At a Glance
- Vakyya is a B2B managed service for the transcription, translation, and captioning of confidential internal media.
- Parakletos acts as processor for Customer Personal Data contained in Customer Content where the Customer determines the purposes and means of processing, subject to the DPA. Parakletos remains controller for its own account, billing, support, security, analytics, legal, and operational records.
- We process uploaded media to produce transcripts, translations, captions, glossaries, and audit logs, and for no other purpose.
- Customer Content and Workflow Outputs are not used to train general-purpose AI models.
- Customer Content is hosted and processed exclusively in the UK or EU region assigned at contract.
- If you appear in uploaded media and want to exercise a data subject right, contact your employer or the organisation that uploaded the material first. We will assist them as processor.
The rest of this Policy expands on each of the points above.
1. Introduction
This Privacy Policy explains how Parakletos AI Limited (“Parakletos”, “we”, “us”, or “our”) collects, uses, stores, and protects personal data in connection with Vakyya and related services (the “Service”).
Parakletos AI Limited is a company registered in England and Wales under company number 16504323, with registered address First Floor, 85 Great Portland Street, London W1W 7LT, United Kingdom.
We process personal data in accordance with the UK General Data Protection Regulation (“UK GDPR”), the Data Protection Act 2018, the EU General Data Protection Regulation 2016/679 (“EU GDPR”) where applicable, and the Privacy and Electronic Communications Regulations 2003 (“PECR”).
Data Protection Contact
Email: privacy@vakyya.com
Postal: First Floor, 85 Great Portland Street, London W1W 7LT, United Kingdom
ICO Registration: ZC150429
2. Controllership and the Data Classification Model
Vakyya operates under a defined controllership structure based on a three-way split of data. Parakletos acts as processor for Customer Personal Data contained in Customer Content where the Customer determines the purposes and means of processing, subject to the DPA. Parakletos remains controller for its own account, billing, support, security, analytics, legal, and operational records.
2.1 Customer Content (Processor Role)
Customer Content includes uploaded media, transcripts, translations, captions, summaries, glossaries, and review comments. The Customer determines the purposes and means of processing for this content and acts as the data controller. Parakletos processes Customer Content strictly as a data processor on behalf of the Customer and in accordance with the Data Processing Agreement (DPA).
2.2 Workflow Metadata (Mixed / Contract-Specific Role)
Workflow Metadata includes job status, timestamps, language settings, output formats, delivery state, and usage quantities. Depending on the specific contractual arrangements and use cases, this metadata may be processed by Parakletos as a processor or as a controller for operations and billing.
2.3 Operational Data (Controller Role)
Operational Data includes security logs, billing records, diagnostics, abuse signals, platform telemetry, and support records. Parakletos determines the purposes and means of processing for this data and acts as the data controller to secure, maintain, and manage the Services.
2.3 Data Processing Agreement
A signed Data Processing Agreement is executed alongside the Master Services Agreement at the commencement of every contract. The DPA forms an integral part of the contract; no separate request is required. The DPA addresses, at minimum:
- Subject matter, duration, nature, and purpose of processing
- Categories of data subjects and personal data
- Customer instructions and processing scope
- Confidentiality obligations on Parakletos personnel
- Security measures (Article 32)
- Sub-processor authorisation and notification
- Assistance with data subject rights and DPIAs
- Breach notification and cooperation
- Return or deletion of data on termination
- Audit rights
A reference DPA is available on request prior to contracting.
3. Personal Data We Process
3.1 Identity and Access Data (Parakletos as Controller)
| Data | Source | Purpose |
|---|---|---|
| Work email address | Customer organisation or direct sign-up | Authentication, service communication |
| Display name and role | Customer organisation or user | Personalisation, access control |
| Authentication tokens | Generated at sign-in | Session management |
| IP address (truncated) | Network connection | Security, anomaly detection, regional routing |
3.2 Customer Content (Parakletos as Processor)
| Data | Description | Purpose |
|---|---|---|
| Uploaded media | Audio and video files submitted by the customer | Service delivery |
| Transcripts | Source-language text generated from media | Service delivery |
| Translations | Target-language text generated from transcripts | Service delivery |
| Captions and delivery artefacts | Final caption files, captioned video outputs, transcript exports | Service delivery |
| Customer glossaries | Per-customer protected terminology lists | Service delivery |
| Audit and substitution logs | Records of processing operations and glossary applications | Service delivery, customer audit |
Customer Content may contain personal data of individuals appearing or referenced in the material. Parakletos processes Customer Content only on the documented instructions of the customer organisation, as set out in the DPA.
