Speak2Action Privacy Policy
Last updated: 2026-06-02
1. Who we are
Speak2Action is provided by:
- Legal entity: SidemenAI
- Trade name: Speak2Action
- Business address: Schieweg 201-A01, 3038AT Rotterdam, The Netherlands
- Chamber of Commerce (KvK) number: 62566814
- Email: support@speak2action.com
- Website: https://speak2action.com
In this Privacy Policy, “Speak2Action”, “we”, “us”, and “our” refer to the provider listed above.
For personal data we process for account management, security, support, communications, app distribution, contract administration, and our own operational records, SidemenAI acts as the controller. For meeting content that a business customer or user processes through Speak2Action, we may act as a processor on behalf of that business customer. In that case, the customer determines the purpose, means, and legal basis for recording, uploading, and using the meeting content.
2. What Speak2Action does
Speak2Action is a mobile-first post-meeting execution app for sales teams. Users can record a short spoken recap after a customer meeting or select an existing audio file for upload. Speak2Action helps turn that audio into structured outputs such as summaries, action items, CRM-ready context, and follow-up drafts for user review.
3. Personal data we process
Depending on how the service is used, we may process:
- account identity data, such as user id, email address, first name, last name, display name, and last-seen timestamp
- authentication and session data needed to keep users signed in securely
- local app preferences, such as language, theme, recording language, output language, phone number, and professional context
- audio recordings and related metadata, such as format, size, duration, and storage path
- raw transcripts produced from uploaded audio
- meeting content, including people, companies, customer context, business context, and other information mentioned in a recording or added during review
- generated business records, such as summaries, action items, CRM-ready context, and follow-up email drafts
- CRM connection and export data, such as HubSpot account metadata, selected CRM contact or company ids and labels, OAuth credentials stored in encrypted form, export status, provider note ids, and export errors
- technical and operational data, such as processing job status, error messages, app version, build profile, device/runtime diagnostics, crash data, traces, route context, and debugging breadcrumbs
- support communications when users contact us
Speak2Action is not intended for processing special categories of personal data or criminal-offence data. Because meeting audio can contain free-form content, users may incidentally record such data. Users and their organizations are responsible for not uploading such data unless they have a valid legal basis, exception, and appropriate safeguards in place.
4. How we collect personal data
We collect personal data:
- directly from users when they sign in, update settings or profile details, record audio, select an audio file, review content, connect CRM accounts, export CRM notes, or contact support
- from app and server activity when Speak2Action stores session data, processing state, operational logs, error reports, and security information required to run the service
- from service providers used to operate infrastructure, authentication, storage, transcription, AI generation, error reporting, CRM integration, app builds, app distribution, and support workflows
5. Why we process personal data
We process personal data to:
- create and manage user accounts
- authenticate users and keep sessions secure
- upload, store, transcribe, and process meeting audio
- generate structured meeting outputs for review
- let users review, edit, approve, delete, export, and act on generated outputs
- connect to CRM systems and export reviewed meeting notes where the user chooses to do so
- secure, debug, monitor, and improve the reliability of the service
- respond to support and privacy requests
- comply with legal obligations and protect rights, safety, and the integrity of the service
6. Legal bases
Where the GDPR or similar laws apply, we rely on the following legal bases:
- Account access, authentication, session management, core app settings, audio upload, transcription, structured output generation, review flows, and CRM export features: performance of a contract.
- Security, abuse prevention, debugging, reliability monitoring, processing telemetry, CRM export logs, and limited error reporting: legitimate interests.
- Support communications: performance of a contract and, where applicable, legitimate interests.
- Legal requests, compliance, recordkeeping, and protection of rights: compliance with legal obligations or legitimate interests, depending on the context.
Our legitimate interests generally include operating a secure and reliable business service, preventing misuse, diagnosing failures, supporting users, and maintaining an accurate operational record of user-triggered processing.
7. AI and audio processing
Speak2Action uses server-side processing to transcribe uploaded audio and generate structured outputs. Transcription and structuring are handled outside the mobile app, and the app does not make direct LLM or transcription API calls.
Generated outputs are assistive drafts. Users remain responsible for reviewing, editing, approving, and deciding how to use them before relying on them or sharing them externally.
Speak2Action does not use solely automated decision-making that produces legal effects concerning users or similarly significantly affects them within the meaning of Article 22 GDPR.
7a. Internal quality improvement (Prompt Lab)
To monitor and improve the quality of AI output we use a restricted internal evaluation environment we call “Prompt Lab”. In it we process:
- test transcripts and excerpts
- uploaded test-audio objects
- prompt snapshots and generated model output
- transcription comparison output and provider response metadata
- error messages, model response ids, and execution metadata
- internal quality labels, review tags, and reviewer notes
- the identity of the administrator who ran the evaluation
By default we use synthetic, owner-created, or pseudonymized fixtures. We only use real customer content in this environment with the separate written authorization of the relevant business customer, limited to specifically designated test cases or explicitly labeled audio sources. Prompt Lab data is automatically deleted within at most 90 days, sooner on customer request. Access is restricted to authorized administrators. We do not use Prompt Lab data to train general-purpose AI models.
8. Device permissions and local data
Speak2Action may request microphone access when a user chooses to record spoken recaps. Device permissions can usually be managed through the operating system settings.
When a user imports an audio file through the system file picker, Speak2Action only accesses the specific file selected by the user.
Some preferences and session data are stored locally on the device. Secure authentication session data is stored using the device's secure storage where available. If a user clears app data, changes device settings, or signs out, local app behavior may change.
Some data is required to provide Speak2Action. If a user does not provide required account, authentication, or recording-related data, some or all core features may not work.
