Privacy Policy
1. Privacy at a Glance
General Information
The following information provides a simple overview of what happens to your personal data when you visit this website or use the Hablará app. Personal data is any data that can be used to identify you personally.
Data Collection on This Website
Who is responsible for data collection on this website?
Data processing on this website is carried out by the website operator. You can find their contact details in the "Controller" section of this privacy policy.
How do we collect your data?
Some data is collected when you provide it to us directly. Other data is collected automatically or with your consent when you visit the website through our IT systems — primarily technical data (e.g., browser, operating system, time of access).
What do we use your data for?
Some data is collected to ensure the website functions correctly. Other data may be used to analyze your usage behavior (not currently implemented).
What rights do you have regarding your data?
You have the right at any time to receive free information about the origin, recipient, and purpose of your stored personal data. You also have the right to request correction or deletion of this data. If you have given consent to data processing, you may revoke it at any time for the future. You also have the right, under certain circumstances, to request the restriction of processing of your personal data.
🔒 Hablará App: 100% Privacy-First
The Hablará desktop app collects NO user data.
- ✅ All audio recordings stay on your device
- ✅ No cloud uploads, no external data transfers
- ✅ 100% local processing with Ollama or optional cloud LLMs
- ✅ No telemetry, optional anonymous crash reports (opt-in), no analytics
- ✅ Source-Available — code is publicly viewable on GitHub
When using cloud LLMs (optional): If you choose OpenAI, Anthropic Claude, or Mistral AI as your LLM provider, transcripts will be sent to these services. This only happens upon your explicit configuration. In that case, the privacy policies of OpenAI, Anthropic, and Mistral AI apply. Mistral AI processes data on EU servers (no third-country transfer).
- API keys are stored locally in the macOS Keychain, encrypted (AES-256-GCM)
- Transcripts are sent directly to the chosen provider
- The user bears sole responsibility for the configuration and use of third-party services
App-Specific Privacy Information
Legal Basis
Art. 6(1)(a) GDPR: Processing based on your informed consent.
Data Categories
Audio recordings, transcriptions, AI analysis results, configuration settings (e.g., chosen LLM provider).
Note on Art. 9 GDPR: Hablará is not a medical device and does not create diagnoses. The psychologically-informed analyses serve exclusively for self-reflection. Processing occurs locally on your device; when using cloud services, based on your explicit consent (Art. 9(2)(a) GDPR).
Storage Location
Locally at ~/Hablara/recordings/ — no transmission to external servers.
Storage Duration & Automatic Cleanup
Default: Automatic deletion when exceeding 500 recordings (configurable: 25–500).
Users can manually delete or adjust auto-cleanup in settings.
No external storage; data remains exclusively in ~/Hablara/recordings/.
App Permissions
- Microphone: Required for audio recordings
- File system: For local storage in ~/Hablara/recordings/
Audio recordings and transcripts are stored unencrypted locally. API keys are encrypted in the macOS Keychain. The user is responsible for device security (FileVault recommended).
Important Note
Hablará is a self-reflection tool, not a medical product. The AI analyses serve self-awareness, not diagnosis or treatment.
Minimum Age
Hablará is intended for adults (18+). The psychologically-informed analysis features are not designed for minors. Users under 16 require parental consent.
2. Hosting and Server Logs
External Hosting
This website is hosted externally. Personal data collected on this website is stored on the servers of the hosting provider — including IP addresses, contact requests, meta and communications data, and other data generated via the website.
External hosting serves the purpose of fulfilling our contract (Art. 6(1)(b) GDPR) and in the interest of a secure, fast provision of our online offering (Art. 6(1)(f) GDPR).
Hosting provider: ALL-INKL.COM
ALL-INKL.COM - Neue Medien Münnich
Hauptstraße 68
02742 Friedersdorf
Germany
More information: ALL-INKL.COM Privacy Information
Server Log Files
The hosting provider automatically collects and stores information in server log files, including:
- Browser type and version
- Operating system used
- Referrer URL
- Hostname of the accessing device
- Time of server request
- IP address
This data is not merged with other data sources. Collection is based on Art. 6(1)(f) GDPR — legitimate interest in error-free website operation.
3. General Information and Mandatory Disclosures
Controller
The controller for data processing on this website is:
Marc Allgeier
Kugelfangtrift 81
30657 Hannover
Email:
Right to Complain to a Supervisory Authority
In the event of GDPR violations, you have the right to lodge a complaint with a supervisory authority, in particular in the member state of your habitual residence, workplace, or place of the alleged infringement.
