← Back to home

Privacy Policy

Voice Transcription Service — Dya Voice

Last updated: July 19, 2025

Dya Voice (the "Service") is published by Blue Lantern Sàrl ("Dya", "we"). We process personal data responsibly, in accordance with the Swiss Federal Data Protection Act (nFADP/FDPA) and, where applicable, the GDPR.

This policy describes what data we process, for what purposes, on what legal bases, where it is hosted, to whom it may be disclosed, and what rights data subjects have.

1. Contact

Blue Lantern Sàrl

Email: contact@dyahq.com

Website: https://www.dyahq.com

Application: https://app.dyahq.com

2. Definitions and Roles (GDPR)

2.1 Public Website (dyahq.com)

For data collected via the website (prospects, forms, audience metrics), Blue Lantern Sàrl acts as the data controller.

2.2 Application (app.dyahq.com)

Two situations coexist:

  • Patient/end-client data processed by a practice (e.g., audio, transcriptions, clinical notes): Dya acts as data processor; the practice/clinic is the data controller.
  • B2B customer account data (e.g., authorized users, billing, support): Dya acts as the data controller.

A Data Processing Agreement (DPA/AVV) governs the relationship with each practice (available upon request).

3. Categories of Data Processed

3.1 Visitors/Prospects (Website)

  • Data provided via forms (name, email, company, message)
  • Technical data (IP address, user-agent, logs, diagnostics)
  • Aggregated usage data (audience measurement)

3.2 Clients (Practices) & Authorized Users

  • Identity and professional contact details
  • Authentication data (hashed passwords), account settings
  • Support history (tickets, emails)
  • Contractual and billing data (usage, payment status, invoices) — excluding raw credit card data, managed by Stripe (see §7)

3.3 Data Processed in the Transcription Service (on behalf of practices)

Depending on usage:

  • Audio recordings (voice) and/or imported audio files
  • Transcriptions (text)
  • Automated outputs (e.g., summary, note structuring) generated from audio/text
  • Potentially sensitive data (e.g., health) if the user dictates clinical elements

3.4 Technical Logs

  • Access logs, security events, audit trails, application diagnostics

4. Minimization, Separation, and Privacy by Design

We apply data minimization and separation principles:

  • Patient identity fields: Identifying fields (e.g., name, surname, contact details, internal identifiers) are stored separately and are not included in requests to external processing services.
  • External requests: When we use external providers (e.g., OpenAI via API), we only send the elements necessary for processing (e.g., audio and/or text to be transcribed/structured).
  • Compartmentalization: Data access is restricted according to the "need to know" principle (RBAC), with logging of significant actions.

5. Purposes and Legal Bases (GDPR)

We process data for:

  1. Providing the Service (audio recording/import, transcription, summary/structuring generation, backup)
    Legal basis (B2B): contract performance. For patient data: the practice determines the applicable legal basis (Dya acts as processor).
  2. Security (incident prevention/detection, access control, audit logs)
    Legal basis: legitimate interest and/or legal obligation
  3. Customer support (assistance, incident resolution)
    Legal basis: contract performance and legitimate interest
  4. Billing (usage measurement, invoices, payment, operational communications)
    Legal basis: contract performance and legal obligations (accounting)
  5. Product improvement (aggregated/anonymized statistics, bug fixes)
    Legal basis: legitimate interest. We prioritize aggregated metrics and avoid analyzing patient content.

6. Hosting, Location, Transfers, and Subprocessors

6.1 Main Hosting in Switzerland

  • Database & storage: hosted in Switzerland (Zurich region) via Supabase (Zurich).
  • Application servers: hosted in Switzerland at Nine (nine.ch).

6.2 Subprocessors and Purposes

We use subprocessors to provide the Service. The list below may evolve; an updated version can be provided upon request.

  • Supabase (Switzerland – Zurich): database hosting, storage, authentication (where applicable). DPA: available upon request.
  • Nine (Switzerland – Zurich): application server hosting in Switzerland.
  • OpenAI: transcription and automated processing services via the OpenAI API (e.g., transcription, summary, structuring). Data sent via the OpenAI API: according to OpenAI documentation, data transmitted via the API is not used to train/improve OpenAI models. OpenAI DPA: https://openai.com/policies/data-processing-addendum/
  • Stripe (potentially outside Switzerland): payments, billing, and payment method management. Dya does not store raw credit card data. Stripe DPA: https://stripe.com/legal/dpa

6.3 Cross-border Transfers and Guarantees

When personal data is communicated to subprocessors located abroad (directly or indirectly), we implement appropriate safeguards where required (e.g., data processing agreements (DPA), standard contractual clauses, and technical/organizational measures).

