Audio recordings are personal data. A meeting, a sales call, an interview, or a customer voicemail almost always contains names, opinions, and sometimes sensitive details, so the moment you send that file to a transcription tool you are processing personal data under the GDPR and, for UK businesses, the UK GDPR. This guide is a practical walk through the obligations that matter and how RealtimeVoiceKIT helps you meet them. It is general information, not legal advice, so check your own situation with a qualified advisor.
Start with roles, because they decide who is responsible for what. You are the data controller of the content you upload: you choose why the recording exists and what happens to it. RealtimeVoiceKIT acts as your data processor and processes that audio only on your instructions. Clear roles are the foundation of a defensible setup, and a signed data processing agreement (DPA) puts those roles in writing. A DPA is available on request.
Lawful processing comes next. The GDPR asks you to have a lawful basis for every recording you transcribe, usually legitimate interests or consent, and to tell people their audio may be processed. Practical hygiene goes a long way: record only what you need, keep transcripts no longer than necessary, and limit who can access them. RealtimeVoiceKIT does not train models on your content and does not sell personal data, so your recordings are used to deliver your transcription and nothing else.
Data subject rights are where compliance becomes day-to-day work. People can ask to see, export, or delete the personal data you hold about them, and you need to be able to act on that. RealtimeVoiceKIT supports the rights that depend on your tooling: you can export your data for portability and permanently delete transcripts or your whole account from account settings, which covers erasure. Because deletion is permanent, you stay in control of your retention.
Sub-processors are the part teams forget. To transcribe and translate audio we rely on a small set of trusted providers, including our speech-to-text processing provider, Google Cloud for storage, OpenAI for translation and AI features, and Stripe for billing. We maintain a public Sub-processors page so you can see who touches your data, and we require those providers to protect it. Where data moves between regions, we rely on appropriate safeguards such as Standard Contractual Clauses. This is the diligence a GDPR audit will ask you to show.
Security underpins all of it. Your data is encrypted in transit with TLS and at rest on Google Cloud, so recordings are protected on the wire and on disk. We also honor granular cookie consent and the Global Privacy Control (GPC) signal, so the privacy choices people make in their browser are respected rather than ignored.
If you operate in California or serve US customers, the same setup helps with the CCPA. Not selling personal data, honoring GPC, and offering export and deletion are core CCPA expectations as well as GDPR ones, so a privacy-first transcription workflow tends to satisfy both at once. Powered by leading frontier AI from OpenAI (ChatGPT), Anthropic (Claude), and Google (Gemini), RealtimeVoiceKIT pairs accurate transcription with the controls a compliant business needs. The tooling supports your obligations, but the responsibility for your own compliance stays with you, so document your basis, set your retention, and review the Sub-processors page before you scale.
The RealtimeVoiceKIT team writes about audio, AI, and the workflows that turn recordings into reach.