Privacy Policy
Last updated: 23.06.2026
This Privacy Policy explains how Relocybersec, S.L., a company incorporated in Spain under tax identification number (NIF) B56220395, with its registered office at Calle Antonio González Barrios 1, Planta 2, Puerta 8, 38683 Santiago del Teide, Santa Cruz de Tenerife, Spain ("Specala", "Specala AI", "we", "us", "our"), collects, uses, shares, and protects personal data when you use the Specala AI service at https://specala.ai, https://app.specala.ai, the "Specala AI" Telegram bot, our browser extension, and our API/MCP server (together, the "Service").
We process personal data in accordance with the EU General Data Protection Regulation (GDPR) and Spanish data-protection law (LOPDGDD). This Policy should be read together with our Terms of Service, our Cookie Policy, and, for business customers, our Data Processing Agreement ("DPA").
1. Who we are; how to contact us
1.1. Controller. Relocybersec, S.L. is the controller of the personal data described in this Policy, except where we act as a processor for business customers (Section 2.3).
1.2. Privacy contact. For any privacy question or to exercise your rights, contact us at hello@specala.ai. This address reaches the person responsible for data-protection matters at Specala.
1.3. Lead supervisory authority. As we are established in Spain, our lead supervisory authority is the Spanish Data Protection Agency (Agencia Española de Protección de Datos, AEPD, www.aepd.es). You may also contact the data-protection authority of your own EU/EEA country.
1.4. United Kingdom. UK individuals can contact us about their personal data at hello@specala.ai and may lodge a complaint with the UK Information Commissioner's Office (ICO, www.ico.org.uk).
1.5. Other regional contacts are listed in Section 12.
2. Scope and our roles
2.1. This Policy covers personal data of: visitors to our website; registered users of the Service; people whose voice, image, or information appears in content that users upload or record ("Participants"); and business contacts.
2.2. We are a controller for: account, profile, and authentication data; billing and transaction data; usage, device, and log data; support communications; and marketing data. Our processing of this data is governed by this Policy.
2.3. We are a processor when a business customer (the controller) uploads or records content containing personal data through the Service. We process that content only on the customer's documented instructions, under our DPA. The business customer is responsible, as controller, for the lawfulness of that data and for informing the Participants.
2.4. Participants. Where you are an individual user (not a business), you are responsible for the content you record or upload and for notifying and obtaining consent from Participants as required by law (see Terms, Section 6). For our own purposes, we process Participant data as described here.
3. Personal data we collect
3.1. Data you provide:
- Account & profile: email address, password or third-party sign-in identifier (e.g., Google), name, language, and (for the Telegram bot) your Telegram identifier.
- Billing: plan, transaction history, and partial payment details. Full card data is handled by our payment providers; we do not store it.
- User Content: audio and video files, recordings of online meetings and calls, and the information they contain, including voices, images, and any personal data of you and of Participants spoken or shown in the recording.
- Support & communications: messages you send us.
3.2. Data generated by the Service:
- Output: transcripts, summaries, reports, action items, and answers generated by AI from your User Content.
- Speaker-separation labels (diarization): in-session labels distinguishing speakers (e.g., "Speaker 1/2"). See Section 5.4 on voice data.
3.3. Data we collect automatically:
- Usage & device data: IP address, device and browser type, identifiers, pages and features used, timestamps, and diagnostic logs.
- Cookies and similar technologies: see our Cookie Policy.
3.4. Workspace data: if you use Workspaces, members can see each other's name, email, and activity necessary for the Workspace to function.
3.5. Data about Participants (collected indirectly). When you record or upload content, it may contain personal data of Participants who are not our users. We process this on your instruction/responsibility to provide the Service. This Policy and the Terms describe how that data is handled; the user who created the content is responsible for the legal basis and for notifying Participants (GDPR Article 14 may apply to them).
