PRIVACY POLICY • AICHE TECHNOLOGIES

Effective Date: January 14, 2026

0) Our Privacy Scorecard (At a Glance)

This summary is for convenience only. It does not replace the full Privacy Policy. The full policy controls.

🚫 We don't store what you say. Ever. Your voice and text are processed using temporary files that are immediately and securely deleted.
💳 We only keep your account & billing info. This is the absolute minimum we need to run the service and comply with the law.
🛡️ We don't sell your data or use it for ads. No selling, no sharing for marketing.
🔒 Your content is never used for AI training.
View our Live Trust Center →

1) Who We Are & The Scope of This Policy

Company Information

Company: AICHE Technologies, LLC Jurisdiction of Incorporation: Delaware, USA Privacy Contact: [email protected]

DPO and EU/UK Representative

As a U.S.-based company at our current scale, a formal Data Protection Officer is not required under GDPR. For all privacy matters, you can contact our dedicated privacy team directly at [email protected]. We will appoint a formal EU/UK representative if and when our scale of operations requires it.

Applicability

This policy applies to your use of:

• The AICHE website (aiche.app and subdomains)
• Desktop applications (Windows, macOS, Linux)
• Obsidian Plugin (AICHE Voice for Obsidian)
• APIs and developer tools
• Any related services (collectively, the "Service")

Important Distinction:

• Website: Uses standard web analytics for improvement
• Desktop Apps: No analytics, no tracking, complete privacy
• Obsidian Plugin: Same privacy model as desktop apps

User Categories

• Individual Users: Personal accounts without business agreements
• Business/Enterprise Users: Organizations with business agreements and DPAs

Our Roles (under GDPR)

• For Individual Users: We act as the Data Controller for all personal data we collect
• For Business/Enterprise Users: We act as a Data Processor for content processed under a Data Processing Addendum (DPA)

2) The Three Buckets: How We Handle All Data

To be radically transparent, all data we interact with falls into one of three simple buckets.

Bucket 1: Account & Billing Data (to run your account)

This is the only personal data about you that we keep long-term.

Bucket 2: Temporary Content Data (to provide the service to you)

• What it is: The audio stream of your voice and its resulting text transcription
• Why we need it: To perform the core speech-to-text function of the Service
• Retention: Your audio is deleted immediately after transcription. Text transcripts are retained temporarily for your convenience, then automatically cleared. We never use any of this data to train AI models or for any other purpose.

Bucket 3: Operational Data (to fix and secure the service)

• What it is:
  • Minimal, anonymized service metadata (timestamps, error codes-never your text/audio)
  • Website analytics (page views, referrers-only on aiche.app, not in desktop apps)
  • Support communications you send us
• Why we need it: To monitor service health, improve the website, and provide support
• Retention:
  • Anonymized logs: Rotated every 30-90 days
  • Support tickets: Up to 24 months
  • Website analytics: Per Google Analytics retention settings

3) The Temporary Processing Flow: Our Technical Privacy Guarantee

The Data Journey

1. Your Device (mic captures audio)
2. → Encrypted Transit (TLS 1.3+)
3. Our Secure Temporary Processing (brief file creation)
4. → Encrypted Transit (TLS 1.3+)
5. Your Device (text returned/pasted into your active application)
6. PURGED (all temporary files permanently erased from our servers)

Our Core Pledges

• No Long-Term Storage: Your content uses temporary files during processing but is permanently erased immediately after completion
• No AI Training: We strictly prohibit the use of your content to train any AI models
• No Human Review: The process is fully automated. No human ever sees or hears your content
• Desktop App Privacy: Our desktop applications contain no analytics, no trackers, no telemetry

4) Sharing & Subprocessors

We use a small number of trusted service providers ("Subprocessors") to operate AICHE. We will never sell your personal information.

