Privacy Policy
Last updated: 10th February 2026
1. Introduction
This Privacy Policy explains how TLC Creative Marketing ("we", "us" or "our"), trading under the SafeSpeak brand ("SafeSpeak"), collects, uses, stores, discloses and otherwise processes personal data when you:
- use and interact with our websites and web-based applications (including our progressive web application that can be installed on your device) that display or link to this Privacy Policy;
- register for an account and use our services;
- interact with us through our communications (including email); and
- otherwise engage with us.
It also tells you about your rights and choices with respect to your personal data, and how you can contact us if you have any questions or concerns. This Privacy Policy does not apply to personal data that we process on behalf of certain business customers or partners as a service provider/processor where they determine the purposes and means of processing. In those cases, our processing is governed by our agreement with the relevant business customer or partner, and you should refer to their privacy notices for information about their practices.
Please read this Privacy Policy carefully. If you do not agree with it, you should not use the Services or otherwise provide us with personal data. Your use of the Services is also governed by our Terms of Service.
We may update this Privacy Policy from time to time. If we make changes, we will post the updated Privacy Policy and update the "Last Updated" date above. If changes materially affect how we use or disclose personal data, we will provide notice as required by applicable law. Your continued use of the Services after any update becomes effective indicates your acceptance of the updated Privacy Policy.
2. Key Definitions
- SafeSpeak: The SafeSpeak platform, a brand and product operated by TLC Creative Marketing.
- Controller: The person or organisation that determines the purposes and means of processing personal data.
- EU GDPR: The General Data Protection Regulation (EU) 2016/679 and applicable national implementing laws.
- UK GDPR: The EU GDPR as incorporated into UK law, together with the Data Protection Act 2018.
- PECR: The Privacy and Electronic Communications (EC Directive) Regulations 2003, as amended.
- Personal data: Information that identifies or can reasonably be used to identify an individual.
3. Information We Collect
Some functionality of the Services can be used without providing personal data, though certain features require it. We generally collect personal data in three categories: (i) information provided directly by you; (ii) information received from third parties; and (iii) information collected automatically.
3.1 Information Provided Directly by You
Account Registration
If you register for an account, we collect your email address and password (or authentication credentials if you sign in via a third-party provider such as Google). Where you use Google sign-in, we receive your name, email address, and profile picture as permitted by your Google account settings.
Onboarding Information
During onboarding, we may ask for your preferred display name, how you discovered SafeSpeak, and your primary goal for using the service. This information is stored in your user profile and used to personalise your experience.
Communications
We collect personal data you provide when you contact us, request support, respond to surveys, provide feedback, or otherwise communicate with us.
Transactions and Payment Information
If you start a trial or purchase a paid subscription, we receive transaction details (for example, your name, amount paid, payment date, subscription tier, and billing information). Payment card details are typically processed by our payment processors and are not stored by us except as permitted or necessary for payment administration.
User Content and Voice Data
When you use SafeSpeak to capture ideas, you may provide voice recordings, written notes, tags, titles, and other content. Voice recordings are captured through your device's microphone (which requires your explicit permission via your browser or device settings). The Services request microphone access with echo cancellation, noise suppression, and auto-gain control enabled. Raw audio files are stored securely and retained alongside their transcriptions so that you can play back your recordings at any time. See Section 6 (Voice and Audio Data) for full details on how we handle Voice Data. You may also share content within invite-only collaborative groups, contribute to shared thoughts, and interact with AI-generated summaries of collaborative content.
Invitation Data
If you invite another person to collaborate on a shared thought, we collect their email address and (optionally) their name in order to deliver the invitation. If you are invited, the thought owner can see your email address in connection with the invitation. Invitations expire after 7 days.
Identity Verification
In some cases (for example if you request a refund) we may ask you to provide billing information, email address, login name, and other information that verifies your identity, in accordance with applicable law.
