Data Processing Agreement

You, as the user or business submitting Twitter/X Space URLs for transcription, act as the Controller of any personal data contained within that audio content. SpacesAI acts as the Processor, processing such data only on your documented instructions (i.e., by transcribing the audio you submit).

SpacesAI also acts as a Controller for data it collects directly from you for account management purposes (name, email, billing). That processing is governed by the Privacy Policy.

SpacesAI processes the following categories of data on your behalf:

• Audio data — the audio stream of Twitter/X Spaces you submit. May contain voices, names, opinions, and other personal data of Space participants.
• Transcript data — the text output generated from that audio, stored in your account.
• Account data — your email address and name, used to authenticate access to transcripts.
• Payment data — transaction identifiers passed from Stripe; no raw card data is processed by SpacesAI.

Processing operations include: downloading audio, transmitting audio to Deepgram for transcription, storing transcript output, and displaying results in your dashboard.

Data is processed solely to provide the transcription service you have contracted for. SpacesAI will not process personal data for any other purpose without your explicit instruction. You are responsible for ensuring you have a lawful basis to submit audio content that may contain personal data of third parties (e.g., Space participants).

SpacesAI engages the following sub-processors to deliver the service. By accepting this DPA you authorise their use.

SpacesAI will inform you of any intended changes to sub-processors (additions or replacements) in advance, giving you the opportunity to object.

• Audio files — deleted from SpacesAI servers immediately after transcription completes. Not retained.
• Audio at Deepgram — Deepgram's standard terms do not retain audio or transcripts beyond the API request. Confirm with Deepgram's policy for current retention terms.
• Transcript data — retained in your account until you delete it or close your account.
• Account data — deleted within 30 days of account deletion.
• Payment records — retained for 7 years as required by financial regulations.

Upon termination of the service or your written request, SpacesAI will delete or return all personal data processed on your behalf within 30 days, unless retention is required by law.

SpacesAI implements the following technical and organisational measures to protect personal data:

• All data in transit encrypted via TLS 1.2 or higher.
• Passwords stored as bcrypt hashes; plaintext credentials are never retained.
• Session tokens issued as httpOnly, Secure-flagged JWT cookies to mitigate XSS risks.
• Database access restricted to the application process; no public database exposure.
• Audio files stored temporarily in an isolated directory and deleted immediately post-processing.
• API endpoints protected by authentication; admin endpoints additionally require the is_admin role.

SpacesAI ensures that all personnel authorised to process personal data are subject to confidentiality obligations. Data is not disclosed to third parties except as described in this DPA or as required by law.

SpacesAI will assist you, as Controller, in responding to data subject rights requests (access, rectification, erasure, portability, restriction, objection) to the extent possible given the nature of the processing. Submit such requests to privacy@spacesai.app.

Deepgram and Stripe are based in the United States. Transfers of personal data to these sub-processors rely on the EU–US Data Privacy Framework or Standard Contractual Clauses as the transfer mechanism. SpacesAI will not transfer personal data to sub-processors that do not provide an adequate level of protection.

SpacesAI will make available to you all information necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by you or a mandated auditor, subject to reasonable prior notice and confidentiality obligations.

Each party shall be liable for damages caused by processing that infringes GDPR to the extent it is responsible for such infringement, in accordance with Article 82 GDPR. SpacesAI's liability under this DPA is subject to the limitations set out in the Terms of Service.

Data protection enquiries: privacy@spacesai.app
General questions: Contact form