Infrastructure & Processing

• Groq Inc.: AI inference for speech-to-text (processes temporarily, no retention)
• Hetzner & DigitalOcean: Server infrastructure
• Stripe: Payment processing (PCI-compliant)

Website-Only Services

• Google Analytics: Website visitor analytics (not used in desktop apps)
• Marketing pixels: May include Facebook, LinkedIn for website advertising (not in apps)

Trust Center

A current and detailed list of our subprocessors is maintained on our Trust Center.

5) Your Privacy Rights & Controls

We believe you should have simple, powerful control over your information.

Your Privacy Dashboard (in Account Settings)

🔍 See Your Data: Export a complete copy of your Account & Billing information
✏️ Fix Your Data: Update your name or email address in Profile Settings
🗑️ Delete Your Data: Permanently erase your Account & Billing information (subject to legal retention)
✋ Manage Communications: Control which emails you receive

Your Additional Rights

You may also have the right to:

• Object to or restrict certain processing
• Data portability
• Withdraw consent for optional processing
• Lodge a complaint with supervisory authorities

To exercise any rights, contact [email protected]. We'll respond within 30 days.

5a) Cookies & Tracking

Website (aiche.app)

Our website uses:

• Essential cookies: For session management and security
• Analytics cookies: Google Analytics to understand visitor behavior
• Marketing cookies: May include advertising pixels for remarketing
• You can control these through your browser settings

Desktop Applications

Our desktop apps use:

• No cookies
• No analytics
• No tracking pixels
• No telemetry
• Complete privacy by design

Obsidian Plugin

When you use AICHE Voice for Obsidian:

Data Collection:

• Audio recordings are sent to AICHE servers for transcription
• Device information: device ID, operating system, app version
• Authentication tokens stored locally in your Obsidian vault

Data Processing:

• Audio is processed and immediately deleted after transcription
• Transcribed text is returned directly to your device
• We do not store your transcriptions on our servers

Offline Mode:

• Failed recordings are encrypted locally using AES-GCM
• Encrypted audio is stored in your vault until successfully uploaded
• Once uploaded and processed, local encrypted data is deleted

Authentication:

• OAuth flow via obsidian://aiche-auth protocol handler
• Tokens encrypted at rest using Web Crypto API
• Session can be revoked from account settings

Third-Party:

• The Obsidian plugin interacts only with AICHE servers (api.aiche.app)
• No data is shared with Obsidian or third parties

iOS App

When you use AICHE on iOS or watchOS:

Data Handling:

• Audio is deleted immediately after transcription
• Text transcripts remain on your device under your control
• Your device's backup feature (iCloud, etc.) may include app data. Configure your backup settings according to your privacy preferences
• You can delete all transcripts and history anytime from the app settings

Future Changes

If we ever add crash reporting to desktop apps, it will be:

• Strictly opt-in
• Fully anonymized
• Announced 30 days in advance

5b) U.S. State Privacy Rights & Disclosures

For Residents of California and other applicable states

• Categories of Data: Account & Billing Information (Bucket 1), and website analytics if you visit aiche.app
• Do Not Sell or Share: We do not "sell" your personal information. We may "share" website visitor data for advertising (you can opt out via browser settings)
• Sensitive Information: We do not collect or process "sensitive personal information" to infer characteristics about you
• Your Rights: You have the right to know, delete, and correct your information via the Privacy Dashboard or by contacting [email protected]

6) Our Legal Bases for Processing (GDPR)

Legitimate Interests Balancing Test (Security)

When we rely on Legitimate Interests for security and fraud prevention, we perform a balancing test to ensure our interests don't override your fundamental rights and freedoms. We:

• Assess necessity and proportionality
• Minimize data collection (no storage of audio/transcripts)
• Implement strong safeguards (encryption, access controls, limited retention)
• Provide you the ability to object by contacting [email protected]

A high-level summary of this assessment is available on our Trust Center.

