Privacy Policy

Last updated: 29 March 2026

1. Who We Are

SiteVoice AI is a product of Deskwright, a registered business operating in the United Kingdom. We are the data controller for the personal data processed through this application.

2. What Data We Collect

We collect and process the following data:

  • Account data: name, email address, company name, job title, phone number
  • Project data: project names, addresses, client details, contract types
  • Report data: voice transcripts, structured report content, photos, GPS coordinates, weather data
  • Team data: team membership, roles, permissions
  • Usage data: audit logs of actions taken within the application

3. Lawful Basis for Processing

We process your data under the following lawful bases (UK GDPR):

  • Contract: processing necessary to provide the SiteVoice AI service you have subscribed to
  • Legitimate interest: maintaining business records, improving the service, and preventing fraud
  • Consent: for optional features such as AI photo captioning and voice recording

4. How We Use Your Data

  • To provide the daily site report generation service
  • To transcribe voice recordings using third-party AI services (OpenAI Whisper)
  • To generate structured reports using AI (Anthropic Claude or OpenAI)
  • To send PDF reports to specified recipients
  • To maintain audit trails for CDM 2015 compliance purposes
  • To manage team access and permissions

5. Data Storage and Security

  • All data is hosted in the United Kingdom (AWS eu-west-2, London)
  • Data is encrypted in transit (TLS 1.3) and at rest
  • Passwords are hashed using bcrypt with 12 rounds
  • Session tokens are encrypted using AES-256
  • Voice recordings are processed and the audio deleted after transcription

6. Third-Party Processors

We use the following third-party services to process your data:

  • OpenAI (USA) — voice transcription and report generation. Subject to Standard Contractual Clauses for international data transfer.
  • Anthropic (USA) — AI report structuring. Subject to Standard Contractual Clauses.
  • Stripe — payment processing. PCI DSS Level 1 compliant. We do not store card data.

7. Your Rights

Under UK GDPR, you have the right to:

  • Access your personal data
  • Rectify inaccurate data
  • Erase your data (right to be forgotten) — request via Settings or email
  • Restrict processing
  • Data portability — export your data in machine-readable format
  • Object to processing based on legitimate interest

To exercise any of these rights, contact us at solodeskstudio@gmail.com.

8. Data Retention

  • Account data: retained while the account is active, deleted within 30 days of account deletion request
  • Project and report data: retained for 7 years (CDM 2015 compliance requirement)
  • Voice recordings: deleted within 24 hours of transcription
  • Audit logs: retained for 7 years

9. Cookies

We use essential cookies only (session authentication). No tracking cookies, no advertising cookies, no third-party analytics cookies.

10. Contact

For privacy enquiries: solodeskstudio@gmail.com

You may also lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk if you believe your data rights have been breached.