Testimonials
We collect and display personal testimonials of satisfied customers on the Services. With your consent, we may post your testimonial along with your name. If you wish to update or delete your testimonial, you can contact us at hello@safespeak.space.
3.2 Information Received From Third Parties
We may receive personal data from third parties, such as:
- Authentication providers: if you sign in via Google OAuth, we receive your name, email address, and profile picture as permitted by your settings with that provider.
- Partners, resellers or distributors: if you obtain access to the Services through a partner that bundles or licenses SafeSpeak as part of its own offering, we may receive business contact information and account administration details from that partner.
- Other sources: marketing partners, publicly available sources, and data providers, where permitted by law, to improve record accuracy and support our sales and marketing activities.
3.3 Information Collected Automatically
Like many online services, we use technologies to automatically collect information that may include personal data as you navigate our websites or use the Services, subject to your choices and consent where required by law.
Device and Usage Data
We operate a custom-built analytics system (we do not use third-party analytics services such as Google Analytics). Through this system we collect:
- pages visited and page paths
- session identifiers (randomly generated, not linked to device identity)
- session duration
- browser user agent string
- device type (derived from user agent: mobile, tablet, or desktop)
- referring URL (the page you visited before arriving at our site)
- interaction events (such as recording started, recording completed, pull-to-refresh)
We do not collect IP addresses in our application-level analytics, though our infrastructure providers may log IP addresses at the platform level as part of standard server operations. We do not use device fingerprinting, and we do not load any third-party tracking pixels or advertising scripts.
Haptic Feedback
On supported devices, the Services may use your device's vibration API to provide haptic feedback during certain interactions (such as starting or stopping a recording). No data is collected through this feature.
Third-Party Resources
The Services load fonts from Google Fonts (fonts.googleapis.com and fonts.gstatic.com). When your browser requests these fonts, Google may receive your IP address. Google's use of this data is governed by Google's Privacy Policy.
4. Cookies, Local Storage and Similar Technologies
We use cookies and similar browser storage technologies for core functionality. Where required by law (including under UK PECR and EU ePrivacy rules), we request consent for non-essential storage.
4.1 Cookies
Our application code does not set explicit cookies. However, our authentication provider (Supabase) may use cookies as part of its session management.
4.2 Browser Storage
| Storage Type | Key / Purpose | Duration |
|---|---|---|
| localStorage | Authentication tokens (JWT access and refresh tokens) managed by Supabase | Persistent until sign-out |
| sessionStorage | Analytics session ID (randomly generated UUID) | Current browser session only |
| sessionStorage | Analytics session start timestamp | Current browser session only |
| sessionStorage | Page timing tracking | Current browser session only |
| sessionStorage | Pending invite token (for post-authentication acceptance) | Current browser session only |
| sessionStorage | UI state flags (e.g., welcome toast display) | Current browser session only |
4.3 Service Worker and PWA Caching
The Services can be installed as a progressive web application (PWA) on your device. When installed or visited, a service worker may cache application assets (JavaScript, CSS, HTML, icons, and fonts) on your device to improve performance and enable faster loading. Cached Google Fonts are stored for up to one year. Application assets are updated automatically when new versions are available.
You can manage cookie preferences through our cookie banner/settings and your browser controls. You may also clear browser storage and cached data through your browser settings at any time.
5. How We Use Your Personal Data
We use personal data for the following purposes. For each purpose, we identify the lawful basis under Article 6 of the UK GDPR / EU GDPR:
- To provide the Services and related support, manage accounts, process registrations, and respond to requests
- To operate, maintain, and improve the Services, including analytics, troubleshooting, quality assurance, research, and development
- To enable AI-powered features such as transcription, semantic search, categorisation, tag suggestion, title generation, summarisation, and conversational insight generation (see Section 6 and Section 7)
- To personalise your experience using onboarding preferences (display name, primary goal)
- To manage our relationship with you, including sending administrative communications, product guidance, feature updates, and information about changes to our terms and policies
- To send marketing communications, including information about upgrades, plans, pricing, promotions, and launch announcements, where permitted by law
- To facilitate collaboration features, including delivering invitation emails and enabling shared thought participation
- To secure the Services, prevent fraud, investigate abuse, and protect our rights and the rights of others
- To comply with legal obligations, enforce our agreements, and maintain suppression lists to honour opt-out requests
- To send automated onboarding and welcome email sequences to new users
6. Voice and Audio Data
Given the central role of voice capture in our Services, we want to be transparent about how we handle your Voice Data.