Website vs Desktop App Processing

• Website visits: We have a legitimate interest in understanding how visitors use our site
• Desktop app usage: Processing is strictly necessary for service delivery under our contract with you
• The key difference: You can browse our website without an account (analytics apply), but the desktop app requires an account and processes only what's needed for transcription

7) Security & Incident Response

We implement industry-standard measures to protect your data:

• Encryption: TLS 1.3+ in transit, AES-256 for any local storage
• Access controls: Role-based access, principle of least privilege
• Regular audits: Security assessments and penetration testing
• Secure development: Code reviews and security scanning

Incident Response Timeline Commitments

Detection & Triage: We continuously monitor for suspicious activity. Once aware of a potential incident, we initiate triage within 24 hours.

Containment & Assessment: We aim to contain confirmed incidents promptly and assess impact as quickly as possible.

Notification to Authorities: Where legally required (e.g., GDPR), we'll notify the relevant supervisory authority within 72 hours of becoming aware of a personal data breach.

Notification to Affected Users: We'll notify affected users without undue delay when a breach is likely to result in high risk to their rights and freedoms-generally within 72 hours of confirming material impact.

Status Updates: We'll provide follow-up updates as material information becomes available, and a final summary after closure.

Note: These timelines apply except in cases of force majeure or circumstances beyond our reasonable control.

Security Reporting

Report security issues to: [email protected]

• We appreciate responsible disclosure
• Please allow reasonable time for fixes before public disclosure
• Security researchers may be eligible for acknowledgment

8) International Data Transfers

We're based in the United States. Here's how we handle international data:

Account & Billing Data

• Processed in the US under appropriate safeguards
• Standard Contractual Clauses for EU/UK users
• Other valid mechanisms as applicable by region

Temporary Content Processing

• May be processed in data center region closest to you for performance
• Remember: It's deleted immediately after processing (typically under 30 seconds)
• No long-term storage means minimal transfer risk

Website Analytics

• Google Analytics may process data according to their policies
• You can opt out via browser settings or Google's opt-out tools

For more information, see our Trust Center and any region-specific disclosures we publish.

9) Children's Privacy

Our Policy

• Service not directed to individuals under 13 (or 16 in EU/UK)
• We don't knowingly collect personal information from children
• If we learn a child provided information, we'll delete it promptly

For Parents

If you believe your child has provided us with personal information:

• Contact us immediately at [email protected]
• We'll verify and delete the information
• We'll prevent future access if appropriate

Age Verification

• We rely on users to provide accurate age information
• Business/Enterprise accounts are responsible for ensuring their users meet age requirements

10) Law Enforcement Requests

Our Stance

• We require valid legal process (e.g., court order) for any user data request
• We don't store audio or transcription content, so we have no content to provide
• We'll challenge overly broad or improper requests when appropriate

What We Can Provide

Since we only retain minimal data:

• Can provide: Account email, subscription status, billing records
• Cannot provide: Voice recordings, transcriptions, content history (we don't have it)

Transparency Commitment

We publish periodic transparency reports on our Trust Center including:

• Number of requests received by type and jurisdiction
• Number of accounts identified in requests
• Our compliance/rejection rate
• Confirmation that no content data was provided (as we don't store it)
• Number of requests we challenged

Warrant Canary

We maintain a warrant canary statement in our Trust Center. A warrant canary is a periodic statement that, as of a given date, we have not received certain kinds of secret legal demands. If the canary is removed or not updated on schedule, it may indicate a change in circumstances.

Note: Legal restrictions may limit what we can say. A missing canary is not definitive proof of any specific event.

11) Common Privacy Questions (FAQ)

Q: Can any AICHE employee listen to my recordings? A: No. We don't retain your recordings or transcripts after processing, so there's nothing for anyone to access or review.

Q: Do you use my voice or text to train your AI? A: Never. Our privacy-by-design architecture and contracts with AI providers prohibit this.

Q: Is AICHE more private than on-device tools? A: We offer a different model with similar privacy outcomes. On-device tools keep data local; our temporary cloud processing ensures data is deleted immediately after use, while letting you benefit from powerful cloud AI.

