Privacy Policy

Last Updated: 2026-05-22 Version: 1 (DRAFT — pending lawyer review) Effective Date: 2026-06-18

This Privacy Policy explains how Individual Entrepreneur ARTEM KHAUSTOV (“NoParrot”, “we”, “us”) collects, uses, and protects your personal data when you use the NoParrot service (the “Service”).

We take your privacy seriously. Our positioning is local-first: by default, your audio and transcripts never leave your machine.

1. Who we are

Data controller: Individual Entrepreneur ARTEM KHAUSTOV, a Georgian Individual Entrepreneur registered with the Georgian Revenue Service under ID 302302657, with registered address at Georgia, Tbilisi, Chugureti district, Mikheil Tsinamsavrishvili street, N 52, Georgia.
EU Representative (per GDPR Article 27): not yet appointed — NoParrot does not currently target EU data subjects (a representative will be appointed before offering services in the EU).
UK Representative (per UK GDPR Article 27): not yet appointed — NoParrot does not currently target UK data subjects (a representative will be appointed before offering services in the UK).
Contact for privacy matters: privacy@noparrot.com.

[LAWYER: confirm EU Rep is contracted (Prighter / EDPO / DataRep) before publishing. Critic 025 SB-1: Art. 27 is Day-0 obligation from customer #1, not Phase 2.]

2. What personal data we collect

2.1 Account data

When you register an account, we collect:

Email address
Hashed password (we never store plaintext passwords)
Display name (optional)
Locale and country (derived from sign-up)
Account creation timestamp and last-login timestamp

2.2 Subscription and billing data

When you purchase a subscription or Cloud Credits, our payment provider Lemon Squeezy processes your payment and shares with us:

Payment method brand (Visa, Mastercard, PayPal, etc.) — not full card numbers
Last four digits of card or account identifier
Payment method fingerprint (an opaque hash used for fraud prevention)
Billing country
Order amount, currency, and timestamp
Tax amount collected at point of sale

We never see or store your full credit card number.

2.3 Hardware fingerprint

When you activate a Pro/Team license on a device, we generate and store a one-way hash of stable hardware identifiers (e.g., motherboard UUID, CPU ID, salted with a NoParrot-specific salt). This hash is used to enforce per-license device limits (e.g., 3 machines per Pro license).

This hash is personal data under the GDPR because it is a persistent identifier that, when combined with your account_id, allows us to recognise your device. We disclose this collection explicitly at activation time and obtain your consent through a dedicated dialog before proceeding.

We never store the raw component values — only the hash. The hash cannot be reversed to identify the underlying hardware.

2.4 Usage data

When you use the Service, we record:

Cloud transcription minutes consumed
Number of files processed
Feature usage events (e.g., “Notion push succeeded”, “Smart routing applied”)
Tier-specific limits and consumption
Audio file metadata (filename hash, duration, language) — NOT the audio content itself
Transcription job timing and processing metadata

2.5 Pseudonymous telemetry

By default, our application sends pseudonymous usage data including:

Application version, OS platform, locale
GPU vendor category (e.g., “nvidia_consumer_high”, “apple_silicon”)
Random anonymous client identifier (client_id)
Event-level feature usage and outcomes

Important clarification: Although this data does not contain your name, email, or other direct identifiers, it is technically pseudonymous personal data under GDPR Recital 26 because it can be associated with you via your client_id and, after you sign in, via your account_id. We process this data on the basis of our legitimate interest in product improvement (GDPR Article 6(1)(f)).

You may opt out at any time:

Settings → Privacy → Disable analytics
Or set environment variable TRANSCRIBEAI_TELEMETRY=0

2.6 Cloud transcription data (opt-in only)

If you opt in to cloud transcription, we temporarily process:

The audio file (encrypted in transit using TLS 1.3)
Derived intermediate artifacts (segmentation, diarisation outputs)

These are deleted within 30 days of completion. We do not use your audio or transcripts to train any AI model. You may verify deletion via the data-export endpoint described in Section 6.

2.7 IP addresses

We hash incoming IP addresses (truncated to the /24 subnet) for security, fraud prevention, and geolocation purposes. We do not store plaintext IP addresses long-term.

2.8 Cookies and similar technologies

See our Cookie Policy for details. Summary: we use only essential security cookies; our analytics provider (Plausible) is cookieless.

3. Why we collect personal data (legal bases)

Under the GDPR, we rely on the following legal bases:

Data category	Legal basis
Account / subscription data	Contract performance (Art. 6(1)(b))
Cloud transcription processing	Contract performance (Art. 6(1)(b))
Hardware fingerprint	Legitimate interest (Art. 6(1)(f)) + explicit consent at activation
Pseudonymous telemetry	Legitimate interest (Art. 6(1)(f)) — opt-out available
Marketing emails	Consent (Art. 6(1)(a)) — opt-in only
Anti-fraud (chargeback blacklist)	Legitimate interest + legal obligation (Art. 6(1)(c)+(f))
Tax records	Legal obligation (Art. 6(1)(c)) — 10-year retention required

We maintain a documented Legitimate Interest Assessment (LIA) for each (f)-basis processing activity, available on request to data protection authorities.

[LAWYER: confirm LIA documentation; particularly verify hardware fingerprint LIA — we should NOT rely on consent for activation-required processing (Art. 7(4) — consent not freely given). Use legitimate interest with a documented LIA + a clear consent dialog as transparency, NOT as a separate legal basis.]

We share personal data with the following sub-processors only as necessary to provide the Service:

Sub-processor	Purpose	Data shared	Location
Lemon Squeezy Inc.	Payment processing (Merchant of Record)	Email, name, billing address, payment method	USA (subsidiary of Stripe Inc.)
Fly.io / Render	Application hosting	Application data	USA / EU (configurable)
RunPod / Lambda	Cloud GPU transcription (opt-in only)	Audio file (encrypted)	USA
Resend	Transactional emails	Email address, message content	USA (EU data residency option used where available)
Cloudflare	DDoS protection and CDN	IP address (transitive)	Global
Plausible Cloud	Cookieless web analytics	URL pageviews, country (no cookies)	Germany / EU
db-ip.com (free dataset)	Country geolocation	None (local lookup, no data flows)	Local

A complete and current list of sub-processors is available at /legal/subprocessors. We provide 30-day advance notice of any new sub-processor to subscribers via email.

No data sales. We do not sell your personal data and do not share it for cross-context behavioural advertising (CCPA / CPRA definition).

5. International transfers

The Service is operated from Georgia. Personal data is processed in the EU/EEA, UK, USA, and Georgia depending on the sub-processor.

For transfers outside the EEA/UK, we rely on:

EU Standard Contractual Clauses (SCC) Module 2 under Decision 2021/914 for processor arrangements.
UK International Data Transfer Addendum (IDTA) for UK personal data.
Switzerland SCC addendum where applicable.

We maintain a documented Transfer Impact Assessment (TIA) for each US-based sub-processor (Schrems II requirement). TIAs are available on request to enterprise customers and to data protection authorities.

For Enterprise customers requiring EU-only data residency, we offer Fly.io / Render EU regions upon contract — discuss with support@noparrot.com.

6. Your rights

Under the GDPR, UK GDPR, CCPA/CPRA, and similar laws, you have the right to:

Right	What it means	How to exercise
Access	Receive a copy of your personal data	Settings → Privacy → “Download my data” or email `privacy@noparrot.com`
Rectification	Correct inaccurate data	Settings → Account or `privacy@noparrot.com`
Erasure (“right to be forgotten”)	Delete your account and personal data	Settings → “Delete my account” (7-day grace period) or `privacy@noparrot.com`
Restriction	Limit how we process your data	`privacy@noparrot.com`
Portability	Receive your data in machine-readable format	Settings → Privacy → “Export data” (JSON + CSV)
Objection	Opt out of processing based on legitimate interest	Settings → Privacy → “Disable telemetry”; `privacy@noparrot.com` for other categories
Withdraw consent	Withdraw previously given consent	Settings or `privacy@noparrot.com`; does not affect prior lawful processing
Lodge a complaint	Contact your local data protection authority	See list at https://edpb.europa.eu/about-edpb/board/members_en

We respond within 30 days to verified requests (extendable to 90 days for complex requests with notice). We may request additional information to verify your identity.

6.1 California residents (CCPA / CPRA)

You also have:

The right to know what categories of personal information we collect and the purposes.
The right to opt out of “sale” or “sharing” — although we do not sell or share for behavioural advertising, you can still exercise this right at privacy@noparrot.com (link: “Do Not Sell or Share My Personal Information”).
The right to non-discrimination for exercising your privacy rights.

Telemetry events emitted before you sign in are stored under a randomly generated client_id and contain no direct identifiers. Because we cannot link them to any natural person, they are treated as anonymous data under EDPB Guidelines 04/2020 and are not subject to erasure requests. If you signed in at any point, we associate your client_id with your account, and events from that point are subject to all rights above.

