module 2 (controller to processor) of the European Commission's 2021 Standard Contractual Clauses, as approved in Commission Implementing Decision (EU) 2021/914. Where a provider acts as an independent controller (for example, Paddle as merchant of record for payment processing), the provider is responsible for its own transfer mechanisms for the processing it independently controls. We have implemented technical and organisational supplementary measures recommended by the European Data Protection Board following the Schrems II ruling, including encryption in transit and access controls.

A copy of the SCCs in place with our processors is available on request at hello@speaking.app.

Data retention

We retain personal data only as long as needed for the purposes set out above.

| Data category | Retention |
|---|---|
| Account profile (email, username, settings) | While your account is active. Hard-deleted on account deletion. |
| Audio recordings | While your account is active and you have not deleted the recording. You can delete individual recordings at any time. Hard-deleted on account deletion. We do not currently run an automatic age-based purge of recordings. |
| Transcripts and AI analyses | Tied to the source recording. Deleted when the source recording or your account is deleted. |
| Coach notes about you | Until your account is deleted, or you leave the cohort and request deletion. |
| Usage and security logs (including IP) | Retained for the period needed for security investigations, fraud prevention, and infrastructure operation, with limited extensions where needed for legal obligations. Provider-level log retention follows each provider's standard cycles. |
| Support communications (email) | Retained for as long as needed to handle the request and maintain a reasonable record. |
| Subscription and billing records | As required by Irish tax and accounting law (typically 7 years). |
| Aggregated or de-identified statistics | Indefinitely, as the data no longer identifies you. |

When you delete your account, the deletion process described in "Deleting your account" below is applied. Personal data may persist in encrypted backups for a limited period after deletion, according to the backup cycles of our infrastructure providers, before being overwritten by routine backup rotation. We do not restore deleted user data from backups except where necessary for security, disaster recovery, or legal compliance.

Deleting your account

You can delete your account at any time from in-app settings, or by emailing hello@speaking.app.

When you delete your account, the following happens within minutes in the live system:

  1. If you have an active paid subscription, it is cancelled immediately via Paddle where possible.
  2. All audio recordings linked to your account are hard-deleted from our storage.
  3. A confirmation email is sent to your account email address.
  4. Your authentication record is hard-deleted from our authentication provider, which triggers cascade deletion of your account profile, practice sessions, submissions, comments, notifications, entitlements, access-code redemptions, challenge participation records, sharing records, and filler-counter sessions.

A small set of records where your input has contributed to aggregate research statistics (your feedback to us, contributions to shared statistics, and contact records) are anonymised rather than deleted, so that your individual identity is removed but the aggregate statistic is preserved.

We may retain billing and tax records as required by Irish law (typically 7 years).

Personal data may persist in encrypted backups for a limited period after deletion, according to the backup cycles of our infrastructure providers, before being overwritten.

Your rights

Depending on your location and applicable law, you may have rights including:

  • access to your personal data,
  • correction of inaccurate data,
  • deletion (where applicable),
  • restriction of processing,
  • objection to processing based on legitimate interests,
  • data portability,
  • withdrawal of consent (where processing is based on consent).

Where we rely on your consent (for example, for marketing communications), you can withdraw your consent at any time using the unsubscribe link in marketing emails or by emailing hello@speaking.app. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

To exercise rights, email hello@speaking.app. We may need to verify your identity before acting on a request. We aim to respond within one month, unless the request is complex or we are legally allowed to extend the response period.

You can also delete your account using in-app controls.

Complaints

Prosody Limited is established in Ireland. The Irish Data Protection Commission is our supervisory authority.

You may lodge a complaint with:

  • the Irish Data Protection Commission, if you are in Ireland or your complaint concerns Prosody Limited; or
  • your local supervisory authority in the EEA.

We encourage you to contact us first at hello@speaking.app so we can try to resolve your concern.

Security

We use technical and organisational measures designed to protect personal data, including access controls and encryption where appropriate. No system is perfectly secure, and you use the Service at your own risk.

Personal data breach notification

If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Irish Data Protection Commission within 72 hours of becoming aware of the breach, in line with Article 33 GDPR. Where the breach is likely to result in a high risk to your rights and freedoms, we will notify affected users without undue delay, in line with Article 34 GDPR.

Changes to this Privacy Policy

We may update this Privacy Policy. If changes are material, we will provide notice in the Service and update the "Last Updated" date above.

If we intend to process personal data for a materially new purpose that is not compatible with the purposes described in this Policy, we will provide notice before doing so where required by GDPR.