ParrotKey

GDPR Compliance

Effective Date: February 3, 2026 Last Updated: February 3, 2026

This document explains how ParrotKey complies with the General Data Protection Regulation (GDPR) and outlines your rights as a data subject.

1. Data Controller Information

Data Controller: AppMachine B.V. Netherlands

Contact Information:

AppMachine B.V. is the data controller responsible for your personal data processed through the ParrotKey application and services.

2. Legal Basis for Processing

We process your personal data under the following legal bases:

2.1 Performance of Contract (Article 6(1)(b))

We process data necessary to provide the ParrotKey service, including:

  • Account creation and authentication
  • Voice transcription services
  • Data synchronization across devices
  • Customer support

2.2 Consent (Article 6(1)(a))

We process the following data only with your explicit consent:

  • Usage analytics and statistics
  • Marketing communications
  • Optional data sharing for service improvement

You may withdraw consent at any time through your account settings or by contacting us.

2.3 Legitimate Interest (Article 6(1)(f))

We process data for our legitimate interests, including:

  • Security monitoring and fraud prevention
  • Service improvement and debugging
  • Legal compliance and record-keeping

We balance these interests against your fundamental rights and freedoms.

3. Your GDPR Rights

As a data subject under GDPR, you have the following rights:

3.1 Right to Access (Article 15)

You have the right to:

  • Know whether we process your personal data
  • Receive a copy of your personal data
  • Understand how and why we process your data

How to exercise: Request via support@parrotkey.ai or export your data through account settings.

3.2 Right to Rectification (Article 16)

You have the right to:

  • Correct inaccurate personal data
  • Complete incomplete personal data

How to exercise: Update your information in account settings or contact support.

3.3 Right to Erasure (Article 17)

Also known as the "right to be forgotten," you can request deletion of your data when:

  • Data is no longer necessary for its original purpose
  • You withdraw consent
  • You object to processing and there are no overriding legitimate grounds
  • Data has been unlawfully processed

How to exercise: Delete your account through app settings or email support@parrotkey.ai.

Exceptions: We may retain data where required by law or for legal claims.

3.4 Right to Restrict Processing (Article 18)

You can request that we limit how we use your data when:

  • You contest the accuracy of your data
  • Processing is unlawful but you prefer restriction over erasure
  • We no longer need the data but you require it for legal claims
  • You have objected to processing pending verification

How to exercise: Contact support@parrotkey.ai with your specific request.

3.5 Right to Data Portability (Article 20)

You have the right to:

  • Receive your data in a structured, commonly used, machine-readable format
  • Transmit your data to another controller

How to exercise: Use the data export feature in account settings or contact support.

Formats available: JSON, CSV

3.6 Right to Object (Article 21)

You can object to processing based on legitimate interests, including:

  • Direct marketing
  • Profiling for marketing purposes

How to exercise: Update your preferences in settings or contact support.

3.7 Right to Withdraw Consent (Article 7(3))

Where processing is based on consent, you can withdraw consent at any time without affecting the lawfulness of processing before withdrawal.

How to exercise:

  • Analytics: Change your tracking preference in app settings
  • Marketing: Unsubscribe link in emails or contact support

3.8 Rights Related to Automated Decision-Making (Article 22)

ParrotKey does not make automated decisions with legal or similarly significant effects based on your personal data. Transcription is a tool that assists you; all decisions about using the output are made by you.

4. How to Exercise Your Rights

4.1 In-App Options

Many rights can be exercised directly through ParrotKey:

ActionLocation
Update personal informationAccount Settings
Change analytics consentPrivacy Settings
Export your dataData & Privacy > Export
Delete your accountAccount Settings > Delete Account
Manage devicesDevices & Security

4.2 Formal Requests

For formal GDPR requests, contact us at:

4.3 Verification

To protect your data, we may need to verify your identity before processing requests. This may include:

  • Confirming your email address
  • Asking security questions
  • Requesting additional identification for sensitive requests

4.4 Response Time

We will respond to your request within 30 days. If your request is complex or we receive many requests, we may extend this by an additional 60 days, notifying you of the extension.

