Jutusta · speech platform
ETEN
Voice
Speech to Text
Speech to Text
  • 01 Live Speak into the mic — text appears instantly.
  • 02 From file Upload an audio or video file.
  • 03 Meetings Teams and Meet meeting recordings, with Zoom coming soon.
Translate
Translate
  • 01 Text translation Speak and read the translation.
  • 02 Simultaneous Hear the translation in a synthetic voice.
API Pricing

Privacy Policy

Last updated: 2026-06-15

This privacy policy describes what personal data the Jutusta service (jutusta.ee) collects, how it is used, and how you can exercise your rights. The policy is drafted in accordance with the General Data Protection Regulation (GDPR, EU 2016/679) and the Estonian Personal Data Protection Act.

1. Data controller

The data controller is Next Interaction OÜ, registry code 14100426, address Villardi tn 32-14, Kesklinna linnaosa, Tallinn 10142, Estonia.

For data protection inquiries, contact privacy [ät] jutusta [punkt] ee .

2. What data we collect

2.1 Account data

When you sign in via Google, we receive the following from Google: first and last name, email address, profile picture URL, and Google's internal user identifier (sub). We also store the OAuth tokens issued by Google (access token, refresh token, id token) to keep your session active and re-authenticate as needed.

2.2 Audio and transcription data

When you use the service, we store:

  • Uploaded audio files — files you send for transcription (/transcribe, /translate, the API);
  • Transcription results — text, timestamps, speaker diarisation, job metadata;
  • Voice clone source material — if you create voice clones, we store the source audio and user-provided text prompts;
  • Real-time speech-recognition audio — streaming audio is forwarded to our processing server for transcription; we do not persist the stream itself.
  • Saved speaker voiceprints — if you choose to save a speaker in a transcription, we store a numeric signature of their voice (a voiceprint) so the same speaker can be recognised in your future transcriptions. A voiceprint is biometric personal data; we store it only with your explicit consent, use it solely to label speakers in your own transcriptions, and never share it. You can permanently delete any voiceprint at any time in your account settings.

2.3 Technical data

Session data (session token, session creation and last-activity timestamps, IP address, user agent) is stored in our database to keep your session secure. At the Cloudflare infrastructure layer, request IP addresses and user agents are logged and used for error detection and abuse prevention. Logs are stored in our R2 bucket in the Western Europe region and auto-expire after 30 days.

2.4 Browser local storage

Preferences such as transcription language, voice selection, and UI layout are kept in your browser's localStorage. This data never leaves your browser and never reaches our servers.

2.5 API usage data

When you create API keys, we store only the SHA-256 hash of the key (never the key itself) along with the key's name, creation timestamp and last-used timestamp. API request metadata (request type, timestamp, status) is retained for service monitoring.

When you authorize a third-party application or AI agent to access your account through our OAuth/OIDC flow, we store the registered client (its name and icon), the consent you grant, and the access and refresh tokens issued to it, so it can act on your behalf until you revoke it. You can review and revoke connected applications at any time in your account settings.

3. Legal bases for processing

We process personal data on the following GDPR Article 6 grounds. For saved speaker voiceprints as special-category biometric data, we also rely on GDPR Article 9(2)(a).

  • Performance of a contract (Art. 6(1)(b)) — account creation and management, providing transcription and speech synthesis services, serving API requests;
  • Explicit consent (Art. 6(1)(a) and Art. 9(2)(a)) — storing saved speaker voiceprints only when you choose to save a speaker in a transcription. You can permanently delete any voiceprint at any time in account settings;
  • Legitimate interests (Art. 6(1)(f)) — ensuring security, preventing abuse, retaining error logs. Our interest is in stable and secure service operation;
  • Legal obligations (Art. 6(1)(c)) — retention duties imposed by accounting and tax law (e.g., retaining invoices for 7 years).

We do not currently carry out other non-essential processing, such as analytics, on the basis of consent. Should that change in the future, we will request consent separately.

4. Purposes of processing

  • providing the service (transcription, speech synthesis, speech recognition, voice clones, and recognising saved speakers with consent);
  • account management and authentication;
  • ensuring security and preventing abuse;
  • improving service quality (error log analysis);
  • complying with legal obligations.

We do not use your content (uploaded audio, transcripts, voice clones, or saved voiceprints) to train models.

5. Sub-processors and third parties

To provide the service we use the following sub-processors:

  • Cloudflare, Inc. — infrastructure services (Workers, R2 object storage, D1 database, Durable Objects). R2 and D1 are locked to EU jurisdiction, meaning data at rest is stored in European Union servers. Workers serverless execution runs at the Cloudflare PoP closest to the user — for Estonian and EU users that means EU PoPs (Tallinn, Helsinki, Stockholm);
  • Google LLC — authentication via OAuth (Google Sign-In);
  • Next Interaction OÜ on-premises hardware (Estonia) — speech recognition and synthesis AI models run on our own hardware in Estonia. This is not a sub-processor in the legal sense, as it is the same controller's infrastructure.

