LiveInterpret.AI ← back

Data Processing Addendum (DPA)

Version 1.0, published 2026-07-12. Between the organization using the service ("Controller") and Ondřej Plevka, sole trader, IČO 88181782, registered seat Nad úžlabinou 445/20, 108 00 Praha 10 – Malešice, Czech Republic ("Processor"). Applies whenever the service processes personal data on the Controller's behalf (Art. 28 GDPR). Forms part of the Terms of Service.

1. Subject matter and instructions

Processing is limited to operating the live-translation service: relaying and translating event audio in real time, optional transcript archiving, operator account management, and usage metering. The Controller's documented instructions are given through the service's settings and these documents; the Processor processes personal data only on those instructions and for no purpose of its own beyond security and billing records, and will inform the Controller if an instruction appears to infringe data-protection law.

2. Duration, nature, and categories

Processing lasts for the term of the service and the applicable retention settings. Data subjects: speakers at the Controller's events; the Controller's operators and volunteers. Data: live speech audio (transient, not stored), caption text (only when archiving is enabled, which is off by default for LiveInterpret.AI organizations), operator account names and hashed credentials, sender-device names, and usage records. Speech at religious events may reveal special-category data (Art. 9); the Controller is responsible for the lawful basis for capturing, translating, and archiving its event audio.

3. Security measures

TLS on all connections; per-organization isolation (separate service instances and data directories); per-device revocable sender credentials; operator authentication with salted password hashes; audit logging of control actions; EU-only primary hosting; nightly backups; and access limited to the Processor. Transient event audio is never written to disk by the service.

4. Subprocessors

The Controller authorizes the following subprocessors:

SubprocessorPurposeLocation
Google (Gemini API, developer API, paid tier)real-time speech translation; no use of Controller data for model training per Google's paid-services termsglobal processing per Google's Gemini API terms
Hetzner Online GmbHhosting and computeGermany (EEA)
DigitalOcean, LLCmanaged PostgreSQL for account, credit and billing recordsGermany (fra1, EEA)
Cloudflare, Inc.DNS, TLS, CDN/proxy and bot protection (liveinterpret.app)global edge; SCCs
Stripe (Stripe Payments Europe, Ltd.)payments and tax calculationEU entity for EU customers
Resendtransactional e-mail (sign-in, account)US; SCCs

The Processor imposes data-protection terms on each subprocessor no less protective than this DPA and remains liable for their performance. Changes are announced 14 days in advance to the contact e-mail on file; the Controller may object on reasonable data-protection grounds.

5. International transfers

Primary hosting, storage, and payments use EU infrastructure and entities. Real-time translation uses the Google Gemini API (developer API) on a paid (billed) plan, under which Google does not use Controller data to train its models; Google processes this data on a global basis that may occur outside the EEA under Google's Gemini API terms. An EEA data-residency option for this translation model is not currently available (it is not yet offered on Google Vertex AI). Transactional e-mail (Resend) and edge/DNS/CDN (Cloudflare) may also process limited data outside the EEA under the EU Standard Contractual Clauses (Art. 46 GDPR) in their data processing agreements.

6. Assistance, breaches, deletion

The Processor assists the Controller with data-subject requests and DPIAs to the extent the service holds relevant data; notifies the Controller of personal data breaches without undue delay after becoming aware; and on termination deletes or returns the Controller's instance data (transcripts, accounts, devices) except billing records retained under accounting and tax law. Usage ledgers contain no audience personal data.

7. Audits

On request, the Processor provides a written description of measures and relevant logs to demonstrate compliance with Art. 28; on-site audits are limited to once per year, at the Controller's cost, with 30 days' notice, subject to confidentiality and without access to other organizations' data.

Reviewed for accuracy against the live platform on 2026-07-12. Working version prepared by the Processor and not legal advice; independent Czech/EU counsel should confirm it before general availability. Signed copies on request.