4.5 Cost

Most requests are handled free of charge. We may charge a reasonable fee for:

  • Manifestly unfounded or excessive requests
  • Additional copies of data

5. Data Processing Activities

The following table summarizes our data processing activities:

PurposeData CategoriesLegal BasisRetention Period
Transcription ServiceAudio (processed, not stored), transcription outputContractAudio: Not retained; Output: Until deleted by user
Account ManagementEmail, name, profile photoContractUntil account deletion
AuthenticationLogin credentials, session tokensContractCredentials: Until account deletion; Tokens: Session duration
Cloud SyncNotes, dictionary, settingsContractUntil account deletion or sync disabled
Usage AnalyticsFeature usage, word counts, time savedConsent24 months (anonymized after 12 months)
Device ManagementDevice name, platform, app versionContractUntil device removed or account deleted
Team CollaborationShared dictionaries, team membershipContractUntil team membership ends
Payment ProcessingPayment details (processed by Paddle)ContractAs required by financial regulations
Customer SupportSupport tickets, communication historyContract / Legitimate Interest3 years after resolution
Security & Fraud PreventionIP addresses, access logsLegitimate Interest12 months

6. International Data Transfers

6.1 EU-Based Processing

Our primary data processing occurs within the European Union:

  • Firebase: europe-west4 (Netherlands)
  • Primary Database: EU region

6.2 Third-Party Transcription Providers

When you select certain transcription providers, data may be transferred outside the EU:

ProviderLocationSafeguards
OpenAIUnited StatesStandard Contractual Clauses, DPA
GroqUnited StatesStandard Contractual Clauses, DPA
CloudflareGlobal (edge)Standard Contractual Clauses, DPA
SonioxUnited StatesStandard Contractual Clauses, DPA
ParrotKey CloudEuropean UnionNo transfer required
Local ModelsYour deviceNo transfer

6.3 Safeguards for International Transfers

For transfers outside the EU/EEA, we implement:

  • Standard Contractual Clauses (SCCs): EU-approved contract terms
  • Data Processing Agreements: Binding commitments from processors
  • Encryption: All data encrypted in transit and at rest
  • Access Controls: Strict limitations on who can access data

6.4 Your Choice

You can avoid international transfers by:

  • Using local transcription models (Whisper, Parakeet)
  • Selecting ParrotKey Cloud (EU-based)
  • Disabling cloud sync (data stays on your device)

7. Data Protection Measures

7.1 Technical Measures

  • Encryption: TLS 1.3 in transit, AES-256 at rest
  • Access Control: Role-based access, principle of least privilege
  • Monitoring: Security event logging and anomaly detection
  • Secure Development: Security-focused development practices

7.2 Organizational Measures

  • Training: Staff trained on data protection
  • Policies: Internal data handling policies
  • Vendor Management: Due diligence on third-party processors
  • Incident Response: Documented breach response procedures

8. Data Protection Officer

While not legally required for our organization size, we have designated a privacy contact:

Privacy Contact:

9. Supervisory Authority

9.1 Dutch Data Protection Authority

As a Netherlands-based company, our lead supervisory authority is:

Autoriteit Persoonsgegevens (Dutch Data Protection Authority)

9.2 Your Right to Complain

You have the right to lodge a complaint with:

  • The Dutch Data Protection Authority (our lead authority)
  • Your local data protection authority (if you reside in another EU country)

We encourage you to contact us first at support@parrotkey.ai so we can address your concerns directly.

10. Children's Data

ParrotKey is not intended for users under 16 years of age. We do not knowingly collect personal data from children under 16. If we become aware that we have collected data from a child under 16, we will take steps to delete that data promptly.

If you believe a child under 16 has provided us with personal data, please contact us at support@parrotkey.ai.

11. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms:

  • We will notify the relevant supervisory authority within 72 hours
  • We will notify affected users without undue delay if the breach poses a high risk
  • Notifications will include the nature of the breach, likely consequences, and measures taken

12. Changes to This Document

We may update this GDPR Compliance document to reflect changes in our practices or legal requirements. We will notify you of material changes via:

  • Email to your registered address
  • In-app notification
  • Notice on our website

13. Contact Us

For any questions about this document or our GDPR compliance:

AppMachine B.V.

We aim to respond to all inquiries within 5 business days.

14. Related Documents

This GDPR Compliance document is effective as of February 3, 2026.