Legal

Privacy Policy

Last updated:

Controller pursuant to Art. 4 No. 7 GDPR

Steven Braun
Voltastr. 1
30165 Hannover
Germany
Email: info@memo2text.de
Website: www.memo2text.de

1. Fundamentals

Memo2Text is a WhatsApp-based service for automatic transcription and summarization of voice messages using Artificial Intelligence (AI).

  • Free version: 2 transcriptions upon registration
  • Premium subscription: Unlimited use (paid via Stripe)

The protection of your personal data is our highest priority.

1.2 Age Restriction

Use of Memo2Text is only permitted for persons aged 16 years or older.

By giving consent, you confirm that you are at least 16 years old.

2. Consent Before Use

2.1 Consent Requirement

Before first use, you must expressly consent that:

  • Your voice messages will be processed for transcription on our servers at Hetzner (Germany) and/or Microsoft Azure (Sweden/Norway, EU)
  • The transcripts will be transmitted to Microsoft Azure OpenAI (Sweden/Norway, EU) for AI processing
  • Your phone number will be stored on our servers
  • Your data will be transmitted to the mentioned third-party providers (WhatsApp, Stripe)
  • The WhatsApp Business API is NOT end-to-end encrypted and Meta Platforms can read your message content (including voice messages)
  • You are at least 16 years old

Legal basis: Art. 6(1)(a) GDPR (consent)

2.2 Withdrawal of Consent

You may withdraw your consent at any time via WhatsApp ("WITHDRAW CONSENT") or by email to info@memo2text.de.

  • Account deletion within 7 days
  • Lawfulness until withdrawal remains unaffected
  • No further use possible after withdrawal

3. What Data Is Processed?

3.1 Required Data

Data Type | Purpose | Storage Location
WhatsApp phone number | Identification & account management | Hostinger server (Frankfurt)
Account creation date | Traceability of registration | Hostinger server (Frankfurt)
Number of credits used | Quota management | Hostinger server (Frankfurt)
Message timestamps | Technical logging | Hostinger server (Frankfurt)

Important: Voice messages and transcription content are not permanently stored.

3.2 Temporarily Processed Data

Data Type | Purpose | Processing Location | Retention
Voice message (audio) | Transcription | Hetzner (Germany) and/or Azure Whisper (Sweden/Norway, EU) | <3 seconds (immediate deletion)
Transcribed text | Summarization | Azure GPT-4.1 (Sweden/Norway, EU) | Not stored, only during processing
Summary, to-dos, replies | Output to user | Not stored | Only during processing

Privacy Highlight:

  • Audio files are immediately deleted after transcription (<3 seconds)
  • Transcripts are not stored, only used for summarization
  • All sensitive data remains in the EU (Germany/Sweden/Norway)

3.3 Additional Data for Premium Subscription

Data Type | Purpose | Processing Location
Email address | Account management, invoice delivery | Stripe (Ireland/USA)
Payment data | Payment processing | Stripe (Ireland/USA)
Invoice data | Tax obligations | Stripe + Hostinger

Legal basis: Art. 6(1)(b) GDPR (contract performance)

3.4 Log and Error Data

Data Type | Purpose | Retention
Error logs (without message content) | Technical error analysis | 90 days
System backups (phone numbers, credits) | Data backup | 30 days

3.5 Processing of Third-Party Data

3.5.1 Voice Messages from Other Persons

Memo2Text can process voice messages that originate not from the user themselves but from third parties. This may involve the voice, content, and sensitive information of these persons.

3.5.2 Legal Basis

Memo2Text processes third-party data exclusively on behalf of the user. The user is responsible for ensuring a lawful basis (consent or other GDPR basis) before forwarding and informing the affected person.

3.5.3 Processing Steps

Processing Step | Description | Legal Basis
Reception via WhatsApp | Voice message is received via WhatsApp Business API | Art. 6(1)(b) GDPR (contract with user)
Transmission to Hetzner server or Azure | Audio file is transferred to our server (Nuremberg) or Azure (Sweden/Norway) for transcription | Art. 6(1)(b) GDPR
Transcription | Whisper model creates text from audio (Germany or Sweden/Norway) | Art. 6(1)(b) GDPR
Transmission to Azure GPT-4.1 | Transcript is sent to Microsoft Azure OpenAI (Sweden/Norway, EU) for analysis | Art. 6(1)(b) GDPR
AI analysis | Creation of summary, to-dos, and reply suggestions | Art. 6(1)(b) GDPR
Return to user | Result is delivered via WhatsApp | Art. 6(1)(b) GDPR
Deletion | Audio is immediately deleted (<3s), transcripts are not stored | Art. 17 GDPR

3.5.4 User's Information Obligations

When forwarding voice messages from third parties, users must provide the following information:

