Privacy Policy
Your Privacy Matters to Us
Explore our Privacy Policy to learn how we collect, use, and safeguard the information you share with us.
PRIVACY POLICY
SpeakLouder.ai / app.speaklouder.ai
Version 1.2 - May 2026
1. Data Controller
The data controller for personal data processed within the SpeakLouder.ai website and app.speaklouder.ai application is SpeakLouder.ai, hereinafter referred to as the "Controller".
Contact for data protection matters: hello@speaklouder.ai.
This Policy describes the principles of processing personal data of Clients (Platform account users) and Leads processed by the Platform on behalf of Clients.
2. Two Data Roles - Controller and Data Processor
2.1. Client Platform Data
With respect to personal data of Clients (name, email address, VAT number, billing data, account activity logs), SpeakLouder.ai acts as a Data Controller within the meaning of GDPR.
2.2. Lead Data Transmitted by the Client
With respect to personal data of Leads (phone numbers, names, form data), SpeakLouder.ai acts as a Data Processor on behalf of the Client, who is a separate Data Controller for that data and bears full responsibility for its lawful collection and possession of appropriate consents.
The Data Processing Agreement is concluded automatically upon account creation. The full text of the Agreement is available at speaklouder.ai/dpa.
3. Client Data - Scope and Legal Basis for Processing
Category of data: Purpose / legal basis (GDPR)
Email address, login data: Performance of contract - access to Client Panel (Art. 6(1)(b) GDPR)
VAT number, company name: Verification of business status and issuing VAT invoices (Art. 6(1)(b) GDPR)
Billing data: Performance of contract and billing obligation (Art. 6(1)(b) GDPR)
Transaction history, credit balance: Performance of contract - billing (Art. 6(1)(b) GDPR)
Activity logs, IP addresses: Legitimate interest - system security and audit (Art. 6(1)(f) GDPR)
Campaign configuration, agent prompts: Performance of contract - voicebot services (Art. 6(1)(b) GDPR)
Declaration of legal basis for contacting Leads (timestamp, IP): Legitimate interest - compliance documentation (Art. 6(1)(f) GDPR)
KYC verification data - verification result, timestamp, Didit session ID: Legal obligation - regulatory requirements of the telecommunications operator (Art. 6(1)(c) GDPR)
Declaration of positive identity verification: Legitimate interest - compliance documentation (Art. 6(1)(f) GDPR)
Biometric data - facial image, identity document data (processed by Didit, not stored by the Platform): Explicit consent - Art. 9(2)(a) GDPR
Gmail data (if integration activated) - Google account email, content of sent messages: Performance of contract - Gmail integration at Client's request (Art. 6(1)(b) GDPR)
4. Lead Data - Role as Data Processor
The Platform stores Lead data transmitted by the Client solely for the purpose of executing Campaigns ordered by the Client.
The Client, as Lead Data Controller, is obliged to have a valid legal basis for processing each Lead's data, provide Leads with information about data processing and respect Lead rights (access, objection, erasure, portability).
The Controller does not sell, share or use Lead data for purposes other than the technical provision of Services to the Client.
5. Sub-processors
Provider: Role and scope of data
Supabase (USA): PostgreSQL database hosting, authentication, Edge Functions. Processes all categories of Client and Lead data. Transfer to USA based on SCC (Supabase DPA).
ElevenLabs (USA): AI voice agents - initiates calls, generates transcripts. Data transferred: Lead phone number, campaign parameters, transcripts. Transfer to USA based on ElevenLabs DPA.
Telnyx (USA): Telephony infrastructure (SIP/VoIP) - executing calls and sending SMS. Data transferred: Lead phone number, SMS content. Transfer to USA based on Telnyx DPA.
Resend (USA): Email sending - processes Client email address and notification content. Transfer to USA based on Resend DPA.
Stripe (USA): Online payments - card data stored exclusively by Stripe (PCI DSS). Platform stores only transaction identifier. Transfer based on Stripe DPA.
Meta (USA): Lead Ads integration - retrieval of leads from forms. Transfer per Meta policy.
Didit / Datuma Solutions SL (Spain, EU): KYC identity verification - processes Client's identity document, facial biometrics and proof of address. Data deleted after verification session. Certifications: ISO 27001, GDPR compliant, iBeta Level 1. DPA available on request: hello@didit.me. No transfer outside EEA.
Google LLC (USA): Gmail integration - optional feature enabling email sending on behalf of the Client via Gmail API. Data processed in accordance with Google Workspace DPA and Google User Data Policy (Limited Use). Transfer to USA based on SCC.
5.1. Google User Data Policy Statement
"The use of raw or derived user data received from Workspace APIs will adhere to the Google User Data Policy, including the Limited Use requirements."
6. Data Security
The Controller applies the following technical and organisational measures:
encryption of Meta access tokens using pgcrypto with key stored in Supabase Vault
Row Level Security (RLS) policies in the database - each Client has access only to their own data
HMAC signature verification for ElevenLabs webhooks
TLS encryption (HTTPS) for all communication channels
data access restricted to Edge Functions operating server-side
regular database backups
7. Data Retention
Client account data: for the duration of the contract + 5 years (tax and accounting obligations)
Campaign and Lead data: duration of Campaign + 90 days
Call transcripts: duration of Campaign + 90 days; audio recordings are not stored
Technical and diagnostic logs: 30 days from generation
Transaction history: 5 years from transaction date
Onboarding logs (timestamp, IP, declaration version): duration of contract + 5 years
KYC verification data - identity document, biometrics: not stored by the Platform. Processed exclusively by Didit during the verification session. The Platform stores only the verification result (approved/declined), timestamp and session ID - for the duration of the contract + 5 years (regulatory requirements)
Gmail data (if integration active): processed solely for sending; not stored by the Platform beyond technical logs (30 days)
8. Rights of Data Subjects
8.1. Client Rights (vis-à-vis the Controller)
The Client has the right to: access their data and receive a copy, rectification, erasure, restriction of processing, data portability, objection to processing based on legitimate interest, and withdrawal of consent.
Requests should be submitted to: hello@speaklouder.ai. The Controller will respond within 30 days.
8.2. Lead Rights (vis-à-vis the Client as Controller)
Leads whose data is processed by the Platform on the Client's behalf should direct GDPR requests directly to the Client as their Data Controller. If a Lead contacts the Platform Controller, they will be informed of the appropriate Controller.
9. Cookies
The speaklouder.ai website and app.speaklouder.ai application may use technical/session cookies necessary for the service to function. No third-party analytics tools have been identified in the application repository. If such tools are added, this Policy will be updated accordingly.
10. Call Recording - Information for Leads
The Voicebot conducts voice calls that are automatically transcribed by the AI system. The Client is provided with transcripts only - audio recordings are not made available to the Client. A Lead has the right to request erasure of the transcript relating to them - the request should be directed to the Client as the Data Controller.
11. Complaints to Supervisory Authority
If you believe that the processing of your personal data violates GDPR, you have the right to lodge a complaint with a supervisory authority. In Poland: President of the Personal Data Protection Office (UODO), ul. Stawki 2, 00-193 Warsaw, www.uodo.gov.pl.
12. Changes to this Privacy Policy
The Controller reserves the right to amend this Privacy Policy. Clients will be informed of material changes by email with at least 14 days' notice. The current version of the Policy is always available at speaklouder.ai.
Effective date: May 2026