The competent supervisory authority for the controller (located in Lower Saxony, Germany) is:
Landesbeauftragte für den Datenschutz Niedersachsen (LfD Niedersachsen)
Prinzenstraße 5, 30159 Hannover, Germany
lfd.niedersachsen.de
UK users may also contact the Information Commissioner's Office (ICO): Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF — ico.org.uk
SSL/TLS Encryption
This site uses SSL/TLS encryption for security reasons and to protect the transmission of confidential content. You can recognize an encrypted connection when the browser address bar changes from "http://" to "https://" and shows a padlock icon.
4. Source Code & GitHub
The source code of Hablará is publicly viewable on GitHub (Source-Available license — no free use/modification without permission). When interacting with the repository (issues, pull requests, etc.), the GitHub Privacy Statement applies.
5. Crash Reports (Optional)
Purpose and Scope
The Hablará app offers the option to send anonymous crash reports to improve stability and quality. This feature is disabled by default and is only activated after your explicit consent (opt-in under Settings > Advanced > Crash Reports).
Data Processed
When an error occurs, only the following technical data is transmitted:
- Technical error messages (stack traces)
- App version
- Operating system and platform
- Time of the error
The following data is explicitly NOT processed:
- Your transcripts, audio recordings, or analysis results
- Personal data such as name, email, or username
- IP addresses (automatically removed)
- File paths containing usernames (automatically anonymized)
Recipient and Storage Location
Crash reports are processed by Sentry (Functional Software, Inc., San Francisco, USA). Data processing occurs exclusively on EU servers in Frankfurt, Germany. More information: Sentry Privacy Policy
A Data Processing Agreement (DPA) pursuant to Art. 28 GDPR is in place with Sentry. As Sentry is a US company, transfers are based on Standard Contractual Clauses (SCCs) under Art. 46(2)(c) GDPR. Processing itself takes place exclusively on EU servers in Frankfurt, Germany. More information: Sentry Data Processing Addendum
Storage Duration
Crash reports are automatically deleted after 7 days.
6. Contact
For privacy questions or to exercise your rights, contact us at:
Marc Allgeier
Kugelfangtrift 81
30657 Hannover
Email:
7. International Users and Supervisory Authorities
Applicable Law
This website and app are operated by a private individual based in Germany. Data processing is governed by the GDPR (EU 2016/679) and the UK GDPR for users in the United Kingdom.
Supervisory Authorities by Country
- EU/EEA: The supervisory authority of your country of residence (EDPB member list)
- Germany (controller's authority): LfD Niedersachsen — see Section 3
- United Kingdom: Information Commissioner's Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF — ico.org.uk. Processing of UK users' personal data (server logs) is governed by UK GDPR. As this processing is not large-scale and involves no special categories of data, the Art. 27 UK GDPR exemption applies (no UK representative appointed).
- Canada: Office of the Privacy Commissioner of Canada (OPC) — priv.gc.ca
- Norway / Iceland / Liechtenstein (EEA, non-EU): These countries apply the GDPR via the EEA Agreement. Norway: Datatilsynet — datatilsynet.no
- Switzerland: Applies the revDSG (similar to GDPR; EU adequacy decision in place). Federal Data Protection and Information Commissioner (FDPIC) — edoeb.admin.ch
United States
This website and app are operated by a private individual in Germany and do not meet the thresholds of US state privacy laws (CCPA, VCDPA, CPA, CTDPA, etc.), including the $25 million annual revenue threshold and the 100,000 consumer threshold. These laws therefore do not legally apply.
That said: We do not sell or share personal information. The only personal data processed is server log data (IP addresses) by our German hosting provider. No data broker activity, no targeted advertising, no profiling.
Australia
This operator does not meet the annual turnover threshold (AUD 3 million) of the Australian Privacy Act 1988 and is therefore not legally required to comply with the Australian Privacy Principles (APPs). The data practices described in this policy nonetheless align with APP principles: minimal collection, no onward sharing, and transfers only upon your explicit action (optional cloud LLMs).
Do Not Track (DNT)
This website uses no tracking, no analytics, and no cookies. Do Not Track signals from your browser are therefore implicitly honoured — there is no behavioural tracking that could be disabled.
Cross-Border Data Transfers
When using optional cloud LLMs (OpenAI/Anthropic), transcript data is transferred to the USA. This applies to users from all countries, including the United Kingdom, Canada, and Australia. Transfers occur only upon your explicit configuration. The privacy policies of the respective providers apply. When using Mistral AI, data is processed within the EU — no third-country transfer occurs.
Last updated: March 2026
This privacy policy may be updated when the website or legal requirements change.