6.4 Registry

We maintain an internal register of processing activities and subprocessors, available upon request.

7. Payments (Stripe)

Payments are processed via Stripe. Dya does not store raw credit card data. Stripe processes payment data in accordance with its own contractual documents and policies.

8. Retention

8.1 Audio

  • Audio files are deleted no later than 24 hours after their creation/import (often earlier, once processing is complete).
  • This rule also applies to temporary files related to processing.

8.2 Account Data, Transcriptions, Notes

  • Retained as long as the account is active.
  • Upon account closure/deletion, data is purged within one month (≤ 1 month), subject to legal obligations (e.g., accounting) and technical backup constraints.

8.3 Billing Data and Legal Obligations

Certain data (invoices, records, evidence) may be retained longer if required by Swiss law (accounting obligations), even after closure.

8.4 Technical Logs

Retained for a limited duration proportionate to security and audit needs. Backups: backup copies may exist for a limited period; complete purging occurs according to backup cycles, no later than the above deadlines, unless legally required.

9. User Rights (B2B Clients)

Subject to legal limits and role (controller/processor), you have the following rights:

9.1 Access

Obtain confirmation that data concerning you is being processed and access it.

9.2 Rectification

You can correct/update entered data (patients, titles, notes, etc.) via the application when available, or by contacting us.

9.3 Erasure (Deletion) & Selective Deletion

  • Account deletion: A "Delete account" option (or email request) triggers immediate logical deletion then purge ≤ 1 month.
  • Audio: purge ≤ 24h.
  • Selective deletion: you can request deletion of a specific item (e.g., transcription, patient, note) via the interface when available, or via email.

9.4 Portability (Export)

Upon request (or via the interface when available), you can download a JSON/CSV export (ideally a ZIP) typically including: Profile & settings, Patients (data entered in the app), Consultations/transcriptions/notes, Usage and billing elements excluding raw Stripe payment data.

9.5 Objection/Restriction

In certain cases, you may object to certain processing or request its restriction.

9.6 Complaint

If GDPR applies, you may lodge a complaint with an EEA supervisory authority. In Switzerland, you can contact the FDPIC (Federal Data Protection and Information Commissioner).

10. Rights of Recorded Third Parties (e.g., patients, companions)

The Service may be used to record the voice and information of third parties (e.g., patients). In this context:

  • The practice is generally the data controller for patient data; Dya acts as processor.
  • Third parties can exercise their rights primarily with the practice (access, rectification, erasure, etc.).
  • Dya assists the practice, upon instruction, in responding to requests regarding data processed via the Service.

Important: The practice/user is responsible for: informing data subjects (e.g., notice display in the room, oral information), obtaining any required consent, ensuring a valid legal basis for recording and processing, including in the presence of sensitive data.

11. DSAR Procedure (GDPR/nFADP Requests)

For any request (access, export, deletion, etc.):

  • Channel: contact@dyahq.com
  • Timeframe: We respond in principle within 30 days (extendable if the request is complex, in accordance with GDPR).
  • Identity verification: We may request additional reasonable information to verify identity and/or authority (e.g., practice user).
  • Traceability: We maintain a log of requests (date, nature, outcome) for compliance purposes.

12. Security

We implement technical and organizational measures appropriate to the risk, including:

  • Encryption in transit (TLS) and, where applicable, at rest
  • Security logging and monitoring
  • Backups and restoration testing
  • Vulnerability and secrets management

No measure guarantees zero risk, but we strive to maintain a security level appropriate to data sensitivity.

13. Cookies and Similar Technologies

Public Website

Necessary cookies (language, security) and, where applicable, limited audience measurement. Non-essential cookies require consent.

Application

Google Analytics and Vercel Analytics for audience measurement; necessary authentication cookies and local storage for interface preferences.

14. Modifications

We may update this policy in the event of legal, technical, or operational changes. In case of substantial changes, appropriate notice will be provided (email and/or in-app message). The published version prevails.