Biometric Data. The Service produces speech-to-text transcripts from voice recordings and may include speaker diarisation (the segmentation of audio into speaker turns labelled as “Speaker 1”, “Speaker 2”, etc.). Diarisation does not associate speakers with named individuals and is not used to uniquely identify any natural person. Parakletos does not perform speaker recognition, voice biometric matching, voiceprint enrolment, or facial recognition on Customer Content. Accordingly, Parakletos does not process biometric data for the purpose of uniquely identifying a natural person within the meaning of UK GDPR Article 9(1).
Special Category Data. Customer Content may, depending on the customer organisation’s use case, contain special category data within the meaning of UK GDPR Article 9 (for example, training content discussing health, religious belief, or trade union membership). Where a customer organisation intends to submit Customer Content containing special category data, this is scoped explicitly in the Data Processing Agreement, including identification of the applicable Article 9(2) condition relied upon by the customer organisation as controller, and any supplementary safeguards.
3.3 Contractual and Billing Data (Parakletos as Controller)
| Data | Description | Purpose |
|---|---|---|
| Organisation name, registered address, VAT number | Customer organisation | Contract administration, invoicing |
| Authorised signatory and billing contact | Named individuals | Contract administration |
| Subscription tier, term, and usage entitlements | Contract terms | Service delivery, billing |
| Invoice and payment records | Generated by Parakletos and payment processor | Billing, statutory record-keeping |
Card numbers, bank account numbers, and security codes are never stored on Parakletos systems. All card payment data is handled exclusively by Stripe Payments Europe Limited under PCI DSS Level 1 controls. Where invoicing is by bank transfer, the customer’s bank details are handled only to the extent needed to verify incoming payments.
3.4 Service Telemetry (Parakletos as Controller)
| Data | Description | Purpose |
|---|---|---|
| Job submission records | Job ID, timestamps, file sizes, durations, language pairs, model selection | Service delivery, billing, audit |
| Pipeline performance metrics | Stage durations, queue times, error codes | Service operation, capacity planning |
| Authenticated user activity | Authorised user, job submitted, time of submission | Customer audit, security |
| Application error reports | Stack traces, environment metadata (no Customer Content payloads) | Stability and incident response |
Service telemetry does not include the substantive content of Customer Content. Where error reports are generated by the processing pipeline, payloads are redacted before submission to error-tracking infrastructure.
3.5 Website Enquiry and Booking Data (Parakletos as Controller)
When you submit the booking or compliance-pack request form on the Vakyya website, Parakletos processes the following as controller, in order to respond to your enquiry, provide the requested documents, and arrange an introductory call.
| Data | Description | Purpose |
|---|---|---|
| Name, work email, company, role | Provided by you in the enquiry form | Responding to and qualifying the enquiry; arranging a call |
| Workflow context and jurisdiction | Optional free-text and country/region selection (booking form) | Understanding the prospective use case |
| Request metadata | Truncated and hashed IP address, user-agent, referring page, timestamp | Spam prevention, security, and abuse monitoring |
Enquiry details are delivered to our sales inbox by our transactional email provider, and — where you choose to book a call — your name, work email, company, and role are passed to our scheduling provider to set up the meeting (both identified in Section 6.3). The lawful basis is Article 6(1)(f) legitimate interests in responding to business enquiries about the Service; any subsequent marketing is governed by Section 4. This data is not used for any other purpose.