6.1 How Voice Data Is Processed
| Stage | What Happens | Where |
|---|---|---|
| 1. Recording | Audio is captured via your device's microphone using the browser's MediaRecorder API. You must grant microphone permission before recording. | Your device (browser) |
| 2. Upload | The audio file is uploaded to a private storage bucket. Files are stored at a path unique to your user account. | Supabase Storage (hosted in USA) |
| 3. Transcription | The audio file is sent to OpenAI's Whisper API (model: whisper-1) for speech-to-text transcription. The transcript is saved to your thought record. | OpenAI (USA) |
| 4. Storage | Both the raw audio file and the transcription are stored. You can play back your audio from the thought detail view at any time. | Supabase (USA) |
6.2 Audio Retention
Raw audio files are retained for as long as your account is active or until you delete the associated thought. We retain audio so that you can play back your original recordings. When you delete a thought, the associated audio file is also deleted. If you wish to verify deletion of your audio data, please contact us at hello@safespeak.space.
6.3 Voice Data and Third Parties
Your audio files are sent to OpenAI solely for the purpose of transcription. OpenAI's API data usage policy states that data submitted via the API is not used to train their models. We do not share your audio with any other third parties. We do not use Voice Data to create voice profiles, biometric identifiers, or for speaker identification purposes.
7. AI Processing and Automated Features
The Services use AI technologies to provide core features. We want to be transparent about which AI providers process your data, what data they receive, and for what purpose.
7.1 AI Features and Providers
| Feature | AI Provider | Data Sent | Model |
|---|---|---|---|
| Voice transcription | OpenAI | Raw audio file | Whisper (whisper-1) |
| Semantic search (embeddings) | OpenAI | Thought text content (up to 8,000 characters) or search query | text-embedding-3-small |
| Chat with your thoughts | OpenAI | Your chat messages plus up to 15 relevant thought excerpts (500 characters each) | gpt-4o-mini |
| Tag suggestions | OpenAI | Thought text (up to 2,000 characters) plus existing tag names | gpt-4o-mini |
| Title generation | OpenAI | User message excerpt (500 characters) plus assistant response excerpt (300 characters) | gpt-4o-mini |
| Thought summaries | OpenAI | Root thought content, all contributions, and participant display names | gpt-4o-mini |
7.2 Model Training
We do not currently use User Content to train, fine-tune, or improve AI models. All AI providers listed above are used in inference-only mode (meaning they process your data to generate a result and do not retain it for model training purposes). OpenAI's API terms confirm that API data is not used for model training by default. If we introduce any use of User Content for model training in the future, we will update this Privacy Policy, notify you, and provide a clear opt-out mechanism before any such processing begins.
7.3 Automated Decision-Making
Our AI features are assistive in nature. They generate suggestions (such as tags and titles), produce summaries, and return search results. No automated decisions are made that produce legal effects or similarly significant effects on you. You can ignore, edit, or override any AI-generated content at any time.
8. How We Disclose Your Personal Data
We do not sell, rent, lease, or otherwise provide your personal data to others except as described below, to provide the Services you request, with your permission, or as required or permitted by law.
