SpokenLeaf

Privacy Policy

Last updated: July 18, 2026

SpokenLeaf turns speech into notes that live on your device, not on our servers. This policy explains, in plain language, the small amount of data we do keep, the data that never leaves your device unless you ask it to, and the choices you have.

The short version: your notes, recordings, tasks, folders, and images are stored on your device — we never receive or store their contents. On our servers we keep only what's needed to run your account and billing: your email and sign-in, your plan and billing status, and how many transcription minutes you've used. Optional AI features send just what's needed to a processor to do the work, and only when you invoke them.

1. Who we are

SpokenLeaf is operated by Infinite Source Agency Inc. (“we”, “us”, or “our”), a company based in Ontario, Canada. For additional contact details, see infinitesource.agency. For the purposes of the EU General Data Protection Regulation (GDPR), the UK GDPR, and similar laws, we are the “data controller” for the limited account-related data described below.

If you have any question about this policy or your data, contact us at support@spokenleaf.com.

2. Where your data lives (our model)

SpokenLeaf is built to be local-first. Understanding two places is the key to this whole policy:

On your device

Your notes, task lists, folders, recordings and audio, and image attachments are created and stored on your device, inside your browser (using in-browser storage). We do not receive them, we do not store them on our servers, and we cannot read them. Because they live on your device, they don't automatically follow you to another browser or device, and clearing your browser's data will remove them. To keep a copy you own, you can export your notes or, on Pro, back them up to your own cloud storage.

On our servers

When accounts are enabled, we store only the minimum needed to run sign-in and billing — never the contents of your notes. Your account is your key for sign-in and billing, not a vault that holds your notes.

SpokenLeaf is not end-to-end encrypted, and we don't claim to be. Data is encrypted in transit and at rest by the services we use, but this is not zero-knowledge encryption.

3. What we store on our servers

If you create an account, the only personal data we hold on our servers is:

  • Account & sign-in — your email address and authentication details, managed by our authentication provider (Supabase Auth).
  • Plan & billing status — your subscription tier and status, and billing identifiers held by our payments provider (Stripe). We do not store your full card number; Stripe handles payment details.
  • Transcription usage — the number of transcription minutes you've used, so we can apply your plan's limits. This is a count of minutes, not the content of what you transcribed.

We never store your notes, recordings, tasks, folders, or images on our servers.

If you use SpokenLeaf without an account (local-only mode), we store no personal data about you on our servers at all.

4. What stays on your device

The following never reaches our servers and is never collected by us. It lives on your device until you delete it or clear your browser:

  • The content of your notes and task lists
  • Your folders and their organization
  • Your recordings and their audio
  • Images you attach to notes
  • App preferences (such as theme, selected microphone, and interface settings)

You are in control of this data. You can export it at any time (as JSON, on any plan) and delete it from your device whenever you like.

5. Optional AI features and data egress

Some SpokenLeaf features use third-party AI processors. These features are optional and always initiated by you. If you never use them, none of the data below leaves your device.

Transcription (audio → AssemblyAI)

When you transcribe a recording, your audio is sent to AssemblyAI to produce a transcript. AssemblyAI is a SOC 2-audited processor. The audio is automatically deleted after about a day (subject to normal processing lag), and we have opted SpokenLeaf out of AssemblyAI model training, so your audio is not used to train their models.

AI insights & task extraction (text → Perplexity)

When you use AI insights or task extraction, the relevant note or transcript text is sent to Perplexity's Sonar API to do the work. Perplexity operates the Sonar API under a zero-data-retention policy: it keeps none of the text you send and never uses it to train its models. Perplexity is SOC 2 Type II-audited.

These AI paths are not end-to-end encrypted — the processors must be able to read the data in order to process it and return a result. We show a short, contextual note at each AI touchpoint before you use it.

6. Service providers

We use a small set of reputable service providers (subprocessors) to run SpokenLeaf. Each processes data only as needed to provide their service:

  • Supabase — account authentication and the database that stores your account, plan, and usage data.
  • Stripe — payment processing and subscription billing.
  • AssemblyAI — audio transcription (only when you transcribe).
  • Perplexity — AI insights and task extraction over text (only when you use those features).
  • Sentry — error monitoring and session replay, to diagnose crashes and bugs.
  • Vercel — hosting and delivery of the application.

We will update this list as our providers change. If we launch native mobile apps in the future, any app-store billing providers we use at that time will be disclosed here.

7. Cookies and on-device storage

SpokenLeaf uses cookies and in-browser storage only for functional purposes — never for third-party advertising or cross-site tracking:

  • Authentication & session cookies (Supabase) to keep you signed in.
  • Payment & fraud-prevention data used by Stripe during checkout and billing.
  • Error-monitoring data used by Sentry to diagnose issues.
  • On-device app data (in-browser storage) that holds your notes and preferences on your device. This is functional storage, not tracking.

We do not sell your data and we do not run third-party ad tracking.

9. Your rights

EEA / UK (GDPR & UK GDPR)

You have the right to access, correct, delete, restrict, or object to our processing of your personal data, and the right to data portability. You may also withdraw consent for optional AI features at any time by not using them.

California (CCPA / CPRA)

California residents have the right to know what personal information we collect, to request deletion, to correct inaccurate information, and to not be discriminated against for exercising these rights. We do not sell or share your personal information as those terms are defined under the CCPA/CPRA.

Canada (PIPEDA)

If you are in Canada, you have the right to access the personal information we hold about you and to challenge its accuracy, and you may withdraw consent subject to legal and contractual limits.

How to exercise your rights

Because your notes live on your device, you already control most of your data directly:

  • Export — export your notes as JSON at any time, on any plan, from within the app.
  • Delete — delete your account and its server-side data from your account page. This also clears the app data stored on that device.
  • Contact us — for any other request, email support@spokenleaf.com. We may need to verify your identity before acting on a request.

You also have the right to lodge a complaint with your local data protection authority.

10. Data retention

We keep your account, plan, and transcription-usage data for as long as your account is active. When you delete your account, we delete this server-side data and cancel any active subscription. Audio sent to AssemblyAI is auto-deleted after about a day; text sent to Perplexity is not retained. Limited billing records may be kept where required by law.

Data stored on your device stays there until you delete it, clear your browser, or delete your account.

11. International data transfers

Our service providers may process the limited account data described above in countries outside your own, including the United States. Where required, we rely on appropriate safeguards (such as Standard Contractual Clauses) offered by these providers under their data processing terms.

12. Children's privacy

SpokenLeaf is not directed to children under 13 (or the minimum age required in your jurisdiction), and we do not knowingly collect personal data from them. If you believe a child has provided us with personal data, contact us and we will delete it.

13. Security

We use reputable providers with strong security practices, and data is encrypted in transit and at rest by those providers. No system is perfectly secure, and SpokenLeaf is not end-to-end encrypted. For a copy of your notes that you control, use export or Pro cloud backup.

14. Changes to this policy

We may update this policy from time to time. When we make material changes, we'll update the “Last updated” date above and, where appropriate, notify you in the app.

15. Contact us

Questions, requests, or concerns about your privacy? Email us at support@spokenleaf.com. The Service is operated by Infinite Source Agency Inc.; for additional contact details, see infinitesource.agency.