Formal DPA: This page serves as Cleft’s official Data Processing Agreement for all customers and compliance teams, while also providing transparent information for all users.
Last Updated: September 10, 2025
Effective: September 10, 2025

​
Data Processing Agreement

This document serves as both our user-friendly data transparency guide and our formal Data Processing Agreement (DPA) for customers requiring compliance documentation.

​
Data Controller/Processor Relationship

Roles & Responsibilities

You (Data Controller): You control the personal data in your notes, recordings, and accountCleft (Data Processor): We process your data solely to provide voice-to-text services as instructed by youLegal Basis: Processing based on legitimate interests (service provision) and consent where applicable
Key Principle: We only collect and process data that’s essential for delivering our service. Your content is never used for training AI models or shared with advertisers.Complete Vendor List: This DPA covers our key data processors. For our complete list of all 37 vendors (including business operations vendors that handle no personal data), see our Vendor Transparency page.

​
Data Categories & Usage

​
Audio Recordings

Your Voice Recordings

What We Collect: Audio files when you press recordHow It’s Processed:
  1. Local Storage: Audio stays on your device during recording
  2. Device Transcription: Processed locally using OpenAI’s Whisper model
  3. Cloud Backup: Audio files uploaded to AWS for 1-hour temporary access
  4. Permanent Storage: Moved to secure AWS storage after 1 hour
  5. Download Access: Available for download anytime via the app
Who Has Access:
  • AWS (hosting only - no content access)
  • You (full ownership and download rights)
Retention: Kept for 2 years after your last login, then securely deleted

​
Transcripts & Text

Transcribed Text

What We Collect: Text versions of your audio recordingsHow It’s Processed:
  1. Device Creation: Generated locally on your device
  2. AI Enhancement: Text sent to AI providers for note processing
  3. Cloud Sync: Stored on AWS for cross-device access
  4. User Access: Available in-app and via export
Who Has Access:
  • OpenAI (primary AI processing - text only, never audio)
  • Groq (backup AI processing - text only)
  • Anthropic (additional AI processing - text only)
  • AWS (hosting only - no content access)
Important: AI providers receive only text, never your audio recordings. Your data is never used to train their models.

​
Account Information

Profile & Settings

What We Collect:
  • Email address (for authentication)
  • Display name
  • App preferences and settings
  • Device information (for sync)
How It’s Used:
  • Authentication: Secure login via email
  • Sync: Cross-device note synchronization
  • Support: Customer service assistance
  • Communications: Service updates and newsletters (opt-in)
Who Has Access:
  • AWS (secure hosting)
  • HubSpot (customer support interactions only)
  • Mailerlite (newsletter delivery - opt-in only)
  • 1Password (internal team password management only)
Control: You can export, modify, or delete this data anytime

​
Website & Forms

Contact Forms & Website

What We Collect:
  • Form submissions on our website
  • Contact requests and support inquiries
  • Scheduling information for consultations
How It’s Used:
  • Customer Support: Responding to inquiries and requests
  • Scheduling: Coordinating onboarding calls and consultations
  • Website Hosting: Maintaining our public-facing website
Who Has Access:
  • Webflow (website hosting and form submissions)
  • Fillout (form building and data collection)
  • Namecheap (domain registration and DNS management)
  • Cloudflare (CDN and website performance)
Purpose: These vendors help us maintain our website and respond to customer inquiries

​
Integration & Automation

Workflow Automation

What We Collect:
  • Integration data flows you configure
  • Automated workflow triggers
  • Connected app permissions
How It’s Used:
  • User Integrations: Connecting Cleft with your other tools
  • Automation: Streamlining workflows as configured by you
  • Data Export: Sending your notes to destinations you choose
Who Has Access:
  • Zapier (workflow automation - only data flows you configure)
Control: You configure all data flows and can disable integrations anytime

​
Usage Analytics

App Performance Data

What We Collect:
  • Feature usage patterns (anonymous)
  • App performance metrics
  • Crash reports (no personal content)
  • Documentation page views
How It’s Used:
  • Product Improvement: Understanding which features are most valuable
  • Bug Fixes: Identifying and resolving technical issues
  • Performance: Optimizing app speed and reliability
Who Has Access:
  • Fathom Analytics (website analytics only - privacy-focused)
  • TelemetryDeck (in-app anonymous analytics - no PII collected)
  • Sentry (crash reporting - no personal data)
  • Metabase (internal analytics - aggregated data only)
Privacy: All analytics are anonymous and contain no personal content or notes

​
Payment Information

Billing & Subscriptions

What We Collect:
  • Subscription status
  • Purchase history
  • Payment method (handled by Apple/Stripe)
How It’s Processed:
  • Apple App Store: Handles all iOS subscription billing
  • Stripe: Processes web payments (we don’t see card details)
  • RevenueCat: Manages subscription status and analytics
Important: We never see or store your actual payment details (card numbers, etc.). This is handled entirely by secure payment processors.Who Has Access:
  • Apple (iOS subscriptions)
  • Stripe (web payments - PCI compliant)
  • RevenueCat (subscription management)

​
Data Flow Diagram

​
Your Data Rights

Full Ownership

You Own Everything
  • All notes, transcripts, and audio files
  • Complete export available anytime
  • Delete individual items or entire account
  • No vendor lock-in - portable data

Complete Control

Granular Permissions
  • Choose which features to sync
  • Control communication preferences
  • Manage integration permissions
  • Request specific data deletion

Transparency

Full Visibility
  • Know exactly who processes your data
  • See all vendor relationships
  • Access data processing agreements
  • Review security certifications

Privacy by Design

Built-in Protection
  • No advertising or tracking
  • No data sales to third parties
  • No AI training on your content
  • GDPR & CCPA compliant

​
Data Minimization

We follow strict data minimization principles:
  • Only Essential Data: We collect only what’s needed for core functionality
  • Purpose Limitation: Data used only for stated purposes
  • Retention Limits: Automatic deletion after 2 years of inactivity
  • Access Controls: Vendor access limited to necessary functions only

​
DPA Compliance & Audit Rights

Compliance & Audit Rights

Audit Rights: Customers have the right to audit our data processing activities upon reasonable noticeCompliance Support: We assist with your GDPR, CCPA, and other regulatory compliance requirementsDocumentation: This page serves as your DPA - bookmark, download, or print for your compliance recordsUpdates: We’ll notify customers of material changes to our data processing practices

​
Incident Response & Security

​
Questions About Data Processing?

Data Protection Officer

Jonny Cosgrove
Founder, COO and Data Protection OfficerπŸ“§ [email protected]
πŸ“‹ DPA Questions: Include β€œDPA” in subject line

Privacy & Compliance

Privacy TeamπŸ“§ [email protected]
πŸ“‹ For: DPA questions, audit requests, compliance documentation, general privacy questions

Official Versions: Privacy Policy | Terms of Service
Data Subject Access Request: To request a copy of all personal data we hold about you, submit a request here or contact our Data Protection Officer.