4. Lawful Bases for Processing
Parakletos relies on the following lawful bases under UK GDPR Article 6:
| Processing Purpose | Lawful Basis |
|---|---|
| Provision of the Service under contract with the customer organisation | Article 6(1)(b): performance of a contract |
| Service delivery to individual authorised users | Article 6(1)(b): performance of a contract; Article 6(1)(f): legitimate interests (operation of the business relationship between Parakletos and the customer organisation that authorised the user) |
| Billing, invoicing, and statutory financial record-keeping | Article 6(1)(b) and Article 6(1)(c): legal obligation (Companies Act 2006, HMRC requirements) |
| Security monitoring, fraud detection, and incident response | Article 6(1)(f): legitimate interests in protecting the Service and customer data |
| Service telemetry, capacity planning, and operational reliability | Article 6(1)(f): legitimate interests in operating a reliable service |
| Marketing communications to corporate subscribers (limited companies, LLPs, and other corporate bodies) | Article 6(1)(f): legitimate interests in promoting the Service to organisations likely to have a business need for it, subject to a clear and prominent opt-out in every communication, in accordance with PECR |
| Marketing communications to individual subscribers (sole traders, non-LLP partnerships in England, Wales and Northern Ireland, and individuals) | Article 6(1)(a): consent, in accordance with PECR |
| Service-related communications to existing customers (notices, security alerts, material policy changes) | Article 6(1)(b): performance of a contract; Article 6(1)(f): legitimate interests |
| Compliance with legal and regulatory obligations | Article 6(1)(c): legal obligation |
| Defence of legal claims | Article 6(1)(f): legitimate interests |
Legitimate Interests Assessments have been documented for each processing activity relying on Article 6(1)(f). These are available to customer organisations on request under NDA.
For Customer Content processed by Parakletos as processor, the lawful basis is determined by the customer organisation as controller.
5. Hosting, Data Residency, and Architecture
5.1 Primary Hosting
The Service is hosted on Google Cloud Platform, exclusively in the following regions:
| Region | Location | Use |
|---|---|---|
| europe-west2 | London, United Kingdom | Primary region for UK-routed customers |
| europe-west3 | Frankfurt, Germany | Primary region for EU-routed customers |
Customer organisations are routed to a single region at the point of contract. Customer Content, transcripts, translations, captions, customer glossaries, and audit logs remain in the assigned region throughout the processing pipeline. Inference (transcription, translation, glossary application) is executed in the assigned region.
5.2 No Cross-Region Movement of Customer Content by Default
Customer Content does not move between regions in the ordinary course of operation. Cross-region transfer occurs only under one of the following conditions:
- The customer organisation has elected, in writing, to enable encrypted disaster-recovery replication of source content and final delivery artefacts to the secondary region. This option is available on enterprise tier and is scoped in the DPA. Where enabled, replication is encrypted in transit and at rest, limited to source and delivered artefacts (transcripts and intermediate processing artefacts are not replicated), and never crosses the UK/EU boundary as a whole.
- A regulatory, judicial, or law-enforcement instruction requires it; in such cases Parakletos will notify the customer organisation unless legally prohibited from doing so.
5.3 Content Delivery and Edge Routing
Delivery of artefacts to the customer organisation, and protection of the Vakyya web properties from network attack, uses Cloudflare. Cloudflare, Inc. is a US-incorporated entity. TLS termination and edge handling for the Vakyya zone occur at the Cloudflare points of presence serving the request, which may include data centres outside the United Kingdom and European Union. Where Customer Content transits Cloudflare on delivery, the transfer safeguards described in Section 8 apply, specifically the UK International Data Transfer Addendum to the EU Standard Contractual Clauses.
Parakletos plans to enable Cloudflare’s Data Localisation Suite with Regional Services for the EU/UK, which would constrain Cloudflare-side handling of the Vakyya zone to that region. This Policy and the Sub-processors page will be updated when that configuration is in operation.
Cloudflare acts as a sub-processor under a data processing agreement with Parakletos. Cloudflare metadata (connection logs, security event data) is processed in accordance with Cloudflare’s published data protection terms.
