Data Processing & Security

Last Updated: December 7, 2025

1. Data Flow Architecture

We have designed our architecture to prioritize privacy and minimize data retention.

1.1. Audio Stream

  1. Capture: Audio is captured via the browser's `MediaRecorder` API only after you explicitly grant permission.
  2. Transmission: Audio chunks are streamed via secure WebSocket (WSS) connections.
  3. Processing: Our speech-to-text partner (Speechmatics) converts audio to text in real time.
  4. Ephemeral Nature: Audio is processed in RAM and is discarded immediately after processing. We do not store audio files on disk.

1.2. Text & Context

  1. Input: Transcribed text is received by the LeadSpeech application.
  2. Analysis: A sliding window of the transcript (the "context") is sent to the OpenAI API to generate relevant suggestions.
  3. Output: OpenAI returns text suggestions which are displayed in your browser.
  4. Retention: Transcripts are stored in your local browser session state. If you use our optional cloud saving features (when available), data is encrypted at rest.

2. Sub-processors

We maintain Data Processing Agreements (DPAs) with the following sub-processors to ensure they meet our high security standards:

  • Speechmatics: For enterprise-grade speech recognition.
  • OpenAI: For large language model (LLM) text generation. Note: We use the API platform where data is not used to train their models by default.
  • Vercel: For serverless function execution and secure hosting.
  • Resend: For transactional emails and managing user contact lists for product updates.

3. Security Measures

  • Encryption in Transit: All data transmitted between your browser, our servers, and third-party APIs is encrypted using TLS 1.2 or higher.
  • Encryption at Rest: Any persistent user data (e.g., account settings) is encrypted in our database.
  • Access Control: Strict access controls are applied to internal API keys and production environments. Only authorized personnel have access to system configurations.
  • Data Minimization: We only send the minimum necessary context to AI models to generate relevant suggestions.

4. User Consent

4.1. Microphone Access

You maintain control over your hardware. The application cannot access your microphone without your explicit permission via the browser's native security prompt. You can revoke this permission at any time via your browser settings.

4.2. Marketing Consent & Audit Trail (GDPR Compliance)

When you sign up for LeadSpeech and provide marketing consent, we collect and store the following metadata to comply with GDPR Article 7(1) requirements for demonstrating valid consent:

  • Consent Status: Whether you checked the marketing consent checkbox (true/false)
  • Consent Text: The exact wording of the consent statement you agreed to
  • Timestamp: The date and time you provided consent (ISO 8601 format)
  • IP Address: Your IP address at the time of signup (for identity verification)
  • Source: The form or page where you signed up (e.g., "landing-page-hero")

Purpose: This audit trail allows us to prove that consent was freely given, specific, informed, and unambiguous, as required by GDPR. This data is only accessed if we need to demonstrate compliance with data protection regulations.

Retention: Consent metadata is stored for as long as your account is active. If you delete your account or withdraw consent, we retain a minimal record (email + withdrawal timestamp) for legal compliance purposes only (up to 3 years).

5. Email Data Processing

We use Resend as our email service provider for:

  • Magic link authentication emails (transactional)
  • Product updates and marketing communications (if you opted in)

Data Shared with Resend: Your email address, consent status, and email metadata (send time, open rate). Resend operates under a Data Processing Agreement (DPA) and is GDPR-compliant.

To unsubscribe from marketing emails, click the "Unsubscribe" link in any marketing email or email support@leadspeech.com.

6. Data Retention Periods

| Data Type | Retention Period | Reason |
|---|---|---|
| Audio streams | Ephemeral (seconds) | Processed in memory only |
| Session transcripts | Browser session only | Not stored server-side |
| Email address | Until account deletion | Authentication & communication |
| Consent metadata | Until account deletion + 3 years | Legal compliance (GDPR proof) |
| Usage statistics | 90 days | Service improvement |

7. Your Data Rights

Under GDPR, CCPA, and other privacy regulations, you have the right to:

  • Access: Request a copy of all data we hold about you
  • Rectification: Correct inaccurate or incomplete data
  • Erasure: Delete your account and all associated data
  • Portability: Receive your data in a machine-readable format
  • Withdraw Consent: Opt out of marketing communications at any time
  • Object: Object to processing based on legitimate interests

To exercise any of these rights, contact us at: support@leadspeech.com