Effective: 25 March 2026
The controller within the meaning of the General Data Protection Regulation (GDPR) and other national data protection laws as well as other data protection provisions is:
Spokest UG (haftungsbeschränkt)
Heubaumweg 21
91056 Erlangen
Germany
Commercial register: District Court of Fürth, HRB 22016
Managing Director: Phu Le
Email: privacy@spokest.com
Due to the size of the company, the appointment of a data protection officer is currently not required pursuant to Art. 37 GDPR in conjunction with Section 38 BDSG (German Federal Data Protection Act). For data protection inquiries, please contact us directly at: privacy@spokest.com
Spokest is a personal AI companion ("AI Brain") that remembers your conversations and memories. We take the protection of your data extremely seriously. Here are the key points:
During registration, we collect:
Legal basis: Art. 6(1)(b) GDPR (performance of contract).
When you interact with your Spokest brain (e.g., via Telegram, WhatsApp, Discord, or Slack), your messages and the memories, consolidations, and insights derived from them are stored. This includes:
All brain data is encrypted with your personal AES-256 key. Your personal encryption key protects your data. Without your key, the stored data is unreadable - including by us.
Legal basis: Art. 6(1)(b) GDPR (performance of contract - storing memories is the core of the service).
Payments are processed exclusively through Stripe and PayPal. We store:
Complete payment information (card numbers, bank details) is processed solely by Stripe or PayPal and is never stored on our servers.
Legal basis: Art. 6(1)(b) GDPR (performance of contract).
When you visit our website, the following data is automatically collected:
This data is required for the technical operation and security of the website and is deleted after 7 days.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in the security and functionality of the website).
Your brain data (memories, cognitive profile, consolidations) is encrypted at rest with your personal AES-256 key. Your personal encryption key protects your data. Decryption occurs only upon authorized access.
This means: Even our servers cannot read your data at rest. No Spokest employee has access to your memories in plain text.
Your encrypted data is stored on dedicated servers of a European cloud infrastructure provider in Germany (with strict data separation). Each user is logically isolated - you can only access your own data.
Account data (email, name, subscription status) is stored in a separate database on the same infrastructure.
Spokest automatically creates encrypted real-time backups of your brain data to your personal Google Drive. The backup files are encrypted with your personal key and are not readable without it. You retain these backups even after ending your Spokest subscription.
To provide our service, we work with the following sub-processors:
| Provider | Purpose | Data Processed | Location |
|---|---|---|---|
| Hetzner Online GmbH | Hosting of shared infrastructure (dedicated servers) | Encrypted data blocks - plain text not accessible to Hetzner | Germany |
| Amazon Web Services (Cloud Computing) | Computation of vector embeddings for semantic memory search | Memory text (transient - hardware-enforced data processing with zero data retention) | Frankfurt, Germany |
| OpenAI | OpenAI language models for conversation processing and memory extraction | Conversation content (transient - not stored by OpenAI, not used for model training) | EU / USA (Data Processing Addendum) |
| Stripe | Payment processing | Email, payment method, transaction data | EU / USA (SCC) |
| PayPal | Payment processing | Email, payment method, transaction data | EU / USA (SCC) |
| Google (Drive API) | Real-time encrypted backup to the user's Google Drive | Encrypted backup files (not readable without user's key) | EU / USA (SCC) |
Data processing agreements pursuant to Art. 28 GDPR are in place with all sub-processors. For data transfers outside the EEA, we rely on Standard Contractual Clauses (SCC) and/or adequacy decisions of the European Commission.
Processing at AWS (embedding computation) and OpenAI (conversation processing) is exclusively transient. This means:
| Data Category | Retention Period |
|---|---|
| Account data (email, name, password hash) | As long as your account exists. Deleted within 30 days after account deletion, unless statutory retention obligations apply. |
| Brain data (memories, profile, consolidations) | Stored encrypted as long as your account is active (including read-only mode after trial/cancellation). Irreversibly deleted upon account deletion. |
| Payment data | In accordance with commercial and tax law retention obligations for up to 10 years (Section 147 AO, Section 257 HGB). |
| Technical server logs | 7 days, then automatically deleted. |
| Google Drive backups | Remain on your personal Google Drive and are under your control. Not deleted by Spokest. |
Spokest creates a cognitive profile based on your conversations. This profile is used exclusively to personalize your experience and is never used for automated decision-making with legal or similarly significant effects.