9. Recipients and service providers
We may share personal data with service providers that help us operate Speak2Action, including providers of:
- authentication, database, storage, Edge Functions, and cloud infrastructure, including Supabase
- audio transcription, including OpenAI
- structured-output generation, including Anthropic
- error reporting and diagnostics, including Sentry
- CRM integration and CRM note export destinations, including HubSpot where a user connects it
- app build, update, beta testing, and distribution infrastructure, including Expo/EAS and Apple App Store/TestFlight where relevant
- support, security, legal, and business operations
We do not sell personal data. We do not use personal data for third-party advertising.
We may also disclose data where necessary to comply with law, respond to lawful requests, protect rights or safety, prevent abuse, enforce terms, or support a merger, acquisition, financing, or similar business transaction.
10. International transfers
Personal data may be processed in countries other than the country where a user is located, including outside the European Economic Area. Where required, we use appropriate safeguards such as European Commission adequacy decisions (including the EU-US Data Privacy Framework for certified U.S. recipients), Standard Contractual Clauses, data processing agreements, or another lawful transfer mechanism available under applicable data protection law.
For transfers to U.S.-based sub-processors (such as OpenAI and Anthropic) we perform a transfer impact assessment and apply supplementary measures including encryption in transit, contractual exclusion of use for model training, and — where available — zero-retention settings at the API level.
A copy of, or reference to, the safeguards applied (such as the Standard Contractual Clauses) is available on request at support@speak2action.com.
11. Retention
We retain personal data only for as long as reasonably necessary for the purposes described in this Privacy Policy, unless a longer period is required or permitted by law.
Current working retention periods include:
- Raw audio: deleted 30 days after successful processing, or earlier when the meeting is permanently deleted.
- Raw transcript: deleted 30 days after successful processing, or earlier when the meeting is permanently deleted.
- Generated briefs, action items, and follow-up email drafts: retained while the account is active unless the user deletes the meeting or account.
- Processing jobs: deleted after 90 days.
- CRM export logs: deleted after 180 days or sooner when the meeting is deleted, unless retention is needed for a dispute, support issue, security reason, or legal obligation.
- Local preferences: retained on the device until changed, cleared, or affected by sign-out/account handling.
- Error reporting data: retained for approximately 30 days under the current Sentry configuration, using SDK scrubbing and project settings intended to reduce sensitive content.
- Support messages: 24 months after ticket closure.
- Administrative and audit logs: standard admin logs 12 months; security-relevant events (role/permission changes, login anomalies) 24 months.
- Post-termination account and contract records: 7 years in a legal-hold-isolated record to satisfy Dutch fiscal retention (Article 52 AWR); personal data not required for fiscal records is deleted sooner via the erasure process.
- Marketing and sales CRM (SidemenAI’s own outbound funnel): 2 years after the last interaction, aligned with the Dutch Data Protection Authority guidance on direct marketing.
- Anonymized product analytics: indefinite, conditional on irreversible anonymization verified via k-anonymity.
- Prompt Lab evaluation data: up to 90 days after creation, sooner on customer request for authorized customer data.
- Backups: rotating cycle of up to 30 days; deletion in active systems propagates on the next rotation. Backups are not restored except for continuity or legal necessity.
Account-wide deletion and export requests are handled through support while self-service account deletion/export is not yet available in the app. We aim to resolve such requests within 30 days of identity verification, with a possible extension of up to 60 days for complex requests in line with Article 12(3) GDPR.
12. CRM exports and third-party systems
If a user connects a CRM account and exports a note, Speak2Action may send reviewed meeting content to that CRM. Once content is exported to a third-party CRM, that provider and the CRM account owner may independently control copies of the exported note. Deleting data in Speak2Action may not automatically delete copies already exported to the CRM.
13. TestFlight and app distribution
If a user participates in beta testing through Apple TestFlight, Apple may process beta tester data, device information, crash logs, usage information, screenshots, and feedback, and may share relevant beta testing information with us as the app provider. Apple applies its own TestFlight privacy terms and retention practices.
14. Security
We use technical and organizational measures designed to protect personal data against unauthorized access, loss, misuse, or alteration. These include private storage for raw audio, server-side AI processing, access controls, row-level access controls where applicable, secure session storage in the mobile app, and error-reporting scrubbing.
No system can be guaranteed to be completely secure. Users should also protect their account credentials, devices, and CRM accounts.
15. User rights
Depending on location and applicable law, users may have rights to:
- access their personal data
- correct inaccurate personal data
- request deletion of personal data
- restrict or object to certain processing
- receive a copy of certain personal data in a portable format
- withdraw consent where processing is based on consent
- lodge a complaint with a supervisory authority
Users can submit privacy requests by contacting:
Users in the European Union may lodge a complaint with their local supervisory authority. In the Netherlands, that authority is the Autoriteit Persoonsgegevens.
16. Personal data about non-users
Speak2Action may process personal data about customer contacts, prospects, colleagues, or other people mentioned by users in recordings, review content, generated outputs, or CRM exports.
Users are responsible for using Speak2Action lawfully in their meeting context, including providing any notices or obtaining any permissions required by their organization, customer relationship, or applicable law before recording or uploading meeting content.
Where we process non-user data to provide Speak2Action, the processing is generally necessary to provide the service to the user and to support accurate post-meeting follow-up and action records. Non-users can contact us at support@speak2action.com with privacy questions or requests. We may need to verify the request and coordinate with the relevant user or customer account before responding.
17. Children
Speak2Action is a business tool and is not intended for children. We do not knowingly collect personal data from children where prohibited by law.
18. Changes to this policy
We may update this Privacy Policy from time to time. When we do, we will publish the updated version at the public privacy-policy URL associated with the app and update the “Last updated” date above.
19. Contact
For privacy questions or requests, contact:
- Speak2Action Support
- support@speak2action.com
- https://speak2action.com