  • Controller: Steven Braun, Voltastr. 1, 30165 Hannover, info@memo2text.de
  • Purpose of processing: Transcription and summarization of voice message
  • Legal basis: Art. 6(1)(a) or Art. 6(1)(f) GDPR (depending on user's basis)
  • Recipients: Hetzner (Germany), Microsoft Azure OpenAI (Sweden/Norway, EU), WhatsApp/Meta (Ireland/USA)
  • Storage duration: Audio <3 seconds (immediate deletion), transcripts not stored
  • Rights of the data subject: Access, deletion, complaint
  • Third-country transfer: Only WhatsApp (Meta) - USA with EU Standard Contractual Clauses
  • Reference to this privacy policy: www.memo2text.de/datenschutz/en

3.5.5 Rights of Affected Third Parties

Affected third parties have rights to access, deletion, and complaint to a supervisory authority. Requests should be directed to info@memo2text.de or by mail to Steven Braun, Voltastr. 1, 30165 Hannover.

Since no content is permanently stored, we can only confirm that temporary processing occurred.

3.5.6 No Verification Obligation & Measures for Violations

Memo2Text is not obligated to verify the lawfulness of forwarded voice messages. In case of violations, we reserve the right to suspend or delete user accounts, inform authorities, and take legal action.

4. Purposes of Data Processing

4.1 Service Provision

  • Account management and user identification
  • Transcription and summarization of voice messages
  • Credit quota management

Legal basis: Art. 6(1)(a), (b) GDPR

4.2 Payment Processing (Premium only)

Processing of subscriptions, invoicing, and tax documentation.

Legal basis: Art. 6(1)(b), (c) GDPR

4.3 Technical Security and Error Analysis

Fraud prevention, error analysis, and system optimization.

Legal basis: Art. 6(1)(f) GDPR

5. Data Sharing with Third-Party Providers

Hetzner (Hetzner Online GmbH, Germany)

Purpose: Server infrastructure for Whisper transcription

Transferred Data

  • Audio file of your voice message (temporary <3 seconds)
  • Technical metadata (audio length, format)

Storage Location: Data Center Nuremberg, Germany (no third-country transfer)

Privacy Features

  • Immediate deletion after transcription (<3 seconds)
  • No permanent storage
  • HTTPS/TLS encryption
  • ISO 27001 certified
  • Firewall protected

Legal basis: Art. 6(1)(b) GDPR (contract performance)

Data Processing Agreement: DPA per Art. 28 GDPR

Microsoft Azure OpenAI (EU)

Purpose: AI-based transcription (Azure Whisper) and summarization, to-do extraction, and reply suggestions (Azure GPT-4.1)

Transferred Data

  • Audio files (only for Azure Whisper transcription)
  • Transcribed text (for GPT-4.1 summarization)
  • No additional personal data beyond message content

Storage Locations

  • Primary: Microsoft Azure Sweden Central (Gävle, Sweden) - EU
  • Fallback: Microsoft Azure Norway East (Oslo, Norway) - EEA
  • Deployment Type: Data zone standard (EUR)
  • Guaranteed: All data remains in the EU/EEA
  • Excluded: No processing in the USA or other third countries

Retention Period

  • Audio files: <3 seconds (immediately deleted after transcription)
  • Transcripts: Not persistently stored, only during processing
  • Prompts & Completions: Not stored
  • Metadata: 30 days (token usage, API calls, error logs) or 0 seconds with opt-out

No Training with Customer Data

✅ Microsoft contractually guarantees that your data will NOT be used for:

  • Training OpenAI models
  • Training Microsoft models
  • Training third-party products
  • Improving Azure OpenAI models

Technical Security (Art. 32 GDPR)

  • ✅ Encryption in transit: TLS 1.3 (state-of-the-art encryption)
  • ✅ Encryption at rest: AES-256
  • ✅ Authentication: API keys (64 characters), Azure Role-Based Access Control
  • ✅ Access control: IP whitelist (authorized systems only), firewall
  • ✅ Certifications: ISO 27001, ISO 27017, ISO 27018, SOC 2 Type 2, BSI C5

Data Processing Agreement (Art. 28 GDPR)

  • ✅ Microsoft is configured as a data processor
  • ✅ Data Protection Addendum (DPA): Automatically part of Microsoft Customer Agreement
  • ✅ EU Standard Contractual Clauses: Included for theoretical third-country transfers
  • ✅ Obligations: Instruction-bound, confidentiality, TOMs, data subject rights, data breach notification

No Third-Country Transfer

  • ✅ Sweden: EU member state (GDPR applies directly)
  • ✅ Norway: EEA member state (GDPR applies via EEA Agreement)
  • ✅ EU Data Boundary: Guarantees processing only in EU/EFTA
  • ❌ No GDPR adequacy decision needed (not classified as third-country transfer)

Legal basis: Art. 6(1)(b) GDPR (contract performance)

WhatsApp (Meta Platforms Ireland Ltd.)

Purpose: Messaging platform for user communication

Transferred Data

  • Phone number (for identification)
  • Message content (incoming and outgoing)
  • Metadata (timestamps, delivery status)

Storage Location: Ireland (Meta EU headquarters) and USA (Meta Inc.)

⚠️ IMPORTANT NOTICE:

The WhatsApp Business API is NOT end-to-end encrypted.

This means:

  • Meta Platforms can technically read your message content (including voice messages)
  • This is technically necessary for the Business API (webhooks to our servers)
  • Meta commits to confidentiality according to their privacy policies

Additional Important Notes

  • Meta may process metadata for its own purposes
  • Transfer via EU Standard Contractual Clauses (Art. 46 GDPR)
  • Access by US authorities is not excluded (CLOUD Act, FISA 702)

Legal basis: Art. 6(1)(a) GDPR (consent)

Data Processing Agreement: Per Art. 28 GDPR

Stripe (Stripe Payments Europe Ltd., Ireland)

Purpose: Payment processing and subscription management (Premium only)

Transferred Data

  • Email address and name (optional)
  • Payment information
  • Billing address

Storage Location: Ireland and potentially USA

Security

  • PCI-DSS Level 1 certified
  • EU Standard Contractual Clauses (for USA transfer)

Legal basis: Art. 6(1)(b) GDPR (contract performance)

Data Processing Agreement: DPA per Art. 28 GDPR

Hostinger (Hostinger International Ltd., Cyprus)

Purpose: Hosting of server and database (n8n workflow)

Transferred Data

  • WhatsApp phone numbers, account data
  • Credits and error logs
  • System backups

Storage Location: Frankfurt am Main (no third-country transfer)

Security

  • ISO 27001 certified
  • SSL/TLS encryption
  • Firewalls

Legal basis: Art. 6(1)(f) GDPR (legitimate interest)

Data Processing Agreement: Per Art. 28 GDPR

n8n Workflow Engine (self-hosted)

Purpose: Orchestration between WhatsApp, transcription, and database

Transferred Data

  • Receives messages, manages credits, controls responses

Deployment: Hostinger server (Frankfurt)

Privacy

  • No permanent storage of message content
  • Technical orchestration only

Legal basis: Art. 6(1)(f) GDPR

6. Storage Duration

Data Type | Retention Period
Phone number & credits | Until account deletion (upon request)
Voice messages | <3 seconds (immediate deletion after transcription)
Transcripts & AI results | Not stored (only during processing)
Email & payment data (Premium) | Contract duration + 7 years (§ 147 AO)
Error logs | 90 days
System backups | 30 days
Account creation date | Until account deletion

7. Your Rights

You have the following rights under GDPR:

  • Right of access (Art. 15 GDPR)
  • Right to rectification (Art. 16 GDPR)
  • Right to erasure (Art. 17 GDPR)
  • Right to restriction of processing (Art. 18 GDPR)
  • Right to data portability (Art. 20 GDPR)
  • Right to object (Art. 21 GDPR)
  • Right to withdraw consent (Art. 7(3) GDPR)
  • Right to lodge a complaint with a supervisory authority (Art. 77 GDPR)

Competent Supervisory Authority:

The State Commissioner for Data Protection of Lower Saxony
Prinzenstraße 5
30159 Hannover
Germany

8. Data Security

Technical Measures

  • SSL/TLS encryption of website (HTTPS)
  • Encrypted API connections to all services
  • Firewall protection on Hetzner servers (IP whitelist)
  • API key authentication
  • ISO 27001 certified data centers
  • Regular security updates
  • Automatic, encrypted backups (30 days)

Organizational Measures

  • Access restriction to production data
  • Strong passwords and secret protection
  • Logging and monitoring without user content
  • Immediate audio deletion after processing
  • Regular review of data processors

9. Cookies and Tracking

9.1 Cookie Categories

Memo2Text uses different types of cookies. With our cookie banner you can choose which categories you want to allow:

🔒 Necessary Cookies (always active)

These cookies are essential for the operation of the website:

  • Session management
  • Saving cookie preferences
  • Security functions (CSRF protection)

Legal basis: Art. 6(1)(f) GDPR in conjunction with § 25 para. 2 no. 2 TTDSG

📊 Statistics Cookies (with your consent)

Help us understand how visitors interact with our website:

  • Google Analytics 4 (anonymized IPs)
  • Page views and dwell time
  • Technical information (browser, device)

Provider: Google Ireland Limited

Measurement ID: G-C4SJJQM3VE (via GTM: GTM-T9NHPKT5)

Storage duration: 2 months

Legal basis: Art. 6(1)(a) GDPR (consent)

🎯 Marketing Cookies (with your consent)

Used for relevant advertising and conversion tracking:

  • Meta Pixel (Facebook/Instagram Ads)
  • Conversion tracking
  • Custom Audiences (hashed data)

Provider: Meta Platforms Ireland Ltd.