4. Why we use your data and our legal bases (GDPR)
| Purpose | Personal data | Legal basis (GDPR Art. 6 / 9) |
|---|---|---|
| Provide the Service: recording, transcription, AI Output, storage, Workspaces, API/MCP | Account, User Content, Output, usage | Contract — Art. 6(1)(b) |
| Create and manage your Account; authenticate you | Account, profile | Contract — Art. 6(1)(b) |
| Process payments and prevent payment fraud | Billing, transaction | Contract — Art. 6(1)(b); legal obligation — Art. 6(1)(c) |
| Secure the Service; prevent abuse, fraud, and unauthorized access | Usage, device, logs | Legitimate interests — Art. 6(1)(f) |
| Maintain and improve reliability and quality of the Service (diagnostics, aggregate analytics — not AI training) | Usage, diagnostic | Legitimate interests — Art. 6(1)(f) |
| Provide support and respond to you | Communications, account | Contract / legitimate interests — Art. 6(1)(b)/(f) |
| Send marketing communications | Email, profile | Consent — Art. 6(1)(a) (withdraw anytime) |
| Train or improve AI models on your content | User Content, Output | Explicit opt-in consent — Art. 6(1)(a); we do not do this by default (Section 5.3) |
| Persistent voice identification (voiceprints), if you enable it | Voice data | Explicit consent — Art. 9(2)(a); off by default (Section 5.4) |
| Comply with legal obligations and respond to lawful requests | As relevant | Legal obligation — Art. 6(1)(c) |
4.1. Where we rely on legitimate interests, you may object (Section 9). Where we rely on consent, you may withdraw it at any time without affecting prior processing.
5. Artificial intelligence, accuracy, and voice data
5.1. The Service uses speech-recognition and AI models to transcribe your content and generate Output. Output is generated automatically and may contain errors; it is informational only and is not a substitute for the source recording or professional advice (see Terms, Section 9).
5.2. No solely-automated decisions with legal effect. We do not use the Service to make decisions that produce legal or similarly significant effects about you without human involvement. Any decisions you make using Output are yours.
5.3. AI training — opt-in only. We do not use your User Content or Output to train, retrain, fine-tune, or develop AI models, unless you give separate, explicit consent, which you can withdraw at any time. We contractually require our AI sub-processors not to use your content to train their models.
5.4. Voice data. The Service performs transcription and in-session speaker separation (diarization), which distinguishes speakers within a single recording. By default, we do not create persistent "voiceprints" to identify a specific named individual across recordings. Where a feature that does so is offered, it is off by default and requires your explicit consent; voiceprints are special-category/biometric data and are handled with additional safeguards and a defined retention-and-deletion schedule.
5.5. AI transparency. Where required by law, Output is marked or otherwise disclosed as AI-generated.
6. Who we share data with
6.1. We share personal data with:
- Sub-processors / service providers who process data on our behalf to run the Service — cloud hosting, speech-to-text providers, AI/LLM providers (for summaries and reports), email delivery, analytics, and payment processing. We bind them to confidentiality and data-protection obligations and, for AI providers, to a no-training-on-your-content commitment. A current list of sub-processors is available on request.
- Workspace members and recipients you choose, when you share Output.
- Third-party software you connect via API/MCP, on your instruction (their processing is governed by their own terms).
- Authorities and advisers where required by law, to enforce our Terms, or to protect rights, safety, and security.
- Business successors in a merger, acquisition, reorganization, or asset sale, subject to this Policy.
6.2. We do not sell your personal data, and we do not "share" it for cross-context behavioural advertising (as those terms are defined under US state laws). See Section 12.
7. International data transfers
7.1. We are established in the European Union (Spain). Your data is processed within the European Economic Area (EEA) and, in some cases, outside the EEA by our hosting and AI sub-processors.
7.2. Where we transfer personal data outside the EEA to a country that is not the subject of an adequacy decision, we rely on appropriate safeguards — primarily the European Commission's Standard Contractual Clauses (SCCs) — together with a transfer risk assessment and supplementary measures (such as encryption). For transfers from the UK, we use the UK International Data Transfer Agreement / Addendum. You may request a copy of the relevant safeguards by emailing hello@specala.ai.
7.3. For transfers from other regions (e.g., Brazil, Türkiye), we use the transfer mechanisms required by local law.
8. How long we keep data
8.1. We keep personal data only as long as necessary for the purposes in this Policy:
- Account & profile: while your Account is active and for a limited period afterwards.