5.4 Encryption
- In transit: TLS 1.3 for all customer-facing endpoints and inter-service communication.
- At rest: AES-256 for all stored Customer Content, transcripts, translations, and audit logs.
- Customer-managed encryption keys (CMEK): not currently offered. Enterprise key-management arrangements may be scoped separately on request, subject to technical validation and an Order Form.
5.5 Access Controls
Access to production systems and Customer Content is restricted to a named subset of Parakletos personnel under the principle of least privilege. Access is authenticated via SSO with hardware-key second factor, logged, and reviewed quarterly. All personnel with production access are subject to written confidentiality obligations.
6. Sub-Processors
Parakletos engages the following sub-processors. The list is version-controlled and customer organisations are notified in writing at least thirty days before any addition or material change.
6.1 Infrastructure Sub-Processors
| Sub-Processor | Role | Location of Processing | Data Categories |
|---|---|---|---|
| Google Cloud EMEA Limited (Google Cloud Platform) | Compute, storage, networking | UK (europe-west2) and Germany (europe-west3) | All categories |
| Cloudflare, Inc. (US entity) | Edge routing, DDoS protection, TLS termination | Cloudflare points of presence serving the Vakyya zone (see Section 5.3) | Customer Content in transit, connection metadata |
6.2 AI Processing Sub-Processors
| Sub-Processor | Role | Location of Processing | Customer Content Used for Model Training or Fine-Tuning |
|---|---|---|---|
| Parakletos AI Limited (self-hosted) | Speech-to-text (Whisper-family models) | UK or Germany (assigned region) | No |
| Parakletos AI Limited (self-hosted) | Translation (Opus-MT / MarianMT) | UK or Germany (assigned region) | No |
| Google Cloud EMEA Limited (Vertex AI Translation) | Translation (Translation LLM and Cloud Translation NMT models) | UK (europe-west2) or Germany (europe-west3) | No |
Customer Content and Workflow Outputs are not used to train general-purpose AI models. Limited processing for service delivery, security, abuse prevention, support, debugging authorised by the Customer, legal compliance, and aggregated/anonymised operational analytics may still occur. All AI processing sub-processors are contractually prohibited from using Customer Content to train or fine-tune their models.
6.3 Business Operations Sub-Processors
| Sub-Processor | Role | Location of Processing | Data Categories |
|---|---|---|---|
| Stripe Payments Europe Limited | Card payment processing | Ireland (EU); US (Stripe Inc., where strictly necessary under SCCs) | Billing data, card data (Parakletos does not see card numbers) |
| Resend, Inc. (US entity) | Transactional and service-related email, including booking and compliance-pack enquiry notifications sent to the Parakletos sales inbox | United States; transfer covered by UK International Data Transfer Addendum to the EU Standard Contractual Clauses | Authorised user email addresses; website enquiry contact details (name, work email, company, role); message content; delivery metadata |
| Calendly LLC (US entity) | Scheduling of introductory calls booked from the Vakyya website | United States; transfer covered by UK International Data Transfer Addendum to the EU Standard Contractual Clauses | Name, work email, company, and role of individuals booking a call |
| Self-hosted Sentry (deployed in europe-west2) | Error tracking and stability monitoring | UK | Application error reports with Customer Content payloads redacted |
| Vercel, Inc. (US entity) | Hosting and delivery of the public Vakyya website (vakyya.com). Not used for the customer portal, API, or any Customer Content. Planned to be migrated to Google Cloud (europe-west2). | Vercel global edge network; transfer covered by UK IDTA / UK Addendum to EU SCCs | Website visitor request metadata (IP addresses, request headers); no Customer Content |
The Vakyya website does not currently operate any analytics product, first-party or third-party. If analytics is introduced in the future it will be a self-hosted, first-party platform operated by Parakletos in the United Kingdom, will be added to this table at that time, and will be set only after the visitor has provided consent through the cookie controls described in the Cookie Policy.