Storage duration: 90 days

Legal basis: Art. 6(1)(a) GDPR (consent)

9.2 Google Analytics

With your consent, we use Google Analytics 4 to analyze website usage:

Processed Data

  • IP address (anonymized)
  • Device information (browser, operating system)
  • Page views and dwell time
  • Referrer URL

Privacy Configuration

  • ✅ IP anonymization enabled
  • ✅ Google Signals disabled
  • ✅ Advertising features disabled
  • ✅ Personalized advertising disabled (all regions)
  • ✅ Data retention: 2 months (minimum)
  • ✅ Consent Mode v2 implemented

Measurement ID: G-C4SJJQM3VE

Opt-out: You can disable Google Analytics in your cookie settings or use the browser add-on.

9.3 Meta Pixel (Facebook)

With your consent, we use the Meta Pixel for conversion tracking and remarketing:

Processed Data

  • Page views and events (e.g., WhatsApp clicks)
  • Browser and device information
  • IP address

Advanced Matching

To improve conversion attribution, the following data is hashed (SHA-256) and transmitted to Meta:

  • Email address (hashed)
  • First and last name (hashed)
  • Phone number (hashed)
  • Gender
  • Date of birth
  • Location data (city, postal code, country)
  • External ID

Privacy Configuration

  • ✅ Consent Mode: Pixel only loads after marketing consent
  • ✅ All personal data is hashed before transmission
  • ✅ Page automatically reloads when consent is revoked

Purpose: Optimization of Facebook/Instagram advertising, conversion measurement, and audience building

Storage location: Meta Platforms Ireland Ltd. (EU) and Meta Platforms Inc. (USA)

Third-country transfer: USA with EU Standard Contractual Clauses (Art. 46 GDPR)

Opt-out: You can disable the Meta Pixel in your cookie settings.

9.4 Cookie Management

You have full control over your cookie settings at all times:

  • Cookie banner on first visit
  • Granular selection by categories
  • Settings changeable anytime via footer link
  • Opt-out possible for all non-essential cookies

Important Notice: Tracking cookies are only set if you explicitly consent. Without your consent, only technically necessary cookies are used.

10. Third-Country Transfers Notice

10.1 Data Processing in the EU

Core processing takes place exclusively in the EU:

  • Transcription (Option 1): Hetzner server in Nuremberg (Germany)
  • Transcription (Option 2): Azure Whisper in Sweden/Norway (EU/EEA)
  • AI Processing: Azure GPT-4.1 in Sweden/Norway (EU/EEA)
  • Audio Data: Remains in the EU, not transferred to third countries
  • Transcripts: Remain in the EU, not transferred to third countries

10.2 Unavoidable Third-Country Transfers

Only the following data is transferred to third countries (USA):

WhatsApp/Meta (USA)

  • Transferred: Phone number, message content (incoming and outgoing), metadata
  • Purpose: Messaging infrastructure (technically unavoidable for WhatsApp service)
  • Safeguards: EU Standard Contractual Clauses (Art. 46 GDPR)

Stripe (USA)

  • Transferred: Email, payment data (only for Premium subscription)
  • Purpose: Payment processing
  • Safeguards: EU Standard Contractual Clauses, PCI-DSS Level 1 certification

10.3 Legal Notes

Data transfers to the USA are based on:

  • EU Standard Contractual Clauses (Art. 46(2)(c) GDPR)
  • Your consent (Art. 49(1)(a) GDPR)

Residual Risk: Despite safeguards, the level of protection may differ from the European standard. Access by US authorities (CLOUD Act, FISA 702) is theoretically possible.

Transparency Notice:

  • Audio files and transcripts are NOT transferred to the USA
  • Only messaging (WhatsApp) and payments (Stripe) involve US transfer
  • With your consent, you accept this minimized residual risk

11. No Profiling

  • No automated decision-making
  • No profiling for marketing purposes
  • No credit checks
  • No sharing with data brokers

12. Changes to This Privacy Policy

For material changes, we will notify you via WhatsApp.

Current version: www.memo2text.de/datenschutz/en

13. Contact

Email: info@memo2text.de
Website: www.memo2text.de
Postal address: Steven Braun, Voltastr. 1, 30165 Hannover, Germany

Response time: Usually within 7 days.