For the full list with legal bases, see the Sub-processors page.

Third-party applications you authorize. If you connect a third-party application or AI agent to your account (via our OAuth/OIDC flow), we disclose to it the identity details covered by the access you approve — your name and profile picture, your email address — and we process the content you direct it to create or transcribe. Such a provider is an independent controller for what it does with that data, not our sub-processor; its handling of your data is governed by its own privacy policy, not this one. Only authorize applications you trust, and revoke access from your account settings when you no longer use them.

6. Data location and international transfers

  • Object storage (R2) — audio files and voice clone source material are stored in Cloudflare R2, configured with EU jurisdiction. Data at rest remains in EU servers;
  • Database (D1) — user, session, transcription and account data is stored in Cloudflare D1 with EU jurisdiction;
  • Workers infrastructure — requests are served from the Cloudflare PoP closest to the user. For our Estonian and EU user base this means EU PoPs (Tallinn, Helsinki, Stockholm). Persistent data remains in the EU regardless;
  • Error logs — error logs are stored in our R2 bucket in the Western Europe region and auto-expire after 30 days. Logs contain only technical error information (HTTP status, error, request path, IP, user agent), not transcription or audio content;
  • Speech recognition and synthesis — speech recognition and synthesis AI models run on our own hardware in Estonia;
  • Google OAuth — Google LLC may transfer authentication data (your Google account identifier, name, email, profile picture) to the United States. The legal basis for this transfer is the Standard Contractual Clauses (SCC) and the EU–U.S. Data Privacy Framework, to which Google has self-certified.

7. Retention periods

Data typeRetention period
User profile (name, email, picture)Until account deletion
Session data (token, IP, user agent)7 days, refreshed on activity
Google OAuth tokensUntil account deletion
API key hashesUntil key revocation
Uploaded audio files30 days (automatic deletion)
Transcription resultsUntil you delete them
Voice clones (source + clone)Until you delete them
Webhook subscriptionsUntil you delete them
Error logs (R2, Western Europe)30 days (auto-deleted)
Accounting records (invoices etc.)7 years (statutory)

8. Your rights

Under the GDPR, you have the following rights:

  • Right of access (Art. 15) — request what personal data we process about you;
  • Right to rectification (Art. 16) — request correction of inaccurate data;
  • Right to erasure (Art. 17) — request deletion of your data ("right to be forgotten");
  • Right to restrict processing (Art. 18);
  • Right to data portability (Art. 20) — request export of your transcription and voice-clone data in machine-readable form;
  • Right to object (Art. 21) — object to processing based on legitimate interests;
  • Right not to be subject to automated decision-making (Art. 22) — we do not make automated decisions that produce legal effects concerning you.

To exercise your rights, write to privacy [ät] jutusta [punkt] ee . We respond within 30 days.

If you believe your data has been processed unlawfully, you have the right to lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon).

9. Account deletion

You can request deletion of your account by writing to privacy [ät] jutusta [punkt] ee . Upon deletion:

  • your user profile, OAuth tokens and sessions are removed from our database immediately;
  • transcription results, voice clones, saved voiceprints and API key hashes are removed with the account;
  • uploaded audio files are removed within 30 days at the latest (R2 lifecycle rule);
  • audit entries in error logs expire automatically within 30 days;
  • accounting records (if any) are retained for the 7-year statutory period.

10. Children

The service is not directed at persons under 16 (in Estonia) or under 13 (elsewhere). We do not knowingly collect data from minors. If we become aware that we have collected a minor's data, we will delete it promptly.

11. Security measures

We apply the following technical and organisational measures:

  • TLS 1.3 encryption for all traffic;
  • OAuth tokens stored securely in the database;
  • API keys stored only as SHA-256 hashes;
  • EU jurisdiction for Cloudflare R2 and D1;
  • Session cookie is HttpOnly, Secure, SameSite=Lax;
  • access roles are role-based and minimised;
  • regular dependency security review.

12. Changes to this policy

We may update this privacy policy from time to time. We will notify you of material changes by email at least 30 days before they take effect. For less significant changes, we will update the "Last updated" date above.

13. Contact

Next Interaction OÜ
Villardi tn 32-14, Kesklinna linnaosa
Tallinn 10142, Estonia
Registry code: 14100426
Email: privacy [ät] jutusta [punkt] ee

Terms · Privacy · Cookies · Withdrawal · DPA · Sub-processors · About · Blog
Jutusta · voice cloning, transcription, and translation · jutusta.ee
Next Interaction OÜ · registry code 14100426 · Villardi tn 32-14, Tallinn 10142, Eesti · email: · phone: