V
Voxly

Privacy Policy

Last updated: February 19, 2026

1. Data We Collect

Account Information

Email address, display name (if provided), and authentication tokens from Google or GitHub sign-in. We use Supabase Auth for account management.

Transcript Data

Audio source URLs, transcript text, speaker labels, timestamps, and associated metadata (title, language, duration, word count). Transcripts are stored in your Supabase account and are only accessible to you unless you explicitly share them.

AI Enrichment Data

AI-generated summaries, topics, entities, sentiment scores, key points, action items, Q&A pairs, timeline events, and embedding vectors derived from your transcripts. This data is generated using your configured LLM provider (see Section 2).

Usage & Billing Data

Monthly transcription counts and subscription status for billing purposes. Payment processing is handled by Stripe (Chrome/web) and Apple (Safari/macOS). We do not store credit card numbers or payment method details.

Browser Extension Data (Chrome & Safari)

The Voxly browser extension stores your authentication session, transcription preferences, and the most recent transcript locally in the browser using chrome.storage.local. This data stays on your device and is not transmitted to Voxly servers. The extension does not collect browsing history, track page visits, or access data from websites other than the specific URLs being transcribed.

2. How We Process Your Data

Transcription

YouTube transcripts are fetched directly from YouTube's caption system by the browser extension running on your device. No audio is processed — only existing text captions are retrieved. Safari users can also access Apple Podcasts transcripts from the local cache. No audio is sent to Voxly servers.

AI Enrichment

Transcript text is sent to your configured LLM provider for summaries, entity extraction, sentiment analysis, and other enrichment. By default, this is OpenAI (gpt-4o-mini). You may configure any OpenAI-compatible provider (Ollama, Groq, Together AI, or a self-hosted endpoint) in Settings. When you bring your own API key, your transcript data is sent directly to your chosen provider — Voxly does not proxy or retain this data.

Semantic Search Embeddings

Embedding vectors are generated via your configured embedding provider (default: OpenAI text-embedding-3-small) for semantic search. Embeddings are stored in your Supabase account alongside your transcript chunks.

Live Recording

When using the Record feature, speech recognition is handled by your browser's built-in Web Speech API. Audio is processed locally in your browser and is not sent to Voxly servers.

3. Lawful Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data under the following lawful bases:

  • Performance of a contract — Processing your transcripts, enrichment data, and account information is necessary to provide the Service you signed up for.
  • Legitimate interests — We process usage data to improve the Service, prevent abuse, and ensure security. We balance these interests against your privacy rights.
  • Consent — Where you opt in to data contribution for public-source transcripts (Section 9) or configure a third-party LLM provider that processes your data. You may withdraw consent at any time in Settings.
  • Legal obligation — We may process data where required to comply with applicable laws, regulations, or legal proceedings.

4. Third-Party Processors

We use the following third-party services to operate Voxly:

  • YouTube — Caption/transcript data fetched directly by the browser extension
  • OpenAI — Default AI enrichment and embedding generation (replaceable via BYO endpoint)
  • Supabase — Database, authentication, Edge Functions, and file storage (hosted on AWS)
  • Stripe — Payment processing for Chrome/web subscriptions
  • Apple — Payment processing for Safari/macOS subscriptions via StoreKit

When you configure a custom LLM provider (Ollama, Groq, Together AI, vLLM, or any OpenAI-compatible endpoint), your transcript data is sent to that provider instead of OpenAI. Voxly stores your API key securely in your profile but does not proxy requests through our servers.

5. International Data Transfers

Voxly is operated from the United States. Your data is processed and stored on servers located in the US (via Supabase, hosted on AWS). If you are located outside the US, your personal data will be transferred to the US for processing.

For users in the EEA, UK, or Switzerland, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission as the legal mechanism for these transfers. Our sub-processors (Supabase, Stripe) maintain their own SCCs and data processing agreements.

If you configure a custom LLM provider (Section 4), your transcript data is sent directly to that provider. You are responsible for ensuring the provider meets your data protection requirements.

6. Browser Extension Permissions

The Voxly Chrome and Safari extensions request the following permissions, each for a specific purpose:

  • storage — Save your authentication session and preferences locally
  • tabs — Detect the current page URL for auto-populating the transcription input
  • activeTab — Read the title of the current tab for transcript naming
  • tabCapture (Chrome only) — Capture tab audio for real-time recording
  • offscreen (Chrome only) — Process audio capture in a background document
  • cookies (Chrome only) — Sync authentication from the Voxly portal
  • contextMenus — Add "Transcribe with Voxly" to the right-click menu
  • alarms (Chrome only) — Retry failed cloud syncs in the background
  • sidePanel (Chrome only) — Display the Voxly interface in Chrome's side panel

The extension does not access, read, or modify the content of any web page you visit, except to extract the page title for transcript naming and to read Instagram's og:title meta tag for accurate title detection.

7. API Keys & Credentials

Your LLM and embedding API keys are stored in your Supabase profile. They are transmitted only to your configured provider endpoints and are never logged, shared, or accessible to Voxly staff. User-generated Voxly API keys (for programmatic access) are stored as SHA-256 hashes; the raw key is shown once at creation and cannot be retrieved afterward.

8. Cookies & Tracking Technologies

Voxly uses only essential cookies required for the Service to function:

  • Authentication cookies — Session tokens set by Supabase Auth to keep you signed in across page loads. These are strictly necessary and cannot be disabled while using the Service.

We do not use analytics cookies, advertising trackers, pixel tags, or any third-party tracking technologies. We do not participate in ad networks or cross-site tracking. The Voxly browser extension does not set or read cookies from any third-party domains.

9. Data Contribution & Public Content

Transcripts of publicly available content (e.g., YouTube videos, public podcasts) may be included in an aggregated data index, as described in our Terms of Service. Private uploads and recordings are never included.

You can opt out of data contribution at any time in Settings > Data & Privacy.

10. Data Retention

Your transcripts, enrichment data, and embedding vectors are retained for as long as your account is active. When you delete a transcript, it and all associated data (chunks, embeddings, entities) are permanently removed. When you delete your account, all associated data is permanently deleted within 30 days.

11. Data Export

You may export your transcripts at any time in JSON, Markdown, SRT, VTT, and plain text formats via the transcript viewer.

12. Security

All data is encrypted in transit (TLS 1.2+) and at rest. Authentication uses Supabase Auth with Row Level Security on all database tables, ensuring you can only access your own data. API keys are stored as SHA-256 hashes. The browser extension communicates exclusively over HTTPS.

13. Your Rights

You have the right to:

  • Access all data we hold about you
  • Export your data in standard formats
  • Delete individual transcripts or your entire account
  • Opt out of data contribution for public-source transcripts
  • Choose where your data is processed by configuring a custom LLM provider

14. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

  • Right to know — You may request the categories and specific pieces of personal information we have collected about you, the sources of collection, the business purpose, and the categories of third parties with whom we share it.
  • Right to delete — You may request deletion of your personal information. You can delete individual transcripts or your entire account via Settings > Data & Privacy.
  • Right to opt out of sale/sharing — Voxly does not sell your personal information and does not share it for cross-context behavioral advertising.
  • Right to non-discrimination — We will not discriminate against you for exercising any of your CCPA/CPRA rights.

Categories of personal information collected: identifiers (email, name), internet activity (transcription usage data), and professional information (transcript content you provide). We do not collect sensitive personal information as defined by the CPRA.

To exercise your rights, contact us at privacy@voxlytranscribes.com or use the self-service options in Settings.

15. Children's Privacy

Voxly is not intended for use by children under 13. We do not knowingly collect personal information from children.

16. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify users of material changes via email or in-app notification. Continued use of the Service after changes constitutes acceptance of the updated policy.

17. Contact

For privacy-related questions, contact us at privacy@voxlytranscribes.com.

If you are located in the EEA and believe we have not adequately addressed your data protection concerns, you have the right to lodge a complaint with your local Data Protection Authority (DPA). A list of EEA DPAs is available at edpb.europa.eu.