- User Content & Output: for as long as you keep them in the Service. They are deleted when you delete them or when your Account is deleted, within the period stated in the Service or this Policy, subject to a short period for backups.
- Billing & transaction records: for the period required by tax and accounting law.
- Usage, security, and log data: for a limited retention period for security and diagnostics.
- Voiceprints (if enabled): per the defined retention-and-deletion schedule (Section 5.4).
8.2. We may retain certain data longer where required to comply with law, resolve disputes, or enforce our agreements (legal holds). When data is no longer needed, we delete or irreversibly anonymize it.
9. Your rights
9.1. GDPR / UK GDPR (EEA, UK). Subject to conditions, you have the right to: access your data; rectify it; erase it ("right to be forgotten"); restrict processing; request data portability; object to processing based on legitimate interests or to direct marketing; and not be subject to solely-automated decisions with legal/significant effect. Where processing is based on consent, you may withdraw it at any time.
9.2. How to exercise. Email hello@specala.ai. We respond within one month (extendable by two months for complex requests) and may need to verify your identity. Exercising your rights is free unless requests are manifestly unfounded or excessive.
9.3. Participants. If your personal data appears in content uploaded by a user, that user is the controller or the responsible party; we may forward your request to them and will assist as required by law.
9.4. Complaints. You may lodge a complaint with the Spanish Data Protection Agency (AEPD, www.aepd.es), with the supervisory authority of your EU/EEA country of residence, or, in the UK, with the Information Commissioner's Office (ICO). We ask that you contact us first so we can help.
9.5. Region-specific rights (California, Brazil, Türkiye, and others) are in Section 12.
10. Security
10.1. We implement technical and organizational measures appropriate to the risk, including encryption of data in transit and at rest, access controls, and monitoring. No system is perfectly secure; we cannot guarantee absolute security. In the event of a personal-data breach, we will notify the AEPD (and, where relevant, other authorities) and affected individuals where required by GDPR.
11. Children
11.1. The Service is intended for users aged 18 and over. It is not directed to children, and we do not knowingly collect personal data from children under the minimum age set by applicable law (14 in Spain; under 13 under US COPPA). If we learn that we have collected such data, we will delete it. If you believe a child has provided us personal data, contact hello@specala.ai.
12. Region-specific disclosures
12.1. California (CCPA/CPRA). In the preceding 12 months we may have collected the categories of personal information described in Section 3 (identifiers, account, commercial/billing, internet/usage, audio/visual content, and inferences), for the purposes in Section 4. We do not sell or share your personal information for cross-context behavioural advertising, and we do not knowingly do so for consumers under 16. California residents have the right to: know/access, delete, and correct their personal information; opt out of sale/sharing (not applicable, as we do not sell or share); limit the use of sensitive personal information; and not be discriminated against for exercising rights. We honour Global Privacy Control (GPC) browser signals where applicable. To exercise these rights, email hello@specala.ai. You may use an authorized agent.
12.2. Brazil (LGPD). If you are in Brazil, you have the rights in Article 18 LGPD (confirmation, access, correction, anonymization/blocking/deletion, portability, information on sharing, and review). Our legal bases correspond to the LGPD hypotheses. You may contact us at hello@specala.ai and may also contact the ANPD.
12.3. Türkiye (KVKK). If you are in Türkiye, you have the rights in Article 11 KVKK. You may contact us at hello@specala.ai. Cross-border transfers are made using the mechanisms permitted under KVKK.
12.4. United Kingdom. Section 9 applies. You may complain to the Information Commissioner's Office (ICO).
12.5. Other jurisdictions: where local law grants you data-protection rights, we honour them; contact hello@specala.ai.
13. Changes to this Policy
13.1. We may update this Policy. The current version is published on our website with its effective date. For material changes, we will give notice by email and/or in the Service. Continued use after the effective date means you acknowledge the updated Policy, subject to any consent required by law.
14. Contact
Relocybersec, S.L. · Calle Antonio González Barrios 1, Planta 2, Puerta 8, 38683 Santiago del Teide, Santa Cruz de Tenerife, Spain · Privacy: hello@specala.ai · Lead supervisory authority: AEPD (www.aepd.es)