Privacy Policy

Last updated: 31 May 2026

This page explains, in plain English, what data Dictu collects, why, and your rights under the EU and UK GDPR. Questions: privacy@dictu.co.

1. Who is the data controller

[Dictu legal entity — e.g. "Dictu B.V."], registered at [postal address]. Privacy contact: privacy@dictu.co. We have not appointed a Data Protection Officer (below the GDPR Art. 37 threshold); the founders are responsible for privacy matters.

2. What we collect and why

Account data — your name, email, and password hash. Used to run your account and send transactional email. Kept while your account exists; deletable on request.

Event content — the speech you write and the translations we produce from it, plus the event metadata you provide (title, date, organisers, chosen languages). Used to deliver the event. Tied to the event's lifetime; deleted on event delete unless the organizer publishes it as a public archive.

Invitations — invitee first name, email, optional personal message, and chosen language. After an invite is claimed, declined, revoked, or expires (14 days from sending), the row is kept for a 30-day grace period and then hard-deleted by a daily clean-up job.

Billing — plan, payment status, VAT number, transaction IDs. Cardholder data never reaches us — Paddle collects it directly inside their checkout iframe. Kept for 7 years per fiscal-record obligations.

Analytics — aggregate page views and coarse device/region rollups, only when you've accepted the cookie banner. No advertising or user-ID features. Retained for 13 months in Google Analytics.

Server logs — access logs, error traces, and rate-limit counters, kept for 30 days for reliability and abuse prevention.

Lawful bases under Art. 6 GDPR: contract for account, event content, invitations, and billing (Art. 6(1)(b)); legal obligation for billing/VAT records (Art. 6(1)(c)); legitimate interest for server logs and analytics (Art. 6(1)(f)) — you can object via the banner or by writing to us.

3. Sub-processors

We share data only with the processors below, each bound by a Data Processing Addendum. We do not sell personal data, and we do not share it for advertising.

Material changes to this list will be announced here and re-dated under "Last updated."

4. International transfers

Some sub-processors are based outside the EU/EEA (primarily the United States and the United Kingdom). For each transfer we rely on either an adequacy decision (UK), the EU-US Data Privacy Framework, or the European Commission's Standard Contractual Clauses (Decision 2021/914) supplemented with a Schrems II transfer-impact assessment.

5. Cookies

We use a small number of cookies. The ones that keep you signed in and remember your UI language are strictly necessary and load on every visit. Google Analytics loads only after you accept the cookie banner shown on your first visit; declining keeps it disabled, and we remember your choice for 180 days in a small __consent cookie. Paddle sets its own cookies inside the checkout iframe when you make a payment — those are strictly necessary for the transaction. You can clear or block cookies at any time via your browser.

6. Your rights under GDPR

You can ask us to give you a copy of your data, correct it, delete it, restrict processing, port it to another service, or object to any processing based on legitimate interest. You can withdraw any consent at any time. To exercise these rights, write to privacy@dictu.co; we will respond within one calendar month (Art. 12(3) GDPR). You also have the right to lodge a complaint with your local data-protection authority (Art. 77 GDPR) — our lead supervisory authority is [the Autoriteit Persoonsgegevens (Netherlands) — confirm with operator].

7. Special note for invited speakers and guests

If you were invited to give a speech, you don't have to create an account. A small __talk cookie lets you write and edit your speech without registering. Your name and email come from the invitation; we collect nothing else about you unless you choose to create an account.

Who can see your speech before the event: you, the event organizer (who can preview content to coordinate translations and timing), and any translator the organizer has invited for your speech's languages. Other speakers at the same event cannot see your speech. Guests cannot see anything until the event is live, unless the organizer chooses to publish the event archive afterwards.

Guests who follow along during the live event are not asked to register and we do not associate them with any personal identifier. The sync server only relays which paragraph is active — it does not see who you are.

8. Security

All traffic is served over TLS. Passwords are hashed with bcrypt. Magic-link tokens are single-use and rate-limited. Access to production data is restricted to the founders for incident response. No internet transmission is 100% secure, but we describe the safeguards in place and aim for sensible defaults.

9. Children

Dictu is not directed at children under 16. If you believe a child has provided us with personal data, write to privacy@dictu.co and we will delete it.

10. Changes to this policy

Material changes will be announced via email to active organizers and re-dated at the top of this page.

11. Contact

Privacy and GDPR rights: privacy@dictu.co. Anything else: hello@dictu.co.