Quick Check: GDPR, Encryption & Privacy Policy

Question

Letterly Team,\u000a\u000aCould you please clarify your underlying infrastructure and whether it aligns with GDPR principles?\u000a\u000aFor those of us handling sensitive info, it’d be helpful to know:\u000a\u000a1. Are audio/transcripts encrypted in transit and at rest?\u000a2. Is there an access control policy? Can staff or subprocessors access data?\u000a3. Any plans to update the Privacy Policy to reflect GDPR and clarify data handling?\u000a4. Do you offer a DPA or internal GDPR\u002Daligned documentation?\u000a5. Is there a data retention policy or auto\u002Ddeletion feature?\u000a6. Have any security standards or breach notification processes been implemented?\u000a\u000aTotally understand it’s a big task for a startup — just keen to know where you\u0027re at and how you’re approaching data protection.\u000a\u000aThanks!

Anton_Letterly · Answer

Hi Ida, thanks for your questions! Please find the answers:\u000a\u000a1. All audio and text notes are encrypted both in transit (via HTTPS/TLS) and at rest. Encryption keys are stored separately in a secure environment and can only be accessed through a controlled, multi\u002Dstep validation process.\u000a\u000a2. We have strict access controls in place. Access to user content is highly limited and governed by internal policies. The only external subprocessor we use is OpenAI, which temporarily processes notes for rewriting or transcription. This data is not used to train their models.\u000a\u000a3. We’re updating our Privacy Policy to better reflect our GDPR alignment. While our documentation may still be evolving, our internal data practices are already designed with strong privacy and security in mind.\u000a\u000a4. We’re working on making a Data Processing Agreement (DPA) available and expect to publish it soon. Internally, we already follow GDPR\u002Daligned practices.\u000a\u000a5. We retain user data for up to 12 months to support core functionality. Upon request, all data can be deleted within 24 hours (usually faster). Automatic deletion is planned and will be available in one of the next releases.\u000a\u000a6. We haven’t completed formal certifications yet, but we follow security best practices and are working on a clear breach response process.

planetcreation · Answer

In a previous answer you stated \u0022The data is saved both on the server and locally. In the future, we’re planning to add a feature that lets you delete it locally and keep it only on the server.\u0022 However answer to point 5, my understanding is that our voice notes are stored on your EU servers for 12 months after which it will be deleted (when the automatic deletion is implemented)? Please clarify.

Letterly

Share Letterly

Related questions