Cacatua1. Data Controller
Guillermo Nimubona Castrillo
Email: contacto@praxilia.com
Location: Valladolid, Spain
2. Scope
This Privacy Policy applies to the Cacatua mobile application (iOS and Android) and the Cacatua web application (the "Services"). By using the Services, you agree to the collection and use of information as described herein.
3. Data We Collect
3.1 Account Data
When you sign in via Google or Apple, we receive your name, email address, and profile identifier. This data is stored in Google Firebase Authentication to manage your account.
3.2 Audio Data
In streaming mode, audio is captured on your device and sent in real time to our cloud proxy for speech recognition via Alibaba Cloud DashScope (Qwen ASR). In recording mode, audio is recorded locally, then uploaded for transcription. Audio data is processed transiently and is not stored on our servers after transcription is complete.
3.3 Transcripts and Notes
Transcripts generated from your audio and any refined notes produced by LLM post-processing are stored locally on your device (SQLite database) and, when using the web viewer, temporarily in Firebase Realtime Database for cross-device synchronization. You own your transcripts and notes.
3.4 Subscription Data
If you subscribe to Cacatua Pro, your purchase is processed by Apple App Store or Google Play. We use RevenueCat to manage subscription status. RevenueCat receives your anonymous app user ID and transaction data. We do not have access to your payment card details.
3.5 Usage Data
We track your monthly ASR usage (seconds consumed) in Google Firestore to enforce quota limits. No behavioral analytics, advertising identifiers, or tracking pixels are used.
3.6 Cookies
The web application sets a single functional cookie (CACATUA_LOCALE) to remember your language preference. This cookie expires after one year. No analytics, advertising, or third-party tracking cookies are used.
4. Legal Basis for Processing (GDPR Art. 6)
| Data | Legal Basis |
|---|---|
| Account data | Contract performance (Art. 6(1)(b)) — necessary to provide the Services |
| Audio data | Contract performance (Art. 6(1)(b)) — necessary to perform transcription |
| Transcripts & notes | Contract performance (Art. 6(1)(b)) |
| Subscription data | Contract performance (Art. 6(1)(b)) |
| Usage data | Legitimate interest (Art. 6(1)(f)) — quota enforcement and abuse prevention |
| Language cookie | Legitimate interest (Art. 6(1)(f)) — functional preference |
5. Third-Party Processors
We share data with the following processors, all of which offer Data Processing Agreements (DPAs) and Standard Contractual Clauses (SCCs) for international transfers:
| Processor | Purpose | Data Region |
|---|---|---|
| Google Firebase (Auth, Firestore, RTDB, Cloud Run) | Authentication, data storage, server hosting | United States |
| Alibaba Cloud DashScope | Speech recognition (ASR) and LLM post-processing | Singapore |
| RevenueCat | Subscription management | United States (AWS) |
Audio sent to Alibaba Cloud DashScope is processed transiently for speech recognition and is not retained after the response is returned. We do not sell, rent, or share your personal data with any other third parties.
6. International Transfers
Your data may be transferred to the United States (Firebase, RevenueCat) and Singapore (Alibaba Cloud). These transfers are protected by Standard Contractual Clauses (SCCs) and the EU-U.S. Data Privacy Framework where applicable.
7. Data Retention
- Audio: Not retained after transcription.
- Transcripts & notes: Stored locally on your device until you delete them. Temporary RTDB data is deleted when you disconnect from the web viewer.
- Account data: Retained until you delete your account.
- Usage data: Retained for 12 months for quota tracking.
- Subscription data: Retained by RevenueCat per their retention policy (up to 6 years after account closure).
8. Your Rights (GDPR)
Under the General Data Protection Regulation, you have the right to:
- Access your personal data
- Rectify inaccurate data
- Erase your data ("right to be forgotten")
- Restrict processing
- Data portability
- Object to processing based on legitimate interest
- Lodge a complaint with the Spanish Data Protection Agency (AEPD) at www.aepd.es
To exercise these rights, contact us at contacto@praxilia.com. We will respond within 15 business days.
9. Account Deletion
You can delete your account from the app's Settings screen. This will permanently erase your account data, usage history, and all data stored on our servers. Locally stored transcripts on your device will remain until you uninstall the app.
10. Children's Privacy
The Services are not intended for users under 16 years of age. We do not knowingly collect data from children under 16. If we become aware that a user is under 16, we will delete their account promptly.
11. Security
We implement industry-standard security measures including TLS encryption for data in transit, encryption at rest for Firebase services, and SOC 2 Type II certified infrastructure through our processors.
12. Changes
We may update this Privacy Policy. Material changes will be communicated via the app or email. Continued use of the Services after changes constitutes acceptance.
13. Contact
For privacy inquiries, contact:
Guillermo Nimubona Castrillo
Email: contacto@praxilia.com