Version: 7.0
Effective Date: January 2026
1.1. This Privacy Policy ("Policy") describes how HedyOS, operated by Individual Entrepreneur Andrey Boldyrev ("Operator", "HedyOS", "we", "us", "our"), collects, uses, and protects your personal data when you use the HedyOS service ("Service").
1.2. This Policy is designed to comply with:
- General Data Protection Regulation (EU) 2016/679 ("GDPR")
- California Consumer Privacy Act of 2018 ("CCPA") and California Privacy Rights Act ("CPRA")
- Other applicable data protection laws
1.3. This Policy applies to all personal data collected through the HedyOS website (hedyos.com) and desktop applications.
1.4. By registering for or using the Service, you acknowledge that you have read and understood this Policy. If you do not agree with this Policy, please do not use the Service.
Individual Entrepreneur Andrey Boldyrev
For data protection inquiries, please contact: hello@hedyos.com
HedyOS acts in two distinct roles depending on the type of data being processed:
2.1.1. HedyOS as DATA CONTROLLER of User Account Data:
HedyOS is the data controller for the following categories of data:
- User's email address
- Password (hashed)
- Name (optional)
- Subscription information
- User settings and preferences
- IP address and User-Agent (when accepting legal documents — for consent verification)
Legal Basis for Processing:
- Your consent (GDPR Art. 6(1)(a))
- Performance of a contract (GDPR Art. 6(1)(b))
- Legitimate interests (GDPR Art. 6(1)(f))
Purpose:
Providing access to the Service, managing your account, processing payments, technical support, and security.
2.1.2. HedyOS as DATA PROCESSOR of User-Provided Content:
HedyOS processes content (transcription texts) provided by Users, which MAY contain personal data of third parties.
If content contains personal data of third parties:
- YOU (the User) are the DATA CONTROLLER of such personal data
- HedyOS acts as a DATA PROCESSOR on your behalf (GDPR Art. 28)
Processing is carried out based on the Terms of Service for the purposes of:
- Synchronizing text between your devices
- Providing public access to transcription sessions (at your request)
- Automatic text translation
- Processing text with AI language models (LLM)
HedyOS's Obligations as Processor:
- Process content ONLY in accordance with your instructions
- Ensure confidentiality and security of data
- Not disclose personal data to third parties except subprocessors
- Notify you of security incidents within 24 hours
- Delete data upon your request within 30 days
2.1.3. Allocation of Responsibility:
This Privacy Policy governs the processing of Users' personal data (category 2.1.1).
Processing of content that may contain personal data of third parties (category 2.1.2) is performed by HedyOS as a processor on behalf of the User. Requirements and User responsibilities are described in Sections 6.2 and 6.3.
HedyOS processes personal data for the following purposes:
3.1. Providing Access to the Service:
- User registration and authentication
- User identification when accessing Service features
- Linking the license to the user's device
3.2. Providing Functionality:
- Audio-to-text transcription
- Translation of transcribed text
- Processing text with AI language models (LLM): summarization, Q&A, text analysis
- Synchronization of data between devices (optional)
- Public sharing of transcription sessions (optional)
3.3. Payment Processing:
- Managing licenses and subscriptions
- Processing payments through payment systems (Robokassa, Prodamus, T-Bank)
- Invoicing and storing transaction information
3.4. Technical Support and Service Improvement:
- Providing technical support to users
- Analyzing Service usage to improve functionality
- Ensuring security and preventing abuse
3.5. Communications:
3.5.1. Essential Technical Notifications (cannot opt out):
- Registration confirmation and account recovery
- Critical security notifications
Legal basis: Performance of contract (GDPR Art. 6(1)(b))
3.5.2. Service Notifications (can opt out):
- Payment confirmations, subscription status
- Changes to Service functionality
Legal basis: Consent (GDPR Art. 6(1)(a)), can be withdrawn in profile settings
3.5.3. Marketing Communications (requires separate consent):
- News about new features
- Special offers and promotions
- Educational content
Legal basis: Consent (GDPR Art. 6(1)(a)), can be withdrawn at any time
4.1. Required Data (necessary for Service use):
- Email address — for registration, authentication, and communication
- Password — stored in hashed form
4.2. Optional Data:
- Username — if provided during registration
- Transcribed text — stored only if you enable device synchronization or create a public link
- Settings and preferences — for personalization
4.3. Automatically Collected Technical Data:
- IP address — for geolocation and security purposes
- Cookies — for web interface functionality
- Browser and device information — for Service optimization
- Usage statistics — transcription counts and durations for license management
4.4. Payment Data:
- Transaction information — date, amount, payment status
- Payment details are processed by payment systems and NOT stored on our servers
4.5. IMPORTANT: Data NOT Processed by HedyOS:
Audio Files for Transcription:
Audio files are NOT processed or stored by HedyOS:
- You independently register with a third-party speech recognition service and obtain your personal API key
- You enter your API key in HedyOS settings
- Audio files are transmitted DIRECTLY from your device to the speech recognition service, bypassing HedyOS servers
- HedyOS does NOT have access to your audio files
Local Storage:
By default, transcription text is stored ONLY locally on your device and is not transmitted to HedyOS servers.
Transcription text is transmitted to HedyOS servers ONLY when:
- You enable synchronization between devices; OR
- You create a public link to a transcription session; OR
- You use the automatic translation feature; OR
- You use AI language model (LLM) features
5.1. Consent (GDPR Art. 6(1)(a), CCPA):
By using the Service, you confirm that you have:
- Read this Privacy Policy
- Consent to the processing of your personal data in accordance with this Policy
For California residents: You have the right to opt out of the sale of your personal information. HedyOS does NOT sell personal information.
5.2. Performance of Contract (GDPR Art. 6(1)(b)):
Processing is necessary for the performance of the Terms of Service between you and HedyOS.
5.3. Legitimate Interests (GDPR Art. 6(1)(f)):
Processing for legitimate interests includes:
- Security (analyzing access logs, blocking malicious IPs, fraud prevention)
- Service improvement (error statistics, performance analysis, feature usage)
- Legal compliance (data retention for accounting requirements)
5.4. AGE REQUIREMENTS
5.4.1. The Service is intended exclusively for persons aged 18 years or older.
5.4.2. By registering, you confirm that you have reached this age.
5.4.3. If we become aware that a user is under 18:
- The account will be immediately suspended
- Personal data will be deleted within 3 business days
The HedyOS Service supports three scenarios for audio transcription:
- BYOK Scenario (6.1) — you use your own API key, audio is sent directly to the provider
- Transit Scenario (6.1A) — audio is sent through HedyOS servers to external STT providers
- Own Models Scenario (6.1B) — audio is processed by HedyOS's own models on servers in the Russian Federation
6.1.1. Self-Service Connection:
To use audio transcription, you INDEPENDENTLY:
- Register with a third-party speech recognition service
- Obtain your personal API key
- Enter your API key in HedyOS application settings
6.1.2. Direct API Interaction:
When using transcription:
- Audio files are transmitted DIRECTLY from your device to the speech recognition service
- Audio files DO NOT pass through HedyOS servers
- HedyOS does NOT have access to your audio files
6.1.3. Legal Relationships:
- Contractual relationships for audio processing arise DIRECTLY between you and the speech recognition service
- HedyOS is NOT a party to these relationships
- You are responsible for compliance with the terms of use of chosen services
6.1.4. Supported Transcription Services:
HedyOS supports integration with various speech recognition services.
Russia (no cross-border transfer):
- Yandex SpeechKit
Countries with Adequate Data Protection (GDPR adequacy):
| Provider | Country | Regions |
|---|---|---|
| Gladia | France | EU native |
| Alibaba SenseVoice | China | — |
| iFlytek | China | — |
Other Countries:
| Provider | Company Country | Available Regions |
|---|---|---|
| Google Cloud Speech-to-Text | USA | USA, Belgium (EU), Netherlands (EU), Germany (EU) |
| Microsoft Azure Speech | USA | USA, Netherlands (EU), UK, Canada, Australia, Japan, Singapore, UAE, India, Brazil, South Africa |
| Amazon Transcribe | USA | USA, Ireland (EU), Germany (EU), UK, Canada, Japan, Singapore, Australia, South Korea, Brazil, South Africa, Bahrain |
| OpenAI Whisper API | USA | USA, Ireland (EU), UK, Canada, Japan, South Korea, Singapore, India, Australia, UAE |
| Deepgram | USA | USA, Germany (EU) |
| AssemblyAI | USA | USA, Ireland (EU) |
| Rev.ai | USA | USA, Germany (EU) |
Current list: https://hedyos.com/docs/transcription-services
6.1A.1. Description:
When using the transit audio transfer function:
- HedyOS uses its own API keys for external STT providers (Deepgram, Google Cloud Speech, Azure Speech, etc.)