Service Providers and Sub-processors
We engage the following categories of service providers to process personal data on our behalf, under our instructions and subject to contractual protections:
| Provider | Purpose | Data Processed | Location |
|---|---|---|---|
| Supabase | Database, authentication, file storage, edge functions (application hosting) | All user data, authentication tokens, audio files, analytics data | USA |
| OpenAI | Voice transcription, vector embeddings, chat responses, tag suggestions, title generation, thought summaries | Audio files, thought text content, search queries, chat messages, participant names | USA |
| Resend | Transactional email delivery (invitations, notifications) | Recipient email address, inviter name, thought title | USA |
| n8n Cloud | Automated onboarding workflows (welcome email sequences) | User ID, email, name, discovery source, primary goal | EU (n8n GmbH) |
| Google Fonts | Font delivery | IP address (via browser font requests) | USA |
| Google (OAuth) | Social authentication | Email, name, profile picture (as permitted by your Google settings) | USA |
Collaboration Participants
When you participate in a shared thought, the following information becomes visible to other active participants: the root thought content (title and text), contribution content, your display name, and any AI-generated summary. Participant counts are visible to the thought owner. Shared thoughts are invite-only and not publicly accessible.
Partners and Business Customers
If you access the Services through an employer, business customer, or partner, we may share limited information needed for account administration, billing, support, and service delivery.
Business Transfers
If we are involved in a merger, acquisition, financing, reorganisation, bankruptcy, or sale of assets, personal data may be transferred as part of that transaction subject to applicable legal requirements.
Legal Requirements
We may disclose personal data to comply with legal obligations, respond to lawful requests, protect rights and safety, and enforce our Terms.
9. Data Retention
We retain personal data for as long as reasonably necessary to provide the Services and fulfil transactions you have requested. The following table sets out our retention approach for key categories of data:
| Data Category | Retention Period |
|---|---|
| Account data (profile, email, authentication) | Retained while your account is active, and for up to 30 days after account deletion to allow for recovery |
| Thoughts and transcriptions | Retained until you delete them or delete your account |
| Voice recordings (audio files) | Retained until you delete the associated thought or delete your account |
| AI chat conversations | Retained until you delete them or delete your account |
| Analytics data (sessions, events) | Retained while your account is active, and for up to 24 months after account deletion, then anonymised or deleted |
| Invitation records | Invitations expire after 7 days; records retained for up to 90 days for audit purposes |
| Transactional and billing data | Retained for as long as required by applicable tax and accounting laws |
| Marketing suppression lists | Retained indefinitely to honour your opt-out preferences |
After the applicable retention period, personal data will be deleted or anonymised. Where deletion of specific records is not technically feasible in the short term (for example, data within backups), we apply appropriate access controls and will delete it when the backup is cycled.
10. How We Protect Your Personal Data
We implement physical, technical, and organisational measures designed to protect the confidentiality and integrity of personal data, including:
- Encryption in transit (HTTPS/TLS) for all connections to our Services, APIs, and third-party providers
- Encryption at rest provided by our infrastructure provider (Supabase/AWS)
- Private storage buckets for audio files (not publicly accessible), with time-limited signed URLs (1-hour expiry) for playback
- Row-level security (RLS) policies on all database tables, ensuring users can only access their own data (or data shared with them through the collaboration features)
- Scope-limited sign-out (clearing credentials on the current device only)
- Access controls limiting internal access to personal data
However, no internet-based service can be guaranteed to be 100% secure. You are responsible for protecting the security of your login credentials. If you believe your account has been compromised or personal data has been misused, please contact us at hello@safespeak.space.
Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach, as required under Article 33 of the UK GDPR. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you without undue delay, as required under Article 34.
11. International Transfers of Personal Data
We are based in the United Kingdom. As detailed in Section 8, several of our service providers are located in the United States and the European Union. These jurisdictions may have data protection laws that differ from those in your country of residence. Where we transfer personal data internationally, we ensure appropriate safeguards are in place. Depending on the transfer route, safeguards include:
- The UK International Data Transfer Agreement (IDTA) and/or the UK Addendum to the EU Standard Contractual Clauses for transfers from the UK
- The European Commission's Standard Contractual Clauses (SCCs) for transfers subject to EU GDPR
- Other legally recognised transfer mechanisms as applicable
You may contact us for more information about the specific safeguards we have in place with each service provider.