Q: Why does the website have analytics but the desktop app doesn't? A: Our website needs analytics to improve user experience and measure marketing effectiveness. Our desktop app is built for absolute privacy-what happens on your device stays on your device (except for the brief processing moment).

Q: What happens to my data if I'm offline? A: The desktop app queues recordings locally in encrypted storage. When you're back online, they're processed and immediately deleted from our servers as usual. The local queue is also cleared after successful processing.

Q: Can I use AICHE for confidential business conversations? A: Yes. Since we don't store content after processing, your confidential information remains confidential. For enterprise needs, we offer additional contractual protections via our Business agreements.

12) Changes to This Policy & Contact Us

Policy Updates

If we make material changes to this policy, we will:

• Provide at least 30 days' notice via email or in-app notification
• Update the "Last Updated" date at the top
• Maintain a change log on our Trust Center
• For changes affecting Core Pledges, seek explicit consent

Types of Changes

• Minor changes (typos, clarifications): Updated without notice
• Material changes (new data uses, new subprocessors): 30-day notice
• Critical changes (affecting core privacy promises): Require your consent

Contact Information

For any questions about this policy or to exercise your privacy rights:

Email: [email protected]
Response time: Within 30 days (sooner for urgent matters)
Languages: English (primary), other languages as available

For other inquiries:

• Security issues: [email protected]
• General support: [email protected]
• Legal matters: [email protected]
• Business inquiries: [email protected]

13) Automated Decision-Making

Current State

We do not make decisions based solely on automated processing that produce legal or similarly significant effects for you within the meaning of GDPR Article 22.

What Our AI Does

• Transcribes speech to text: A tool you control
• Enhances text: Only when you request it
• Does NOT: Make decisions about you, profile you, or determine your access to services

Your Control

• You review and edit all outputs before use
• You decide whether to accept AI suggestions
• The AI is a tool, not a decision-maker

Future Changes

If we ever introduce automated decision-making that affects your legal rights or status:

• We'll provide clear advance notice
• Explain the logic involved
• Offer human review options
• Update this policy before implementation

14) Additional Disclosures & Regional Rights

For European Economic Area (EEA) and UK Residents

• Legal basis for processing: See Section 6
• Data Protection Authority: You may lodge complaints with your local DPA
• Transfers: Standard Contractual Clauses for data transfers to the US

For California Residents

• CCPA Rights: See Section 5b
• Shine the Light: We don't share data with third parties for their direct marketing
• Do Not Track: Our website responds to browser DNT signals

For Other Regions

We extend core privacy rights to all users regardless of location:

• Access to your data
• Correction capabilities
• Deletion options
• Portability features

Check our Trust Center for region-specific information.

15) Data Retention Summary

16) Privacy Policy Interpretation

Guiding Principles

This Privacy Policy should be interpreted:

• In favor of user privacy when ambiguous
• Consistently with our Core Pledges
• Reasonably and in good faith
• With recognition that desktop apps and website have different privacy models

Conflicts

If there's a conflict between:

• This policy and our Terms of Service: This policy controls for privacy matters
• This policy and a Business Agreement: The Business Agreement controls for that customer
• Different language versions: The English version controls

Severability

If any provision of this Privacy Policy is found unenforceable:

• That provision will be limited to the minimum extent necessary
• All other provisions remain in full effect
• We'll update the policy to address the issue when feasible

Summary: Your Privacy at AICHE

What We Don't Do ❌

• Store your voice or transcriptions
• Train AI on your content
• Sell or share your personal data
• Track you in our desktop apps
• Allow human review of your content

What We Do ✅

• Process your content temporarily (deleted in seconds)
• Keep minimal account data to run the service
• Use website analytics to improve aiche.app
• Maintain complete privacy in desktop apps
• Give you control over your data

The Bottom Line

Website visitors: Standard website privacy (analytics, cookies)
Desktop app users: Maximum privacy (no tracking, temporary processing only)
Everyone: Your content is yours, processed temporarily, never stored

Questions? Contact [email protected]

Want details? Visit our Trust Center at https://trust.aiche.app