The AI analyzes your stored memories and conversation history to identify patterns in your thinking and communication. The analysis is performed automatically by artificial intelligence.
The cognitive profile is used exclusively to provide you with more personalized and relevant responses. No automated decisions with legal or similarly significant effects are made based on this profile (Art. 22(1) GDPR).
Legal basis: Art. 6(1)(b) GDPR (performance of contract - personalization is a core component of the service).
The provision of your personal data is neither legally nor contractually required. You are not obligated to provide personal data. However, the provision of certain data (name, email address, conversation content) is necessary for the use of the service. Without this data, we cannot provide the service.
Spokest uses artificial intelligence to provide its core service. When you interact with Spokest, your messages are processed by AI systems to generate responses and build your personal memory. Your data is encrypted, stored securely, and associated with your account only. No other user can access your information. You may export or delete your data at any time through your account settings. By using Spokest, you acknowledge that AI technology powers the service.
Legal basis: Art. 6(1)(b) GDPR (performance of contract). For information about automated processing, see also Section 7 (Cognitive Profiling) and Section 10 (EU AI Act Transparency Notice).
In accordance with the EU Regulation on Artificial Intelligence (EU AI Act, Regulation (EU) 2024/1689), we inform you of the following:
Spokest does not use cookies. We do not use analytics tools, advertising tracking, or social media plugins.
For font rendering, we use the Inter typeface. We host all fonts ourselves. No data is transmitted to Google.
As a data subject, you have the following rights under the GDPR:
| Right | Description | GDPR |
|---|---|---|
| Access | You may request information about the personal data we store about you at any time. | Art. 15 |
| Rectification | You have the right to have inaccurate data corrected. | Art. 16 |
| Erasure | You may request the deletion of your data ("right to be forgotten"). Upon account deletion, all brain data is irreversibly erased. | Art. 17 |
| Restriction | You may request the restriction of processing of your data. | Art. 18 |
| Data portability | You have the right to export your data in a machine-readable format (JSON). The real-time backup to Google Drive additionally ensures this automatically. | Art. 20 |
| Objection | You may object to the processing of your data at any time where processing is based on legitimate interests. | Art. 21 |
| Withdrawal of consent | Where processing is based on your consent, you may withdraw it at any time with effect for the future. | Art. 7(3) |
To exercise your rights, please contact: privacy@spokest.com
We will process your request within 30 days (Art. 12(3) GDPR).
We employ extensive technical and organizational measures to protect your data:
Your brain data is primarily processed and stored on servers in Germany. Transfers to third countries outside the EEA occur only in the following cases:
Data transfer to AWS takes place within the EU (Frankfurt, Germany).
Spokest is intended for persons aged 16 and older. We do not knowingly collect data from persons under the age of 16. If we become aware that a person under 16 has created an account, we will promptly delete that account and all associated data.
You have the right to lodge a complaint with the competent data protection supervisory authority:
Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
(Bavarian State Office for Data Protection Supervision)
Promenade 18
91522 Ansbach
Germany
Phone: +49 (0) 981 180093-0
Email: poststelle@lda.bayern.de
Website: www.lda.bayern.de
We reserve the right to update this privacy policy as necessary to adapt it to changed legal requirements or changes to the service. The current version is always available on this page. In the event of material changes, we will notify you by email.
For questions regarding data protection or to exercise your rights, you can reach us at:
Spokest UG (haftungsbeschränkt)
Heubaumweg 21
91056 Erlangen
Germany
Email: privacy@spokest.com
General inquiries: hello@spokest.com