Privacy Policy
Last updated: February 8, 2026
Introduction
SpeechWay ("we", "our", or "us") is committed to protecting the privacy of speech and language therapists and the clients they serve. This policy explains how we collect, use, and protect your data when you use our voice-to-SOAP documentation service.
We are registered with the UK Information Commissioner's Office (ICO) and comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Data Controller
For your account and billing data, SpeechWay acts as the data controller.
For client session data (notes, transcripts, client information), you (the therapist) are the data controller, and SpeechWay acts as a data processor on your behalf. You are responsible for having appropriate consent or legal basis to process your clients' information.
What We Collect
| Data Type | Purpose | Retention |
|---|---|---|
| Account info (email, name) | Authentication, communication | Until account deletion |
| Client records (name, goals) | Organise sessions, track progress | Until you delete them |
| Session transcripts | Generate SOAP notes, audit trail | Until you delete them |
| SOAP notes | Clinical documentation | Until you delete them |
What We Don't Store
Audio recordings are never stored
Your voice recordings are processed for transcription and immediately deleted. We never retain audio files on our servers.
How We Process Your Data
1. Voice Recording
Audio is captured in your browser using the MediaRecorder API. The recording stays on your device until you submit it.
2. Transcription
Audio is sent securely to OpenAI's Whisper API for transcription. OpenAI does not use API data for training. Audio is deleted immediately after transcription.
3. SOAP Generation
The transcript is sent to Anthropic's Claude API to structure it into SOAP notes. Anthropic does not use API data for training.
4. Storage
Transcripts and SOAP notes are stored in our UK-based database (Supabase, London region), encrypted at rest and in transit.
Sub-processors
We use the following third-party services to provide SpeechWay. We have Data Processing Agreements with each provider.
| Provider | Purpose | Location |
|---|---|---|
| OpenAI | Audio transcription (Whisper API) | US (SCCs in place) |
| Anthropic | SOAP note generation (Claude API) | US (SCCs in place) |
| Supabase | Database and authentication | UK (London) |
| Vercel | Application hosting | Global (UK primary) |
SCCs = Standard Contractual Clauses for GDPR-compliant international data transfers.
AI and Model Training
Your data is never used to train AI models
Both OpenAI and Anthropic have confirmed that data sent via their APIs is not used to train their models. Your session content remains private.
Security Measures
- Encryption in transit (TLS 1.2+)
- Encryption at rest (AES-256)
- Row-level security (therapists only see their own data)
- Secure authentication via Supabase Auth
- UK data residency for stored data
Your Rights
Under UK GDPR, you have the right to:
- Access:View all your data through your dashboard
- Rectification:Edit client information and session notes
- Erasure:Delete clients, sessions, or your entire account
- Portability:Request an export of your data
To exercise these rights, contact us at privacy@speechway.io
Health Data
Session notes may contain health-related information, which is considered "special category data" under GDPR Article 9. We process this data on the following lawful bases:
- Article 6(1)(b): Processing is necessary for the contract (providing the service)
- Article 9(2)(a): You provide explicit consent when creating your account
Cookies
We use only essential cookies required for authentication and security. We do not use advertising or tracking cookies.
Changes to This Policy
We may update this policy from time to time. We will notify you of significant changes via email or through the application.
Contact Us
For privacy-related questions or to exercise your rights:
If you're not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk