Privacy + GDPR
Data we process
| Data | Purpose | Where it lives | Retention |
|---|---|---|---|
| End-user audio | Voice AI inference | Browser ↔ OpenAI (WebRTC) | Not stored |
| End-user transcripts | Analytics, debugging, audit | Supabase Postgres | 30 days default; 0–90 configurable |
| Session metadata | Billing, analytics | Supabase Postgres | 13 months |
| IP address (hashed) | Rate limiting, fraud detection | Redis | 1 hour |
| User agent | Bug diagnosis | Session metadata | 13 months |
| Customer OpenAI key | Session token minting | Supabase Postgres (encrypted) | Until deleted |
| Customer DB credentials | Query proxying | Supabase Postgres (encrypted) | Until deleted |
| OAuth refresh tokens | API access | Supabase Postgres (encrypted) | Until revoked |
GDPR roles
- Customer (you, the site operator) = Data Controller
- Spelo = Data Processor (we process on your instructions)
- OpenAI = Sub-processor (we forward audio + transcripts to them)
Lawful basis
Your visitors’ audio processing happens under one of two lawful bases:
- Consent — via the privacy notice shown before the first session
- Legitimate interest — for fraud prevention, rate limiting, security logging
For EU / UK / California visitors, consent is the most defensible basis. Don’t disable the notice.
Sub-processors
| Sub-processor | Role | Region |
|---|---|---|
| OpenAI | AI inference (audio in / text out / audio out) | US |
| Supabase | Database hosting | US (us-east-1) |
| Upstash | Redis for rate limits | US / EU |
| Cloudflare | CDN + DDoS protection | Global |
| Stripe | Billing | US |
| Resend | Transactional email | US |
| Sentry | Error tracking | US |
Full list at spelo.ai/trust/subprocessors. We notify customers 30 days before adding a new sub-processor.
Data residency
Default region: us-east-1 (Virginia).
EU residency is available on Enterprise plans (eu-west-1, Ireland). Data stays in-region; OpenAI inference routes to their EU inference endpoints.
User rights (GDPR Articles 15–22)
Right of access
Visitors can request a copy of their transcripts:
```
POST /v1/user-data/export
Authorization: Bearer vk_live_...

{ "site_id": "ab1c2d3e", "user_fingerprint": "hashed-ip-ua-abc123" }
```
We return all transcripts linked to that fingerprint. Delivery by signed URL within 30 days.
Right of erasure
```
POST /v1/user-data/delete
Authorization: Bearer vk_live_...

{ "site_id": "ab1c2d3e", "user_fingerprint": "hashed-ip-ua-abc123" }
```
Deletes:
- All transcripts matching the fingerprint
- Session metadata with PII redacted
Processed within 72 hours.
The user_fingerprint is a salted hash of IP + user-agent — not PII itself, but enough to link sessions to a specific visitor on a specific device.
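As an added example (not Spelo's own code; the page only says the fingerprint is a salted hash of IP + user-agent), here is one way to derive such a keyed fingerprint and build the request bodies for the export and delete endpoints above. The HMAC-SHA256 construction, the `hashed-ip-ua-` prefix, the 24-hex-character truncation and the `site_salt` parameter are all assumptions; the endpoint paths and body fields are the ones documented on this page.

```python
import hashlib
import hmac
import json
from typing import Tuple

# Assumption: the fingerprint is HMAC-SHA256 over "ip|user-agent", keyed with a
# per-site secret salt, truncated to 24 hex chars and prefixed like the page's
# example value ("hashed-ip-ua-abc123"). Spelo's exact construction is not documented.
FINGERPRINT_PREFIX = "hashed-ip-ua-"


def user_fingerprint(site_salt: bytes, ip: str, user_agent: str) -> str:
    """Derive a stable, non-reversible identifier for one visitor on one device.

    Keying the hash with a secret salt is what keeps the stored value from being
    PII: the IPv4 space is small enough that an unkeyed hash of ip|ua could be
    matched back to a real address by anyone holding the table. With the key held
    server-side, the value still links sessions together but does not reveal the IP.
    """
    msg = f"{ip}|{user_agent}".encode("utf-8")
    digest = hmac.new(site_salt, msg, hashlib.sha256).hexdigest()
    return FINGERPRINT_PREFIX + digest[:24]


def fingerprints_match(a: str, b: str) -> bool:
    """Constant-time comparison so fingerprint lookups don't leak via timing."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def user_data_request(action: str, site_id: str, fingerprint: str) -> Tuple[str, dict]:
    """Build the path and JSON body for the documented export / delete endpoints."""
    if action not in ("export", "delete"):
        raise ValueError("action must be 'export' or 'delete'")
    body = {"site_id": site_id, "user_fingerprint": fingerprint}
    return f"/v1/user-data/{action}", body


if __name__ == "__main__":
    # Constructed sample values; a real salt would come from a secrets store.
    salt = b"constructed-per-site-secret"
    fp = user_fingerprint(salt, "203.0.113.7", "Mozilla/5.0 (X11; Linux x86_64)")
    path, body = user_data_request("delete", "ab1c2d3e", fp)
    print("POST", path)
    print(json.dumps(body))
```

The same `(ip, user_agent)` pair yields the same fingerprint under the same salt, so an erasure request built this way matches every session that visitor had on that device; rotating the salt deliberately breaks that linkage, which is worth knowing before you rotate it.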
Right to data portability
The /user-data/export endpoint returns JSON — machine-readable by design.
Right to object / restrict processing
Set enabled_pages: [] for the affected visitor’s session (or disable the widget site-wide). Contact us if you need a programmatic per-visitor block.
Transcripts — what they contain
- Visitor’s spoken text (Whisper transcription)
- AI’s spoken text
- Function call events (what the AI did)
- Query parameters (what the AI searched for)
- Page URL at time of session
What they do not contain:
- Audio recordings (we don’t store audio)
- Your database contents
- Any PII beyond what the visitor said
Retention configuration
Dashboard → Privacy → Transcript retention → 0–90 days.
- 0 days = no transcripts stored at all. Debugging becomes harder.
- 30 days (default) = enough for debugging recent issues, short enough for most compliance requirements.
- 90 days (max) = for regulated industries with longer audit requirements.
Retention is enforced by a daily cron that deletes expired transcripts.
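To make the retention and erasure behaviour above concrete, here is an added example (not Spelo's implementation) of the daily purge and a right-of-erasure handler against an in-memory SQLite stand-in for the transcript tables. The table schema, column names and the `clamp_retention` helper are assumptions; the 0–90 day range, the "0 days = store nothing" rule and the "delete transcripts, redact session metadata" erasure semantics are taken from this page.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

MAX_RETENTION_DAYS = 90  # dashboard range is 0–90 days


def clamp_retention(days: int) -> int:
    """Keep a configured value inside the dashboard's 0–90 day range."""
    return max(0, min(MAX_RETENTION_DAYS, int(days)))


def open_store() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the Postgres tables (schema is an assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE sites (site_id TEXT PRIMARY KEY, retention_days INTEGER NOT NULL);
        CREATE TABLE transcripts (
            id INTEGER PRIMARY KEY,
            site_id TEXT NOT NULL,
            user_fingerprint TEXT NOT NULL,
            created_at TEXT NOT NULL,  -- ISO-8601 UTC, so string order == time order
            body TEXT NOT NULL
        );
        CREATE TABLE sessions (
            id INTEGER PRIMARY KEY,
            site_id TEXT NOT NULL,
            user_fingerprint TEXT,
            user_agent TEXT,
            started_at TEXT NOT NULL
        );
        """
    )
    return conn


def store_transcript(conn, site_id: str, fingerprint: str, body: str, now: datetime) -> bool:
    """Write a transcript unless the site's retention is 0 days (then store nothing at all)."""
    row = conn.execute("SELECT retention_days FROM sites WHERE site_id = ?", (site_id,)).fetchone()
    if row is None or clamp_retention(row[0]) == 0:
        return False
    conn.execute(
        "INSERT INTO transcripts (site_id, user_fingerprint, created_at, body) VALUES (?, ?, ?, ?)",
        (site_id, fingerprint, now.isoformat(), body),
    )
    return True


def purge_expired(conn, now: datetime) -> int:
    """Daily cron body: delete each site's transcripts older than its retention window."""
    deleted = 0
    for site_id, days in conn.execute("SELECT site_id, retention_days FROM sites").fetchall():
        cutoff = (now - timedelta(days=clamp_retention(days))).isoformat()
        cur = conn.execute(
            "DELETE FROM transcripts WHERE site_id = ? AND created_at < ?", (site_id, cutoff)
        )
        deleted += cur.rowcount
    conn.commit()
    return deleted


def erase_visitor(conn, site_id: str, fingerprint: str) -> dict:
    """Right-of-erasure handler: drop the transcripts, redact PII from session metadata."""
    t = conn.execute(
        "DELETE FROM transcripts WHERE site_id = ? AND user_fingerprint = ?", (site_id, fingerprint)
    ).rowcount
    s = conn.execute(
        "UPDATE sessions SET user_fingerprint = NULL, user_agent = NULL "
        "WHERE site_id = ? AND user_fingerprint = ?",
        (site_id, fingerprint),
    ).rowcount
    conn.commit()
    return {"transcripts_deleted": t, "sessions_redacted": s}


def transcript_count(conn, site_id: str) -> int:
    return conn.execute(
        "SELECT COUNT(*) FROM transcripts WHERE site_id = ?", (site_id,)
    ).fetchone()[0]


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    conn = open_store()
    conn.execute("INSERT INTO sites VALUES (?, ?)", ("ab1c2d3e", 30))
    store_transcript(conn, "ab1c2d3e", "hashed-ip-ua-abc123", "hello", now - timedelta(days=40))
    store_transcript(conn, "ab1c2d3e", "hashed-ip-ua-abc123", "hello again", now)
    print("purged:", purge_expired(conn, now))      # the 40-day-old transcript
    print("erased:", erase_visitor(conn, "ab1c2d3e", "hashed-ip-ua-abc123"))
```

Two details are easy to get wrong in a purge like this: the 0-day setting has to be enforced at write time (a nightly job that runs later would still leave transcripts readable for up to a day), and the session row is kept for billing while only the fields that identify the visitor are cleared, which is what "session metadata with PII redacted" amounts to.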
Cookies
The widget sets no third-party cookies. It uses:
- localStorage key spelo:notice:<site_id> — to remember the user accepted the privacy notice
- sessionStorage key spelo:session:<site_id> — to survive tab refresh during a call
Both are client-side only. No cookies set by the widget; no tracking across sites.
CCPA
California Consumer Privacy Act applies identically — Spelo does not “sell” personal information. The right-of-access and right-of-erasure endpoints above satisfy CCPA Section 1798.100 / 1798.105.
DPA (Data Processing Agreement)
Standard DPA available at spelo.ai/trust/dpa.pdf. Countersign yourself and email to legal@spelo.ai — we return signed within 5 business days.
Enterprise customers get custom-negotiated DPAs on request.
Recommendations for your privacy policy
Add these lines under the “Third parties we share data with” section:
```
Voice AI (Spelo + OpenAI): When you interact with our voice assistant, your audio is sent to Spelo and OpenAI for processing. We do not store your audio. Transcripts are retained for up to [30] days.

Spelo DPA: https://spelo.ai/trust/dpa.pdf
OpenAI DPA: https://openai.com/policies/data-processing-addendum
```
Children’s privacy
Spelo does not knowingly process data from children under 13 (COPPA) or 16 (GDPR). If your site is directed at children, contact us — we have not cleared this product for children’s use.
International transfers
Data routes US → EU / UK → US routinely (OpenAI’s inference is US-based). Transfers rely on:
- EU Standard Contractual Clauses (SCCs) — included in our DPA
- UK International Data Transfer Addendum
- Data Privacy Framework (DPF) (OpenAI is certified)