Parakletos does not use Google Analytics, Google Tag Manager, Firebase Analytics, Meta Pixel, LinkedIn Insight Tag, or any third-party advertising or behavioural-tracking technology on the Vakyya properties.
6.4 In-App AI Assistant
The Service does not include any in-app conversational AI assistant. No in-app assistant traffic is generated, and no Customer data is transmitted to assistant-model providers.
7. Retention
7.1 Default Retention Periods
Default retention is configurable per contract. The default values, applied unless the customer organisation specifies otherwise in the DPA, are:
| Data Category | Default Retention |
|---|---|
| Uploaded source media | 30 days from job completion |
| Generated transcripts, translations, captions, delivery artefacts | 30 days from job completion |
| Customer glossaries | Retained for the duration of the contract |
| Audit and substitution logs | 12 months from job completion |
| Service telemetry (operational metrics) | 90 days |
| Application error reports | 90 days |
| Authenticated user accounts | Duration of the contract plus 30 days |
| Billing and invoice records | 7 years (UK Companies Act 2006, HMRC) |
| Truncated IP addresses for security purposes | 30 days |
| Marketing consent records (where opted in) | Duration of consent plus 3 years from withdrawal |
7.2 Contractual Variation
Customer organisations may, in the DPA, specify alternative retention periods for any of the above categories, for example same-day deletion of source media on delivery, extended audit log retention for regulated industries, or scheduled purge cycles aligned to the customer’s own data lifecycle. Any variation that conflicts with statutory retention obligations on Parakletos (notably billing records) will be implemented to the maximum extent legally permissible.
7.3 Deletion Process
On expiry of a retention period or on contract termination, data is purged from primary storage within seven days. Encrypted backup copies are purged within a further thirty days. Customer organisations may request a deletion certificate confirming purge completion.
7.4 Legal Hold
Where Parakletos is subject to a legal hold, regulatory request, or active dispute affecting specific data, the minimum necessary data will be retained for the required period notwithstanding the schedule above. Affected customer organisations will be notified unless prohibited from such notification by law.
8. International Transfers
Vakyya is designed to operate without transfers of Customer Content outside the United Kingdom or European Economic Area. In the ordinary course of operation:
- Customer Content is stored, processed, and inferred-on exclusively in the UK (europe-west2) or Germany (europe-west3).
- AI processing sub-processors operate exclusively in the UK or EU.
- Substantive processing of Customer Content, which includes storage, transcription, translation, captioning, glossary application, and audit-log retention, occurs only in the assigned UK or Germany region.
- Edge routing for the Vakyya zone is delivered through Cloudflare points of presence. A regional-geography constraint on Cloudflare (Data Localisation Suite / Regional Services for the EU/UK) is planned but not yet operational; transit through Cloudflare in the meantime is covered by the safeguards in the table below.
Limited transfers of non-content data may occur in the following narrowly scoped circumstances:
| Transfer | Recipient | Safeguard |
|---|---|---|
| Card payment processing | Stripe Inc. (US), where strictly necessary | UK-approved SCCs; UK International Data Transfer Addendum |
| Cloudflare metadata for global threat intelligence (no Customer Content) | Cloudflare Inc. (US) | UK-approved SCCs; UK International Data Transfer Addendum; aggregated/non-identifying metadata only |
| Public website hosting and delivery (no Customer Content) | Vercel, Inc. (US) | UK International Data Transfer Addendum to the EU Standard Contractual Clauses |
| Booking and compliance-pack enquiry notifications (no Customer Content) | Resend, Inc. (US) | UK International Data Transfer Addendum to the EU Standard Contractual Clauses |
| Scheduling of introductory calls for prospective customers (no Customer Content) | Calendly LLC (US) | UK International Data Transfer Addendum to the EU Standard Contractual Clauses |
Transfer Risk Assessments are documented for each transfer and are available to customer organisations on request under NDA.
9. Automated Decision-Making
The Vakyya pipeline performs automated processing of Customer Content (transcription, glossary application, translation, captioning) and automated routing decisions (region assignment, model selection per the customer’s configuration). None of this processing constitutes automated decision-making that produces legal effects concerning a data subject, or that similarly significantly affects a data subject, within the meaning of UK GDPR Article 22.