- Audio data is transmitted from your device to HedyOS servers
- HedyOS servers forward audio data to external STT providers for recognition
- Transcription results are returned to you
6.1A.2. HedyOS's Role:
In this scenario, HedyOS acts as a DATA PROCESSOR of audio data on your behalf.
6.1A.3. Cross-Border Transfer:
In this scenario, HedyOS performs cross-border transfer of audio data to foreign STT providers. By using this function, you consent to such transfer under GDPR Art. 49(1)(a).
6.1A.4. Audio Data Storage:
Audio data is NOT STORED on HedyOS servers after processing is complete. Audio is used exclusively for transcription and diarization (speaker separation); it is transmitted to the STT provider in real time and deleted from server memory immediately after the result is received.
6.1B.1. Description:
When using speech recognition with HedyOS's own models:
- Audio data is transmitted from your device to HedyOS servers
- Speech recognition is performed by HedyOS's own STT models
- Transcription results are returned to you
6.1B.2. HedyOS's Role:
In this scenario, HedyOS acts as a DATA PROCESSOR of audio data on your behalf.
6.1B.3. Data Localization:
In this scenario:
- Processing servers are located in the Russian Federation
- NO cross-border transfer of audio data is performed
- Data is processed in accordance with applicable data protection laws
6.1B.4. Audio Data Storage:
Audio data is NOT STORED on HedyOS servers after processing is complete, unless you explicitly request storage. Audio is used exclusively for transcription and diarization (speaker separation).
6.1C. Mixed Scenarios:
Different Service features may use different data processing scenarios. For example, transcription may use the BYOK scenario (with your own API key), while translation or Live Sharing features may operate through HedyOS servers. When using such features, the corresponding provisions for each scenario apply.
6.2.1. HedyOS's Role in Content Processing:
If content contains personal data of third parties:
- HedyOS acts as a DATA PROCESSOR (GDPR Art. 28)
- YOU (the User) are the DATA CONTROLLER of such personal data
6.2.2. Two Usage Scenarios:
SCENARIO 1: Personal Use
If you use the Service for your own personal audio (lectures, podcasts, notes), no additional consents are required.
SCENARIO 2: Business Use (processing third-party data)
If you transcribe content containing personal data of third parties (customer calls, meetings, interviews), you are the DATA CONTROLLER and responsible for:
- Having a lawful basis for processing (consent, contract, legitimate interest)
- Informing data subjects about processing
- Compliance with GDPR/applicable data protection laws
6.2.3. How Translation Works:
When you activate automatic translation:
1. Transcription text is transmitted from HedyOS server to a third-party machine translation service
2. The translation service processes the text and returns the translated text
3. Translated text is saved on HedyOS server (if synchronization is enabled) or locally
6.2.4. Translation Services Used:
Countries with Adequate Data Protection:
| Provider | Country | Regions |
|---|---|---|
| DeepL SE | Germany | EU native |
Other Countries:
| Provider | Company Country | Available Regions |
|---|---|---|
| Google Cloud Translate | USA | USA, Belgium (EU), Netherlands (EU), Germany (EU) |
| Microsoft Azure Translator | USA | USA, Netherlands (EU), UK, Canada, Australia, Japan, Singapore, UAE, India, Brazil, South Africa |
| Amazon Translate | USA | USA, Ireland (EU), Germany (EU), UK, Canada, Japan, Singapore, Australia, South Korea, Brazil, South Africa, Bahrain |
Current list: https://hedyos.com/docs/translation-services
6.3.1. Functionality:
The Service provides text processing features using Large Language Models (LLM):
- Summarization (creating text summaries)
- Generating answers to questions about content
- Text analysis and structuring
- Other text processing functions at user request
6.3.2. How It Works:
When activating LLM text processing:
1. Selected transcription text is transmitted from HedyOS server to a third-party LLM service
2. The service processes the request and returns a result
3. Results are displayed to you and may be saved on HedyOS server (if synchronization is enabled) or locally
6.3.3. Legal Qualification:
Similar to translation (section 6.2):
- HedyOS acts as DATA PROCESSOR on your behalf (GDPR Art. 28)
- LLM services act as SUB-PROCESSORS
- If content contains personal data of third parties, YOU are the DATA CONTROLLER
