Privacy Policy

Last updated: June 2026

1. Controller

The controller responsible for data processing on this website within the meaning of the General Data Protection Regulation (GDPR) is:

Samim Faiz

Oratio AI (Einzelunternehmen)

[GESCHÄFTSADRESSE]

Email: hello@oratio-ai.com

2. Data We Collect

2.1 Account Data

When you create an account, we collect your email address and authentication credentials. If you subscribe to a paid plan, your billing information is processed directly by Stripe (see Section 5). We do not store credit card numbers or payment details on our servers.

2.2 Speech Data

When you upload an audio or video file for analysis, we process the file to generate a transcript and a Perception Intelligence report. This processing includes:

  • Automatic speech recognition (transcription) using either a local Whisper model hosted in our infrastructure or the OpenAI Whisper API as a fallback
  • Voice feature extraction (pitch, pace, energy) using our server-side Python analysis pipeline
  • Video presence analysis (facial expression, gestures, posture) using our server-side MediaPipe pipeline, when a video file is uploaded
  • AI-generated coaching report via the OpenAI API (GPT-4.1-mini)

Important: Uploaded media files are automatically deleted from our servers immediately after analysis is complete. We do not retain your original audio or video recordings.

2.3 Analysis Results

We store the generated transcript, analysis scores, and the full Perception Intelligence report in our database so that you can access your reports from your dashboard. This data is associated with your user account and is not shared with other users.

2.4 Usage Data

We collect basic usage data such as credit consumption, analysis timestamps, and plan information for billing and service operation purposes. We do not use third-party analytics tools. We do not track you across websites.

3. Purpose and Legal Basis

PurposeLegal Basis
Account creation and authenticationArt. 6(1)(b) GDPR — performance of contract
Speech analysis and report generationArt. 6(1)(b) GDPR — performance of contract
Payment processing via StripeArt. 6(1)(b) GDPR — performance of contract
Storing analysis results for your dashboardArt. 6(1)(b) GDPR — performance of contract
Service operation and abuse preventionArt. 6(1)(f) GDPR — legitimate interest

4. Cookies

Oratio uses only strictly necessary session cookies provided by our authentication system (Supabase Auth) to keep you logged in. These cookies are essential for the service to function and do not require consent under Art. 5(3) of the ePrivacy Directive.

We do not use advertising cookies, tracking cookies, or third-party analytics cookies. We do not participate in cross-site tracking or targeted advertising.

5. Sub-Processors and Third-Party Services

We use the following third-party services to operate Oratio. All processors have been selected for their GDPR compliance and, where applicable, have signed Data Processing Agreements (DPAs) with us.

Supabase (Supabase Inc.)

Purpose: Database, authentication, and temporary file storage

Location: EU (Frankfurt, Germany)

Uploaded media files are deleted immediately after analysis. Analysis results are stored in the Supabase database.

OpenAI (OpenAI LLC)

Purpose: Transcription fallback (Whisper API) and AI report generation (GPT-4.1-mini)

Location: United States

Data sent to OpenAI is not used for model training (API usage with data processing opt-out). Transfer basis: EU Standard Contractual Clauses (SCCs).

Stripe (Stripe Payments Europe, Ltd.)

Purpose: Payment processing and subscription management

Location: Ireland (EU)

Stripe processes payment data directly. We do not store credit card information.

6. International Data Transfers

Your data is primarily processed within the European Union (Supabase in Frankfurt, Stripe in Ireland). When data is transferred to OpenAI in the United States for AI processing, the transfer is safeguarded by EU Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR.

We only send the minimum data necessary for processing (transcript excerpts and extracted voice/video metrics) to OpenAI. We do not send your original audio or video files to OpenAI.

7. Data Retention

  • Uploaded media files: Deleted immediately after analysis is complete. Typical retention: less than 15 minutes.
  • Analysis results and transcripts: Stored for the duration of your account. Deleted upon account deletion.
  • Account data: Stored for the duration of your account. Deleted upon account deletion.
  • Billing records: Retained for 10 years after the end of the calendar year in which the transaction occurred, as required by German tax law (§ 147 AO, § 14b UStG).

8. Your Rights Under GDPR

Under the General Data Protection Regulation, you have the following rights regarding your personal data:

  • Right of access (Art. 15): You may request a copy of all personal data we hold about you.
  • Right to rectification (Art. 16): You may request correction of inaccurate personal data.
  • Right to erasure (Art. 17): You may request deletion of your personal data, subject to legal retention obligations.
  • Right to restriction of processing (Art. 18): You may request that we restrict the processing of your data in certain circumstances.
  • Right to data portability (Art. 20): You may request your data in a structured, commonly used, machine-readable format.
  • Right to object (Art. 21): You may object to processing based on legitimate interest at any time.

To exercise any of these rights, contact us at hello@oratio-ai.com. We will respond within 30 days.

You also have the right to lodge a complaint with a supervisory authority. The competent authority for us is:

Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW)

Kavalleriestraße 2-4, 40213 Düsseldorf

Website: www.ldi.nrw.de

9. Security

We implement appropriate technical and organisational measures to protect your personal data, including:

  • Encryption in transit (TLS/HTTPS) for all connections
  • Encryption at rest for database storage
  • Row-level security policies ensuring users can only access their own data
  • Automatic deletion of uploaded media files after processing
  • Rate limiting and abuse prevention mechanisms
  • Authentication via Supabase Auth with secure session management

10. Children

Oratio is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children under 16. If you believe a child under 16 has provided us with personal data, please contact us at hello@oratio-ai.com and we will delete the data promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or a prominent notice on our website. The date at the top of this page indicates when this policy was last revised.

12. Contact

If you have questions about this Privacy Policy or how we handle your data, contact us at:

Samim Faiz — Oratio AI

[GESCHÄFTSADRESSE]

Email: hello@oratio-ai.com