Parakletos does not engage in profiling for the purpose of evaluating personal aspects of data subjects, nor does it make automated decisions about credit, employment, access to services, or eligibility.
10. Rights of Data Subjects
Where Parakletos is the controller (as set out in Section 2.1), the following rights are available under UK GDPR:
- Access (Article 15): obtain confirmation of processing and a copy of personal data held.
- Rectification (Article 16): correction of inaccurate or incomplete data.
- Erasure (Article 17): deletion of personal data in defined circumstances.
- Restriction (Article 18): restriction of processing in defined circumstances.
- Portability (Article 20): receipt of personal data in a structured, commonly used, machine-readable format.
- Objection (Article 21): objection to processing based on legitimate interests, and to direct marketing in all cases.
- Withdrawal of consent (Article 7): where processing is based on consent.
- Complaint to a supervisory authority (Article 77): see Section 12.
Requests should be directed to privacy@vakyya.com. Parakletos will respond within one month of receipt. Identity verification may be required before action.
Your right to object to direct marketing
You have an absolute right to object to the processing of your personal data for direct marketing purposes at any time, under UK GDPR Article 21(2). On receipt of such an objection, Parakletos will stop processing your personal data for direct marketing without further qualification or balancing test. To exercise this right, email privacy@vakyya.com with “Marketing objection” in the subject line, or use the unsubscribe link in any marketing message you have received from us.
Rights in respect of Customer Content
Where Customer Content contains personal data of a third party and Parakletos is acting as processor, data subject rights are exercised against the customer organisation as controller. Parakletos will route any such requests received directly to the relevant customer organisation and will assist that organisation in responding, as required by the DPA.
11. Security and Breach Notification
Parakletos maintains a written information security policy, incident response plan, and breach notification procedure. Security measures are reviewed at least annually and updated in response to material changes in the threat landscape or the Service architecture.
Personal data breach notification:
- To the Information Commissioner’s Office, where required, within 72 hours of becoming aware (UK GDPR Article 33).
- To affected data subjects where a breach is likely to result in a high risk to their rights and freedoms (UK GDPR Article 34).
- To affected customer organisations, in respect of breaches affecting Customer Content, without undue delay and in accordance with the timelines set out in the DPA.
Certification roadmap: Parakletos does not currently hold ISO/IEC 27001 or SOC 2 certification. Security documentation and the current certification roadmap are available to customer organisations on request under NDA.
12. Complaints
A data subject who is dissatisfied with how Parakletos has handled their personal data is invited to contact privacy@vakyya.com in the first instance. Parakletos will investigate and respond.
A data subject also has the right to lodge a complaint with the Information Commissioner’s Office:
Information Commissioner’s Office
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Telephone: 0303 123 1113
Website: ico.org.uk
Where the data subject is in the European Economic Area, complaints may also be lodged with the relevant national supervisory authority in the data subject’s member state of residence.
13. Children
Vakyya is a business-to-business service and is not directed at, marketed to, or intended for use by children. Parakletos does not knowingly collect personal data from children.
Where Customer Content uploaded by a customer organisation contains personal data of children (for example, in safeguarding or educational training materials), the customer organisation as controller is responsible for compliance with the applicable provisions of UK GDPR relating to children’s data and, where applicable, the Age Appropriate Design Code.
14. Changes to this Policy
Parakletos may update this Policy from time to time. Material changes will be notified to customer organisations in writing at least thirty days before they take effect. Non-material changes (typographical corrections, clarifications, updates to sub-processor contact details) may be made without notice and will be reflected in the “Last Updated” date.
A version history of this Policy is available on request.
15. Contact
Data Protection Contact
Parakletos AI Limited
First Floor, 85 Great Portland Street
London W1W 7LT
United Kingdom
privacy@vakyya.com
General Enquiries
hello@vakyya.com
Commercial and Contract
sales@vakyya.com
This Privacy Policy was last updated on 29 May 2026.