6.3.4. LLM Services Used:
Countries with Adequate Data Protection:
| Provider | Country | Regions |
|---|---|---|
| Mistral AI | France | EU native |
| Hugging Face | France | EU inference |
| DeepSeek | China | api.deepseek.com |
| Alibaba (Qwen) | China | — |
| iFlytek (Spark) | China | — |
| Baidu (ERNIE) | China | — |
Other Countries:
| Provider | Company Country | Available Regions |
|---|---|---|
| OpenAI (GPT-4, GPT-4o) | USA | USA, Ireland (EU), UK, Canada, Japan, South Korea, Singapore, India, Australia, UAE |
| Anthropic (Claude) | USA | USA, Ireland (AWS Bedrock EU), Germany (AWS Bedrock EU), Australia, Japan, Singapore |
| Google (Gemini) | USA | USA, Belgium (EU), Netherlands (EU), Germany (EU) |
| Microsoft (Azure OpenAI) | USA | USA, Netherlands (EU), UK, Canada, Australia, Japan, Singapore, UAE, India, Brazil, South Africa |
| Amazon (Bedrock) | USA | USA, Ireland (EU), Germany (EU), UK, Canada, Japan, Singapore, Australia, South Korea, Brazil, South Africa, Bahrain |
| Groq | USA | USA, Canada, Finland (EU), Saudi Arabia, Australia |
| Together AI | USA | USA, Sweden (EU), France (EU), UK, Italy (EU), Portugal (EU) |
| Perplexity | USA | USA, EU servers |
| Cohere | Canada/USA | USA, Germany (SAP EU) |
| IBM (watsonx) | USA | USA, Germany (EU) |
Current list: https://hedyos.com/docs/llm-services
6.3.5. International Data Transfers:
By activating LLM features, you consent to transfer of content to the jurisdictions listed above.
When using providers with EU endpoints, data is processed within the EEA/countries with adequate protection under GDPR Art. 45.
For US providers using EU endpoints, we rely on:
- Standard Contractual Clauses (GDPR Art. 46(2)(c))
- EU-US Data Privacy Framework (where applicable)
Reference Information:
The following services may be used for text-to-speech synthesis:
Countries with Adequate Data Protection:
| Provider | Country | EU Endpoint |
|---|---|---|
| Kyutai | France | EU native |
| Alibaba CosyVoice | China | — |
| ByteDance Seed-TTS | China | — |
| iFlytek | China | — |
Other Countries:
| Provider | Company Country | Available Regions |
|---|---|---|
| Google Cloud Text-to-Speech | USA | USA, Belgium (EU), Netherlands (EU), Germany (EU) |
| Microsoft Azure Speech | USA | USA, Netherlands (EU), UK, Canada, Australia, Japan, Singapore, UAE, India, Brazil, South Africa |
| Amazon Polly | USA | USA, Ireland (EU), Germany (EU), UK, Canada, Japan, Singapore, Australia, South Korea, Brazil, South Africa, Bahrain |
| OpenAI TTS | USA | USA, Ireland (EU), UK, Canada, Japan, South Korea, Singapore, India, Australia, UAE |
| ElevenLabs | USA/UK | USA, UK, EU (api.eu.residency.elevenlabs.io) |
7.1. General Provisions:
We do not sell your personal data. We share personal data only as described in this section.
7.2. Service Providers (Processors):
7.2.1. Payment Processors:
| Payment System | Location |
|---|---|
| Robokassa | Russia |
| Prodamus | Russia |
| T-Bank | Russia |
Data shared:
- Email address
- Transaction information (date, amount, subscription type)
Payment card details are processed directly by payment systems and NOT stored on our servers.
7.2.2. AI Services (Translation, LLM, STT, TTS):
See Sections 6.2, 6.3, and 6.4 for detailed lists.
7.2.3. Email Services:
| Provider | Legal Name | Country | Data Transferred | Purpose |
|---|---|---|---|---|
| UniSender | Unisender LLC | Russia | Email address | Email notifications |
UniSender processes data on servers located within the Russian Federation. No cross-border transfer is performed.
UniSender Privacy Policy: https://www.unisender.com/ru/privacy-notice/
7.2.4. Hosting Providers:
| Provider | Server Location |
|---|---|
| FirstVDS | Non-Russian servers |
7.3. Legal Requirements:
We may disclose personal data if required by law or in response to valid requests by public authorities.
7.4. Business Transfers:
In the event of a merger, acquisition, or sale of assets, your personal data may be transferred. We will notify you of any such transfer.
8.1. Data Transfer Mechanisms:
When we transfer personal data outside your country of residence, we ensure appropriate safeguards:
For EEA/UK residents:
- Standard Contractual Clauses (GDPR Art. 46(2)(c))
- Adequacy decisions (GDPR Art. 45) for countries with adequate protection
- EU-US Data Privacy Framework (where applicable)
For California residents:
Personal data may be transferred to and processed in countries outside the United States. We ensure appropriate safeguards are in place.
8.2. Countries with Adequate Data Protection (EU adequacy decisions):
Data transfers to these countries require no additional safeguards:
- All EU/EEA member states
- United Kingdom
- Switzerland
- Canada
- Japan
- South Korea
- Argentina
- Israel
- New Zealand
- And other countries with EU adequacy decisions
8.3. Countries Requiring Additional Safeguards:
| Country | Safeguard Used |
|---|---|
| USA | Standard Contractual Clauses, EU-US Data Privacy Framework |
| China | Standard Contractual Clauses |

| Data Category | Retention Period |
|---|---|
| Account data (email, name) | Until account deletion |
| Transcriptions (sessions) | Until deleted by user |
| Transaction data | 5 years (legal requirement) |
| Technical logs | 90 days |
10.1. Rights Under GDPR (for EEA/UK residents):
You have the right to:
- Access your personal data (Art. 15)
- Rectify inaccurate data (Art. 16)
- Erase your data ("right to be forgotten") (Art. 17)
- Restrict processing (Art. 18)
- Data portability (Art. 20)
- Object to processing (Art. 21)
- Withdraw consent at any time (Art. 7(3))
- Lodge a complaint with a supervisory authority (Art. 77)
10.2. Rights Under CCPA/CPRA (for California residents):
You have the right to:
- Know what personal information we collect, use, and disclose
- Delete your personal information
- Opt-out of the sale of personal information (we do NOT sell your data)
- Non-discrimination for exercising your rights
- Correct inaccurate personal information
- Limit use of sensitive personal information
10.3. How to Exercise Your Rights:
To exercise any of your rights, please contact us at: hello@hedyos.com
We will respond to your request within:
- 30 days (GDPR)
- 45 days (CCPA), extendable by an additional 45 days if necessary
We may request verification of your identity before processing requests.
11.1. Technical Measures:
- TLS 1.2+ encryption for data in transit
- Encryption for data at rest
- Access controls and authentication
- Regular security assessments
11.2. Organizational Measures:
- Staff training on data protection
- Access limited to authorized personnel
- Data Processing Agreements with all processors
We use cookies and similar technologies for:
- Essential functionality (authentication, preferences)
- Analytics (anonymous usage statistics)
You can manage cookie preferences in your browser settings.
We may update this Policy from time to time. We will notify you of material changes:
- By email (for registered users)
- Through the Service interface
- By updating the "Effective Date" at the top
Continued use after changes constitutes acceptance of the updated Policy.
For any questions about this Privacy Policy or our data practices:
Email: hello@hedyos.com
Website: https://hedyos.com
15.1. Categories of Personal Information Collected:
| Category | Examples | Collected |
|---|---|---|
| Identifiers | Email, device ID | Yes |
| Commercial information | Transaction records | Yes |
| Internet activity | Usage data, logs | Yes |
| Geolocation | IP-based location | Yes |
| Sensory data | Audio (NOT stored by us) | No |
| Professional information | N/A | No |
15.2. Sources of Personal Information:
- Directly from you (registration, settings)
- Automatically (device, usage data)
15.3. Business Purposes for Collection:
- Providing the Service
- Security and fraud prevention
- Analytics and improvement
- Legal compliance
15.4. Sharing for Business Purposes:
We share personal information with service providers (processors) as described in Section 7. We do NOT sell personal information.
15.5. Financial Incentives:
We do not offer financial incentives for personal information.
16.1. Data Protection Officer:
We have not appointed a DPO as we do not meet the threshold requirements under GDPR Art. 37. For data protection inquiries, contact: hello@hedyos.com
16.2. Supervisory Authorities:
If you believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local supervisory authority. A list of EU supervisory authorities is available at: https://edpb.europa.eu/about-edpb/about-edpb/members
16.3. Legal Basis Summary:
| Processing Activity | Legal Basis |
|---|---|
| Account management | Contract (Art. 6(1)(b)) |
| Payment processing | Contract (Art. 6(1)(b)) |
| Essential notifications | Contract (Art. 6(1)(b)) |
| Marketing communications | Consent (Art. 6(1)(a)) |
| Security measures | Legitimate interest (Art. 6(1)(f)) |
| Service improvement | Legitimate interest (Art. 6(1)(f)) |
| Legal compliance | Legal obligation (Art. 6(1)(c)) |