Formal DPA: This page serves as Cleft’s official Data Processing Agreement for all customers and compliance teams, while also providing transparent information for all users.
Last Updated: September 10, 2025
Effective: September 10, 2025

Data Processing Agreement

This document serves as both our user-friendly data transparency guide and our formal Data Processing Agreement (DPA) for customers requiring compliance documentation.

Data Controller/Processor Relationship

Roles & Responsibilities

You (Data Controller): You control the personal data in your notes, recordings, and accountCleft (Data Processor): We process your data solely to provide voice-to-text services as instructed by youLegal Basis: Processing based on legitimate interests (service provision) and consent where applicable
Key Principle: We only collect and process data that’s essential for delivering our service. Your content is never used for training AI models or shared with advertisers.Complete Vendor List: This DPA covers our key data processors. For our complete list of all 37 vendors (including business operations vendors that handle no personal data), see our Vendor Transparency page.

Data Categories & Usage

Audio Recordings

Your Voice Recordings

What We Collect: Audio files when you press recordHow It’s Processed:
  1. Local Storage: Audio stays on your device during recording
  2. Device Transcription: Processed locally using OpenAI’s Whisper model
  3. Cloud Backup: Audio files uploaded to AWS for 1-hour temporary access
  4. Permanent Storage: Moved to secure AWS storage after 1 hour
  5. Download Access: Available for download anytime via the app
Who Has Access:
  • AWS (hosting only - no content access)
  • You (full ownership and download rights)
Retention: Kept for 2 years after your last login, then securely deleted

Transcripts & Text

Transcribed Text

What We Collect: Text versions of your audio recordingsHow It’s Processed:
  1. Device Creation: Generated locally on your device
  2. AI Enhancement: Text sent to AI providers for note processing
  3. Cloud Sync: Stored on AWS for cross-device access
  4. User Access: Available in-app and via export
Who Has Access:
  • OpenAI (primary AI processing - text only, never audio)
  • Groq (backup AI processing - text only)
  • Anthropic (additional AI processing - text only)
  • AWS (hosting only - no content access)
Important: AI providers receive only text, never your audio recordings. Your data is never used to train their models.

Account Information

Profile & Settings

What We Collect:
  • Email address (for authentication)
  • Display name
  • App preferences and settings
  • Device information (for sync)
How It’s Used:
  • Authentication: Secure login via email
  • Sync: Cross-device note synchronization
  • Support: Customer service assistance
  • Communications: Service updates and newsletters (opt-in)
Who Has Access:
  • AWS (secure hosting)
  • HubSpot (customer support interactions only)
  • Mailerlite (newsletter delivery - opt-in only)
  • 1Password (internal team password management only)
Control: You can export, modify, or delete this data anytime

Website & Forms

Contact Forms & Website

What We Collect:
  • Form submissions on our website
  • Contact requests and support inquiries
  • Scheduling information for consultations
How It’s Used:
  • Customer Support: Responding to inquiries and requests
  • Scheduling: Coordinating onboarding calls and consultations
  • Website Hosting: Maintaining our public-facing website
Who Has Access:
  • Webflow (website hosting and form submissions)
  • Fillout (form building and data collection)
  • Namecheap (domain registration and DNS management)
  • Cloudflare (CDN and website performance)
Purpose: These vendors help us maintain our website and respond to customer inquiries

Integration & Automation

Workflow Automation

What We Collect:
  • Integration data flows you configure
  • Automated workflow triggers
  • Connected app permissions
How It’s Used:
  • User Integrations: Connecting Cleft with your other tools
  • Automation: Streamlining workflows as configured by you
  • Data Export: Sending your notes to destinations you choose
Who Has Access:
  • Zapier (workflow automation - only data flows you configure)
Control: You configure all data flows and can disable integrations anytime

Usage Analytics

App Performance Data

What We Collect:
  • Feature usage patterns (anonymous)
  • App performance metrics
  • Crash reports (no personal content)
  • Documentation page views
How It’s Used:
  • Product Improvement: Understanding which features are most valuable
  • Bug Fixes: Identifying and resolving technical issues
  • Performance: Optimizing app speed and reliability
Who Has Access:
  • Fathom Analytics (website analytics only - privacy-focused)
  • TelemetryDeck (in-app anonymous analytics - no PII collected)
  • Sentry (crash reporting - no personal data)
  • Metabase (internal analytics - aggregated data only)
Privacy: All analytics are anonymous and contain no personal content or notes

Payment Information

Billing & Subscriptions

What We Collect:
  • Subscription status
  • Purchase history
  • Payment method (handled by Apple/Stripe)
How It’s Processed:
  • Apple App Store: Handles all iOS subscription billing
  • Stripe: Processes web payments (we don’t see card details)
  • RevenueCat: Manages subscription status and analytics
Important: We never see or store your actual payment details (card numbers, etc.). This is handled entirely by secure payment processors.Who Has Access:
  • Apple (iOS subscriptions)
  • Stripe (web payments - PCI compliant)
  • RevenueCat (subscription management)

Data Flow Diagram

Your Data Rights

Full Ownership

You Own Everything
  • All notes, transcripts, and audio files
  • Complete export available anytime
  • Delete individual items or entire account
  • No vendor lock-in - portable data

Complete Control

Granular Permissions
  • Choose which features to sync
  • Control communication preferences
  • Manage integration permissions
  • Request specific data deletion

Transparency

Full Visibility
  • Know exactly who processes your data
  • See all vendor relationships
  • Access data processing agreements
  • Review security certifications

Privacy by Design

Built-in Protection
  • No advertising or tracking
  • No data sales to third parties
  • No AI training on your content
  • GDPR & CCPA compliant

Data Minimization

We follow strict data minimization principles:
  • Only Essential Data: We collect only what’s needed for core functionality
  • Purpose Limitation: Data used only for stated purposes
  • Retention Limits: Automatic deletion after 2 years of inactivity
  • Access Controls: Vendor access limited to necessary functions only

DPA Compliance & Audit Rights

Compliance & Audit Rights

Audit Rights: Customers have the right to audit our data processing activities upon reasonable noticeCompliance Support: We assist with your GDPR, CCPA, and other regulatory compliance requirementsDocumentation: This page serves as your DPA - bookmark, download, or print for your compliance recordsUpdates: We’ll notify customers of material changes to our data processing practices

Incident Response & Security

Questions About Data Processing?

Data Protection Officer

Jonny Cosgrove
Founder, COO and Data Protection Officer📧 DPO@cleftnotes.com
📋 DPA Questions: Include “DPA” in subject line

Privacy & Compliance

Privacy Team📧 privacy@cleftnotes.com
📋 For: DPA questions, audit requests, compliance documentation, general privacy questions

Official Versions: Privacy Policy | Terms of Service
Data Subject Access Request: To request a copy of all personal data we hold about you, submit a request here or contact our Data Protection Officer.