7. Data retention

Data category	Retention period	Reason
Account profile	Until account deletion (+ 7-day grace)	Service operation
Subscription history (PII fields)	Scrubbed on erasure	Account-tied
Subscription history (aggregates: amount, dates)	10 years	Tax law (Georgia, EU, US)
Order records (PII fields)	Scrubbed on erasure	Account-tied
Order records (aggregates)	10 years	Tax law
Cloud transcription audio	≤ 30 days	Deleted post-processing
Cloud transcription text outputs	Until account deletion	Service operation
Hardware fingerprints / activation rows	Deleted on erasure	Account-tied
License revocation list	Indefinite	Anti-piracy and refund integrity
Telemetry events (linked to account)	90 days detailed, 18 months aggregate	Product improvement
Telemetry events (pre-login anonymous)	18 months aggregate, no individual lookup	Aggregate analytics only
Chargeback blacklist	90 days from chargeback	Fraud prevention (legitimate interest)
Billing audit log	10 years	Tax and legal-hold
Tax-related correspondence	10 years	Tax law

For full erasure semantics (which fields survive vs which are deleted), see the internal Erasure Matrix in our DPIA.

8. Children

The Service is not directed to children under 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided personal data without parental consent, please contact privacy@noparrot.com and we will delete the data promptly.

[LAWYER: GDPR Art. 8 default is 16, but member states can lower (UK=13, FR=15, DE=16, IT=14, ES=14, SE=13, IE=16). We chose conservative 16-everywhere to simplify. Confirm acceptable.]

9. Data Protection Impact Assessment (DPIA)

We have completed a Data Protection Impact Assessment (DPIA) for cloud transcription processing under GDPR Article 35, given that:

We perform systematic monitoring of user actions (telemetry).
The content may incidentally include special-category data under Art. 9 (e.g., health discussions, biometric voice data).
The processing uses innovative AI/ML technology (Whisper, pyannote).

The DPIA is reviewed annually and updated when material processing changes occur. A redacted version is available to enterprise customers on request.

10. Security measures

We implement technical and organisational measures (TOMs) appropriate to the risk, including:

TLS 1.3 in transit; AES-256 at rest for sensitive data
Hashed passwords (bcrypt); never stored in plaintext
Hardware fingerprints stored as one-way SHA-256 hashes
Pseudonymised IP addresses (truncated to /24)
Role-based access control (RBAC) for internal admin
Vulnerability scanning (CodeQL, OSV, pip-audit, gitleaks)
Pre-commit secret scanning to prevent credential leaks
Multi-factor authentication for administrative access
Quarterly security review and penetration testing (subject to budget)
Documented incident response procedure and 72-hour breach notification SOP

For full TOMs, see DPA Annex 2 (available to enterprise customers).

11. Data breaches

In the event of a personal-data breach likely to result in a risk to your rights and freedoms, we will:

Notify the competent supervisory authority within 72 hours of becoming aware (GDPR Art. 33).
Notify affected data subjects without undue delay if the risk is high (GDPR Art. 34).
Maintain a register of all breaches for our records.

We carry cyber-insurance to support response and remediation.

12. Cookies

See our Cookie Policy. Summary: we use only essential security cookies; our analytics is cookieless (Plausible).

13. Marketing communications

We may send you transactional emails (order confirmations, billing notices, security alerts) as necessary to operate the Service — you cannot unsubscribe from these while you have an active account.

Marketing communications (newsletters, product announcements) require your separate consent. You may withdraw consent at any time via the unsubscribe link in any marketing email.

14. Updates to this Privacy Policy

We may update this Privacy Policy from time to time. Material changes will be communicated by:

Email to active subscribers
Banner in the application
Updated Last Updated date and Version field at the top

For material changes affecting how we process your data, you will be asked to review and re-accept; if you decline, you may delete your account before the changes take effect.

The version you accepted is recorded against your account.

15. Contact

Privacy / data protection: privacy@noparrot.com
Security disclosures: security@noparrot.com
Legal: legal@noparrot.com
General contact: support@noparrot.com
EU Representative: not yet appointed — NoParrot does not currently target EU data subjects (a representative will be appointed before offering services in the EU)
UK Representative: not yet appointed — NoParrot does not currently target UK data subjects (a representative will be appointed before offering services in the UK)
Right to lodge a complaint with a supervisory authority:
- EU: https://edpb.europa.eu/about-edpb/board/members_en
- UK: https://ico.org.uk/
- California: https://oag.ca.gov/privacy/ccpa

This Privacy Policy is provided in plain English. Translations may be provided for convenience; in case of discrepancy, the English version prevails.