EU Representative
Where required under Article 27 of the EU GDPR, we will appoint an EU representative. Details will be made available in this Privacy Policy.
12. Privacy Rights and Choices
Your Rights Under UK GDPR and EU GDPR
Depending on your location and applicable law, you have the following rights:
- Right of access: You can request a copy of the personal data we hold about you.
- Right to rectification: You can request correction of inaccurate personal data.
- Right to erasure: You can request deletion of your personal data in certain circumstances.
- Right to restriction: You can request that we restrict processing of your personal data in certain circumstances.
- Right to data portability: You can request a copy of your personal data in a structured, commonly used, machine-readable format.
- Right to object: Where we process personal data based on our legitimate interests, you have the right to object to such processing on grounds relating to your particular situation.
- Right to withdraw consent: Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.
- Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority. For UK residents, this is the Information Commissioner's Office (ICO) at ico.org.uk. For EU residents, you may contact your local data protection authority.
Opt-Out of Marketing Communications
You may opt out of marketing-related emails by using the unsubscribe instructions in the emails you receive, or by contacting us at hello@safespeak.space. You may continue to receive service-related and other non-marketing communications.
How to Exercise Your Rights
To make a data rights request, please contact us at hello@safespeak.space. We may request information to verify your identity. We will handle requests in accordance with applicable law within one month (extendable by a further two months for complex requests). Your rights may be limited in certain situations, such as where fulfilling a request would impair the rights of others or our ability to comply with legal obligations.
Account Deletion
You may request deletion of your account and all associated data by contacting us at hello@safespeak.space. Upon receiving a verified deletion request, we will delete your profile, thoughts, audio files, transcriptions, chat conversations, tags, and analytics data within 30 days, subject to any legal retention obligations.
Additional Rights for Certain Jurisdictions
Depending on your location, you may have additional privacy rights under applicable laws (including certain U.S. state laws such as the California Consumer Privacy Act). We do not sell personal data. We will respond to verified requests in accordance with applicable law.
13. Children
Our Services are not directed to children. The Services are intended for adults aged 18 and over. We do not knowingly collect personal data from children. If you believe a child has provided personal data to us, please contact us and we will take appropriate steps to delete it.
14. Contact Information
Controller: TLC Creative Marketing
87 West Ave, Northwich, CW9 7ET, United Kingdom
Email: hello@safespeak.space
Supervisory Authority
If you are not satisfied with our response to a privacy concern, you have the right to lodge a complaint with:
- UK: Information Commissioner's Office (ICO), ico.org.uk, telephone: 0303 123 1113
- EU: Your local data protection authority
Appendix: Sub-processor List
The following third-party sub-processors process personal data on our behalf in connection with the provision of the Services:
| Sub-processor | Purpose | Data Categories | Location |
|---|---|---|---|
| Supabase Inc. | Application hosting, database, authentication, file storage, serverless functions | Account data, user content, audio files, analytics, authentication tokens | USA |
| OpenAI Inc. | Voice transcription, vector embeddings, AI chat, tag suggestions, title generation, thought summaries | Audio files, thought text, search queries, chat messages, participant names | USA |
| Resend Inc. | Transactional email delivery | Recipient email, inviter name, thought title | USA |
| n8n GmbH | Automated onboarding email workflows | User ID, email, name, discovery source, primary goal | EU |
| Google LLC | OAuth authentication, font delivery | Authentication data, IP addresses | USA |
We will update this list when we engage new sub-processors or make changes to existing arrangements. Material changes will be communicated in accordance with our Privacy Policy.
Also see our Terms of Service.