Table of Contents

  • 1. Introduction
  • 2. What Data We Collect
  • 3. How We Use Your Data
  • 4. Data Sharing & Third Parties
  • 5. Data Retention
  • 6. Your Data Rights (GDPR)
  • 7. Data Security
  • 8. Children's Privacy
  • 9. International Data Transfers
  • 10. User Responsibilities & Warnings
  • 11. Changes to This Privacy Policy
  • 12. Contact Information
  • 13. Legal Basis for Processing (GDPR Article 6)
  • 14. Automated Decision-Making
  • Appendix: Technical Details

Privacy Policy for End Users

AI Form Copilot Voice Assistant

Last Updated: [DATE]

Service Provider: [NAME] Individual Entrepreneur Staniszewskiego 19b 81-303 Gdynia, Poland NIP: -------- Email: info@webappski.com


1. Introduction

This Privacy Policy explains how AI Form Copilot ("the Service", "we", "us") processes your personal data when you use the voice-powered form filling widget on websites operated by our business clients.

Important: The website you are visiting (the "Website Owner") is the Data Controller responsible for collecting and using your data. AI Form Copilot acts as a Data Processor on behalf of the Website Owner. This means:

  • The Website Owner determines what data is collected and how it's used
  • We process data only as instructed by the Website Owner
  • For questions about your data rights, contact the Website Owner first

2. What Data We Collect

2.1 Data Collected When You Use Voice Input

When you click "Fill with Voice" and speak:

Voice Recording (Audio):

  • Your voice is recorded temporarily in your browser
  • The audio is transmitted to our servers via HTTPS
  • We (AI Form Copilot) do NOT store audio files - audio exists only in memory during transcription and is then immediately discarded
  • Audio is sent to OpenAI Whisper API for speech-to-text conversion
  • However, OpenAI (our sub-processor) retains audio for 30 days for abuse monitoring per their API policy (see OpenAI Data Usage Policy)
  • We cannot control or shorten OpenAI's retention period

Voice Transcription (Text):

  • Your spoken words converted to text (e.g., "My name is John Smith, email is john@example.com")
  • Transcription is sent to OpenAI GPT-4o-mini for field mapping
  • Transcription IS logged (sanitized) in our system logs for debugging purposes
  • Logs are stored in Google Cloud Logging for 30 days, then automatically deleted
  • Sanitization: Emails, phone numbers, credit cards, and other PII automatically redacted before storage
  • OpenAI retains transcriptions for 30 days for abuse monitoring (raw data, not sanitized)

Extracted Form Data:

  • Information extracted from your speech (e.g., {name: "John Smith", email: "john@example.com"})
  • This data IS logged (sanitized) in our system logs for debugging
  • Stored in Google Cloud Logging for 30 days, then automatically deleted
  • Sanitization: Emails, phone numbers, credit cards, and other PII automatically redacted before storage

2.2 Form Field Metadata

We analyze the structure of web forms to provide intelligent AI-powered assistance:

Field Information Sent to AI (OpenAI GPT-4o-mini) - After Pre-Filtering:

  • Non-sensitive field labels only (e.g., "Full Name", "Email Address") - sensitive labels filtered locally first
  • Placeholder text (e.g., "Enter your name", "Min 8 characters")
  • Non-sensitive field types only (e.g., text, email, tel) - password/payment types excluded
  • Form title from the webpage
  • Page URL where the form is located
  • User Agent (your browser type and version)
  • First 3 options from dropdown/checkbox fields (for context)
  • Field structure metadata:
    • HTML tag names (e.g., "nz-select", "mat-select", "ion-datetime")
    • CSS classes (for UI library detection)
    • ARIA attributes (role, ariaHaspopup, ariaControls)
    • Data attributes (isPrivate, explicitLabel)

⚠️ IMPORTANT - How Field Filtering Works (Data Minimization):

  1. Local pre-filtering happens FIRST - Sensitive field labels are filtered locally BEFORE any transmission to OpenAI:
    • Fields with types: password, credit-card-number, cvv, ssn
    • Fields with labels matching our denylist: "Password", "Credit Card", "CVV", "SSN", "Social Security", "IBAN", "Passport", "Driver License", "Tax ID", "Medical Record", "Health Insurance", "Religious Belief", "Political Party", "Trade Union"
    • Fields marked with data-ai-private attribute by the Website Owner
  2. Only non-sensitive field metadata is sent to OpenAI GPT-4o-mini for form structure analysis and badge generation
  3. GPT assists with nuanced sensitivity detection for context-dependent fields (e.g., "Salary Range" may be sensitive in some forms but not others)
  4. Backend applies additional hard guardrails to ensure critical fields remain excluded
  5. Only verified non-sensitive fields are shown to you in the voice input interface

What This Means for You:

  • ✅ Existing form field VALUES are NEVER sent to OpenAI - We do NOT read or transmit data already filled in the form by you or others
  • ✅ Your spoken input IS sent to OpenAI - When you speak ("My name is John Smith"), your voice transcription is sent to OpenAI GPT-4o-mini for field mapping
  • ✅ Sensitive labels (passwords, payment, health, etc.) are NEVER sent to OpenAI - filtered locally first before transmission
  • ✅ Pre-filtering happens in your browser/our backend - Sensitive field metadata filtered before any external transmission
  • ⚠️ Company-specific sensitive labels (e.g., "Internal Reference Code", "Confidential Project Name") require the Website Owner to mark them with data-ai-private attribute

Important Distinction:

  • What we DON'T send: Data already in form fields (e.g., if "Name" field contains "Jane Doe", we don't send "Jane Doe")
  • What we DO send: Your spoken words (e.g., if you say "My name is John Smith", we send this transcription to OpenAI for analysis)

Important Note on Filter Exhaustiveness: Our local denylist filtering materially reduces risk but cannot catch all variants of sensitive field labels. If you notice field labels that should be private but are not filtered, contact the Website Owner to add data-ai-private attribute to those fields.
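The local pre-filter described above, sketched as an added example (this is not AI Form Copilot's code). The field types, label denylist and data-ai-private attribute come from this policy; the matching rule (case-insensitive, whole-word), the field object shape and the function names are assumptions. The last two constructed fields pass the filter, which is the gap the exhaustiveness note describes.

```javascript
// Added illustration, not the vendor's implementation.
// Types and labels below are the ones listed in the policy text.
const SENSITIVE_TYPES = new Set(["password", "credit-card-number", "cvv", "ssn"]);
const LABEL_DENYLIST = [
  "Password", "Credit Card", "CVV", "SSN", "Social Security", "IBAN",
  "Passport", "Driver License", "Tax ID", "Medical Record",
  "Health Insurance", "Religious Belief", "Political Party", "Trade Union",
];

// Assumption: labels are compared case-insensitively after punctuation
// and whitespace runs are collapsed to single spaces.
function normalize(text) {
  return String(text || "")
    .normalize("NFKC")
    .toLowerCase()
    .replace(/[^\p{L}\p{N}]+/gu, " ")
    .trim();
}

// Assumption: a denylist term must appear as whole words in the label.
const DENY_PATTERNS = LABEL_DENYLIST.map((term) => ({
  term,
  re: new RegExp(`(?:^| )${normalize(term)}(?: |$)`),
}));

// Decide whether one field's metadata may leave the browser.
function classifyField(field) {
  if (field.attributes && "data-ai-private" in field.attributes) {
    return { send: false, reason: "data-ai-private" };
  }
  const type = String(field.type || "").trim().toLowerCase();
  if (SENSITIVE_TYPES.has(type)) {
    return { send: false, reason: `type:${type}` };
  }
  const label = normalize(field.label);
  const hit = DENY_PATTERNS.find((p) => p.re.test(label));
  if (hit) {
    return { send: false, reason: `label:${hit.term}` };
  }
  return { send: true, reason: "no-match" };
}

// Split a form into metadata that would be transmitted and fields withheld.
function prefilter(fields) {
  const outbound = [];
  const withheld = [];
  for (const field of fields) {
    const verdict = classifyField(field);
    if (verdict.send) {
      // Only label/type/placeholder are copied; field.value is never read.
      outbound.push({
        label: field.label,
        type: field.type,
        placeholder: field.placeholder || "",
      });
    } else {
      withheld.push({ label: field.label, reason: verdict.reason });
    }
  }
  return { outbound, withheld };
}

// Constructed sample form (hypothetical field descriptors).
const SAMPLE_FIELDS = [
  { label: "Full Name", type: "text", value: "Jane Doe" },
  { label: "Email Address", type: "email" },
  { label: "Choose a PASSWORD", type: "text" },
  { label: "Security code", type: "cvv" },
  { label: "Your SSN:", type: "text" },
  { label: "Internal Reference Code", type: "text",
    attributes: { "data-ai-private": "" } },
  // Company-specific label without data-ai-private: not caught.
  { label: "Confidential Project Name", type: "text" },
  // Spelling variant of "Driver License": not caught.
  { label: "Driver's License No.", type: "text" },
];

const result = prefilter(SAMPLE_FIELDS);
console.log("sent:", result.outbound.map((f) => f.label));
console.log("withheld:", result.withheld);
```

A Website Owner can run the same kind of check over their own form labels to find fields that need data-ai-private before enabling voice input.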

2.3 Technical Data

Data Collected:

  • Page URL (where the form is located)
  • User Agent (your browser type and version)
  • Browser language preference (for UI localization)
  • IP Address (logged automatically by infrastructure for security purposes only; 30-day retention)

⚠️ URL Privacy Risk: The page URL is sent to OpenAI for form analysis. If the website includes personal information in URLs, this information will be transmitted to OpenAI.

Examples of URLs that may contain personal data:

  • Query parameters: ?email=user@example.com&token=abc123
  • User IDs: /profile/12345/edit
  • Session identifiers: ?session=sensitive_token
  • Names: /users/john-smith/dashboard

Your Responsibility: If you notice that the website URL contains your personal information (email, name, ID), either DO NOT use the voice feature, or contact the Website Owner to fix their URL structure.

User Agent (Browser Fingerprinting): Your User Agent is sent to OpenAI to help detect UI library components and provide better form analysis. This data can be used for device fingerprinting but is NOT used for tracking purposes by our Service.

IP Address (Security and Abuse Prevention): IP addresses are logged automatically by Google Cloud Platform infrastructure for security purposes:

  • Purpose: DDoS protection, abuse detection, rate limiting, debugging production errors
  • Retention: Maximum 30 days in infrastructure logs, then automatically deleted
  • Legal Basis: Legitimate interests under GDPR Article 6(1)(f) for network and information security (see GDPR Recital 49)
  • NOT used for: Tracking, profiling, marketing, or identifying individual users
  • Note: IP addresses may indirectly identify you when combined with other data, but we do not attempt such identification

Joint Controller Role for Security Logs (GDPR Article 26): For infrastructure security logging (IP addresses, timestamps, error codes), we and the Website Owner act as Joint Controllers under GDPR Article 26. This means:

  • We jointly determine the purposes and means of this specific security logging (security is necessary for service provision)
  • Security logging is inextricably linked to providing the voice input service (CJEU Fashion ID C-40/17)
  • Both parties benefit: Website Owner needs reliable service; we need operational stability
  • Our legitimate interest: protecting Service infrastructure from abuse and attacks (GDPR Recital 49)
  • This is separate from processing your voice data (where we act as Processor for the Website Owner)
  • Your rights: You may contact either us (info@webappski.com) or the Website Owner to exercise your GDPR rights regarding security logs
  • Primary contact for security logs: info@webappski.com (Subject: "Security Logs - GDPR Request")
  • Detailed allocation of responsibilities: See Data Processing Agreement Appendix D (https://webappski.com/legal/dpa)

What We DO NOT Collect:

  • ❌ Cookies are NOT set by our widget
  • ❌ No cross-site tracking or profiling
  • ❌ No persistent user identifiers

3. How We Use Your Data

Purpose: Form completion assistance only

Your data is used to:

  1. Convert your voice to text (via OpenAI Whisper)
  2. Map your speech to appropriate form fields (via OpenAI GPT-4o-mini)
  3. Translate your input to the form's language if needed
  4. Debug errors and improve service quality (system logs)

We DO NOT:

  • Use your data for marketing
  • Share your data with third parties (except OpenAI as our subprocessor)
  • Train AI models on your data
  • Profile or track you across websites
  • Sell your data

4. Data Sharing & Third Parties

4.1 OpenAI (Subprocessor)

Your voice and transcribed text are sent to OpenAI for processing:

OpenAI Whisper API (speech-to-text):

  • Audio transmitted via HTTPS
  • Audio stored for 30 days (OpenAI abuse monitoring policy)
  • Data NOT used for model training (per OpenAI API terms)

OpenAI GPT-4o-mini API (field mapping):

  • Voice transcription and field metadata sent via HTTPS
  • Data stored for 30 days (OpenAI abuse monitoring policy)
  • Data NOT used for model training (per OpenAI API terms)

OpenAI Privacy: https://openai.com/policies/privacy-policy
OpenAI Data Processing Addendum: https://openai.com/policies/data-processing-addendum

4.2 Google Cloud Platform (Infrastructure)

  • System logs stored in Google Cloud Logging (30 days retention)
  • Firestore database stores client configurations only (NO user data)
  • Google acts as subprocessor for infrastructure services

4.3 No Other Third Parties

We do NOT share your data with:

  • Advertisers
  • Data brokers
  • Marketing platforms
  • Analytics services (we use Plausible Analytics which is privacy-first and cookie-less for our own website only, NOT for tracking widget users)

5. Data Retention

| Data Type | Storage Location | Retention Period | Sanitization |
| --- | --- | --- | --- |
| Audio recording (our systems) | Memory buffer only | 0 seconds (not stored by us) | N/A |
| Audio recording (OpenAI) | OpenAI servers | 30 days (abuse monitoring) | No (raw audio) |
| Voice transcription (sanitized) | Google Cloud Logging | 30 days | Yes - emails, phones, cards redacted |
| Extracted form data (sanitized) | Google Cloud Logging | 30 days | Yes - emails, phones, cards redacted |
| Voice transcription | OpenAI API | 30 days (abuse monitoring) | No (raw data) |
| Field metadata (non-sensitive only) | OpenAI API | 30 days (abuse monitoring) | Pre-filtered - sensitive labels excluded |
| Infrastructure logs (IP, User Agent, URL, timestamps) | Google Cloud Run logs (httpRequest.remoteIp) | 30 days | Not sanitized (infrastructure level) |

Sanitization Details:

  • Application logs automatically redact: emails, phone numbers, credit cards, IBAN, API keys, JWT tokens, names, addresses
  • Correlation IDs used for error tracking without exposing personal data
  • IP addresses: Not included in application logs (our code); however, Google Cloud Run infrastructure automatically logs client IP addresses in httpRequest.remoteIp field for all HTTP requests (retention: 30 days). We and the Website Owner act as Joint Controllers for these infrastructure security logs under GDPR Art. 26 and Art. 6(1)(f).

After 30 days, all data is automatically and permanently deleted.

Litigation Hold: Retention periods may be extended where required by law or necessary to establish, exercise, or defend legal claims (litigation hold).


6. Your Data Rights (GDPR)

As a data subject in the European Union, you have the following rights:

6.1 Right to Access

You may request a copy of your data. Contact the Website Owner first, or email us at info@webappski.com.

6.2 Right to Rectification

You can request correction of inaccurate data.

6.3 Right to Erasure ("Right to be Forgotten")

⚠️ Technical Limitations:

Due to the distributed nature of our infrastructure and sub-processor policies, immediate deletion is not technically possible:

  1. Our application logs (Google Cloud Logging): No API exists to delete individual log entries by correlation ID
  2. OpenAI retention: OpenAI retains data for 30 days for abuse monitoring per their API terms; we cannot expedite deletion
  3. Infrastructure logs (Cloud Run): Managed by Google Cloud Platform; we cannot manually delete individual HTTP request logs

What happens to your data:

  • All data is automatically and permanently deleted after 30 days
  • We do NOT transfer data to long-term storage
  • No backups are created beyond the 30-day retention period

If you need your data removed:

  • Contact us at info@webappski.com with your request
  • We will document your erasure request and confirm automatic deletion timeline
  • We will investigate if any early deletion is technically feasible (best-effort basis, but cannot guarantee)
  • For data processed on behalf of the Website Owner, contact the Website Owner first

Prevention is best: If you are concerned about data retention, do not use the voice feature—type form data manually instead.

6.4 Right to Restrict Processing

You can request we limit how we process your data.

6.5 Right to Data Portability

You can request your data in a machine-readable format.

6.6 Right to Object

You can object to voice input processing by simply not using the feature and typing manually instead.

6.7 Right to Lodge a Complaint

You can file a complaint with your local data protection authority:

  • Poland: Urząd Ochrony Danych Osobowych (UODO) - https://uodo.gov.pl/

To exercise your rights: Email info@webappski.com with your request.


7. Data Security

We implement industry-standard security measures:

Encryption:

  • All data transmitted via HTTPS (TLS 1.2+)
  • No unencrypted data transmission

Access Control:

  • System logs accessible only to authorized administrators
  • API keys stored securely in Firebase Cloud Functions secrets
  • No client-side exposure of credentials

Infrastructure Security:

  • Firebase Cloud Functions (Google Cloud Platform)
  • Automatic security patches and updates
  • DDoS protection via Google Cloud

Incident Response:

  • In case of data breach, we will notify affected parties within 72 hours as required by GDPR

8. Children's Privacy

Age Restriction: Our Service is NOT intended for children under 16 years of age.

  • We do NOT knowingly collect data from children under 16
  • If you are under 16, DO NOT use the voice feature
  • Parents: If you believe your child has provided data, contact us immediately at info@webappski.com

COPPA (US): For US users under 13, parental consent is required before using voice features.


9. International Data Transfers

Data Location:

  • Servers located in: United States (Google Cloud us-central1 region)
  • Data transferred from EU to US for processing

Legal Basis for Transfers:

  • EU Standard Contractual Clauses (SCCs)
  • OpenAI Data Processing Addendum (DPA)
  • Google Cloud Data Processing Terms

Your Rights: You can object to international transfers by not using the voice feature.


10. User Responsibilities & Warnings

⚠️ CRITICAL - What NOT to Speak:

DO NOT use voice input for the following types of information:

Highly Sensitive Data:

  • Passwords, PINs, security codes, 2FA codes
  • Government-issued ID numbers (SSN, passport, driver's license, tax IDs)
  • Financial information (credit card numbers, CVV codes, bank account numbers)
  • Medical records, diagnoses, prescriptions, health insurance numbers
  • Biometric data
  • Any information you consider confidential or trade secrets

Why? While we use AI to identify and hide sensitive fields from the voice input UI, our detection is NOT perfect. Additionally, we CANNOT prevent you from speaking sensitive information if you choose to do so.

If in doubt, type manually instead of using voice.

You are responsible for:

  • Choosing what information to speak aloud
  • Understanding that spoken data is transmitted to OpenAI and logged for 30 days
  • Using voice input only for non-sensitive form fields

Important Limitations:

  • We cannot prevent you from voluntarily speaking sensitive information into the system
  • You assume the risk if you choose to speak sensitive data despite our warnings and field filtering
  • Field labels sent for analysis: While we pre-filter sensitive labels, company-specific confidential field labels may still be transmitted unless marked with data-ai-private by the Website Owner

For highly sensitive forms, we strongly recommend typing manually instead of using voice input.


11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Changes will be effective immediately upon posting.

Notification:

  • Major changes: We will notify the Website Owner, who may notify you
  • Minor changes: Updated "Last Updated" date at the top of this document

Your Consent: Continued use of the voice feature after changes constitutes acceptance of the updated Privacy Policy.


12. Contact Information

Data Processor (AI Form Copilot): [NAME] Staniszewskiego 19b 81-303 Gdynia, Poland Email: info@webappski.com

Data Controller (Website Owner): Contact the website you are visiting for their contact information.

For Data Protection Inquiries:

Two Types of Requests:

  1. Voice Data Processing Requests (we act as Processor for the Website Owner):
    • Email: info@webappski.com
    • Subject: "GDPR Data Request - [Your Request Type]"
    • Examples: Access/deletion requests for voice transcriptions, form field metadata, extracted form data
  2. Security Logs Requests (we and Website Owner act as Joint Controllers per GDPR Art. 26):
    • Email: info@webappski.com
    • Subject: "Security Logs - GDPR Request - [Your Request Type]"
    • Examples: Access/deletion requests for infrastructure logs (IP addresses, timestamps, error codes)

Why Two Types?

  • For voice data processing, we follow the Website Owner's instructions (Processor role)
  • For security logs, we and the Website Owner act as Joint Controllers (both jointly determine purposes/means; see DPA Appendix D)
  • Specifying the correct subject line helps us route your request to the appropriate team and apply the correct legal framework

Polish Data Protection Authority: Urząd Ochrony Danych Osobowych (UODO)
Website: https://uodo.gov.pl/
Email: kancelaria@uodo.gov.pl


13. Legal Basis for Processing (GDPR Article 6)

For Voice Data and Form Metadata Processing: The legal basis for processing your voice data and form metadata is determined by the Website Owner (Data Controller). We act as a Data Processor following the Website Owner's documented instructions. The Website Owner typically relies on:

  • Consent (Article 6(1)(a)) - Your consent when clicking "Fill with Voice"
  • Contract (Article 6(1)(b)) - Processing necessary to provide the service you requested

For Infrastructure Security Logs (Joint Controller Role per GDPR Article 26): For infrastructure security logging (IP addresses, timestamps, error codes), we and the Website Owner act as Joint Controllers based on:

  • Legitimate Interests (Article 6(1)(f)) - Network and information security (GDPR Recital 49)
  • Joint legitimate interest: Security is inextricably linked to service provision (CJEU Fashion ID C-40/17)
  • Both parties jointly determine purposes (service provision with security) and means (Google Cloud Platform logging)
  • This is separate from voice data processing where we act solely as Processor for the Website Owner
  • Detailed allocation of GDPR obligations: See Data Processing Agreement Appendix D

How Consent is Obtained:

  • First-time use: When you click "Fill with Voice" for the first time, the Website Owner should display a consent notice explaining that:
    • Your voice will be sent to OpenAI for transcription
    • Form field labels will be sent to OpenAI for analysis
    • Your data will be logged for 30 days
    • Data will be transferred to the United States
  • Continuing use: Each time you click "Fill with Voice", you reaffirm your consent
  • Explicit consent required: If forms contain Special Categories of Personal Data under GDPR Article 9 (health, political opinions, religious beliefs), the Website Owner MUST obtain separate explicit consent before allowing voice input

What Consent Covers:

  • ✅ Voice recording and transcription via OpenAI Whisper
  • ✅ Field metadata (labels, placeholders) sent to OpenAI for analysis
  • ✅ Page URL and User Agent sent to OpenAI
  • ✅ 30-day retention in Google Cloud Logging
  • ✅ International data transfer to United States (OpenAI, Google Cloud)
  • ✅ OpenAI 30-day retention limitation (see below)

⚠️ IMPORTANT: OpenAI Data Retention Limitation

By clicking "Fill with Voice" or "Enable Voice Input", you explicitly acknowledge and consent to the following:

  1. OpenAI (our Sub-processor) retains voice data for 30 days for abuse monitoring per their API policy (https://openai.com/policies/usage-policies)
  2. We CANNOT provide immediate deletion before 30 days due to technical limitations of OpenAI's system
  3. You acknowledge this limitation and consent to 30-day retention
  4. Alternative available: If you do NOT accept this limitation, DO NOT USE voice input - you can fill forms manually instead (typing)

Legal Basis: Your informed and specific consent to this processing condition is required under GDPR Article 6(1)(a). This is a technical limitation of the Sub-processor we use, which we transparently disclose to you before you use the voice feature. Voice input is an optional feature - you can always choose to fill forms manually.

This consent is separate from your right to erasure: While GDPR Article 17 gives you the right to erasure "without undue delay", this right has limitations. In this case, the technical architecture of the service (OpenAI's 30-day abuse monitoring retention) means immediate deletion is not feasible. By providing informed consent to this limitation, you acknowledge that you understand and accept the 30-day retention period as a condition of using the voice input feature.


What Consent Does NOT Cover:

  • ❌ Special Categories (Article 9) data - requires separate explicit consent
  • ❌ Marketing or tracking - we do NOT use your data for these purposes
  • ❌ Third-party sharing beyond OpenAI/Google Cloud - we do NOT share with others

Withdrawal of Consent:

  • You can withdraw consent at any time by simply NOT using the voice feature
  • Type form data manually instead of using voice
  • Withdrawal does NOT affect lawfulness of processing before withdrawal
  • Data already in 30-day retention cannot be immediately deleted (automatic deletion after 30 days)

Consent for Children:

  • Users under 16 require parental consent (GDPR Article 8)
  • US users under 13 require parental consent (COPPA)
  • Website Owner is responsible for obtaining parental consent before allowing minors to use voice feature

14. Automated Decision-Making

AI Processing: We use AI (OpenAI GPT-4o-mini) to map your speech to form fields.

No Profiling: We do NOT use automated decision-making that produces legal effects or significantly affects you.

Human Review: You review and confirm all AI-suggested values before form submission.


Appendix: Technical Details

For detailed technical information about data flows, see our Technical Documentation at [TECHNICAL.md].

Key Technical Points:

  • Audio: WebM/WAV format, streaming (never stored)
  • Encryption: TLS 1.2+ (HTTPS)
  • APIs: OpenAI Whisper, GPT-4o-mini
  • Logs: Google Cloud Logging (30 days, then auto-deleted)
  • Cache: 5 minutes in-memory only (no persistent storage)

By using the AI Form Copilot voice feature, you acknowledge that you have read, understood, and agree to this Privacy Policy.

© 2025 Webappski All Rights Reserved.