Enter app

1. Introduction

Leyden is a service operated by Vantara Labs Ltd, a company registered in England & Wales under company number 17133349, whose registered office is at Gibson House, Hurricane Court, Hurricane Close, Stafford, ST16 1GZ, United Kingdom (referred to in this policy as "we", "us", or "our"). Vantara Labs Ltd is the data controller for personal data processed through Leyden.

Vantara Labs Ltd is registered with the UK Information Commissioner's Office (ICO) as a data controller under registration reference ZC129018.

We respect your privacy and are committed to protecting your personal data. This privacy policy explains how we look after your personal data when you visit our website at leyden.app, use the Leyden web application at jar.leyden.app, or use the Leyden mobile application. It also tells you about your privacy rights and how the law protects you.

If you are located in the European Economic Area (EEA), the EU General Data Protection Regulation (GDPR) applies to our processing of your personal data. If you are located in the United Kingdom, the UK GDPR and Data Protection Act 2018 apply. If you are located in California, see Section 13 for additional rights under the California Privacy Rights Act (CPRA).

Status note. Leyden is currently in pre-launch / private access. We do not take payments today, so this policy does not describe billing or subscription processing. If and when we introduce paid plans, this policy will be updated and you will be notified before any change takes effect.

2. Information We Collect

2.1. Account Information

When you create an account we collect:

  • Name (or display name)
  • Email address
  • Authentication credentials (passwords are never stored in plain text — they are hashed by Firebase Authentication)
  • Account preferences and settings

2.2. Voice Recordings and Captured Ideas

Leyden's core feature is voice and text capture. When you use the Service we process:

  • Voice recordings that you initiate by tapping the capture button.
  • Transcribed text produced from those recordings.
  • Typed ideas, notes, tags, and links that you enter directly.
  • AI-generated metadata derived from your input (auto-titles, suggested tags, embedding vectors used for "smart linking").

Voice recordings are stored in Firebase Storage and are visible to you within the app. You can delete any recording or any captured idea at any time from the app, and the underlying file and database records are removed in accordance with §8.

2.3. Usage Data

We automatically collect certain information when you visit, use, or navigate our website. This information does not on its own reveal your specific identity and includes:

  • IP address (truncated by Google Analytics before storage; see §4.4)
  • Browser and device characteristics
  • Operating system
  • Referring URLs
  • Pages viewed and time spent on pages
  • Interactions with features (e.g. capture button presses, idea views)

2.4. Cookies and Similar Technologies

We use cookies and similar technologies to operate the Service.

Strictly necessary cookies are required for the Service to function (authentication, session continuity). They do not require your consent under PECR.

Analytics cookies (Google Analytics 4) are used to understand how visitors interact with our marketing site. Google Consent Mode v2 is configured so that no advertising or remarketing identifiers are set; only first-party analytics measurement is enabled. You can prevent analytics cookies entirely by blocking them in your browser settings.

The table below lists the cookies in use today:

CookieProviderCategoryPurposeDuration
nuxt-sessionLeyden (nuxt-auth-utils)Strictly necessaryAuthenticated session for the web app7 days
_gaGoogle AnalyticsAnalyticsDistinguishes unique visitors2 years
_ga_<CONTAINER-ID>Google AnalyticsAnalyticsSession state2 years

If you refuse strictly necessary cookies, parts of the Service will not function.

3. How We Use Your Information

We use the information we collect for the following purposes:

PurposeLegal Basis
Provide, operate, and maintain your account and the ServicePerformance of a contract with you
Transcribe voice recordings into text and store the resulting ideasPerformance of a contract with you
Generate AI-assisted titles, tags, and "smart links" between your ideasPerformance of a contract with you
Send transactional emails (account verification, password reset, security notifications)Performance of a contract with you
Analyse website usage to improve the ServiceLegitimate interest (improving our product)
Detect and prevent fraud or abuseLegitimate interest (security)
Comply with legal obligationsLegal obligation

4. Third-Party Data Processors

We share your personal data with the following third-party service providers who process data on our behalf under appropriate contractual safeguards:

4.1. Firebase (Google Cloud)

  • What they process: Email address, authentication credentials, account data, captured ideas, transcripts, voice recording files, AI-generated metadata
  • Purpose: User authentication, database storage (Firestore), file storage (Cloud Storage), hosting, Cloud Functions, vector search
  • Data location: European Union and United States (regional buckets where supported; cross-region replication may apply)
  • Privacy policy: firebase.google.com/support/privacy

4.2. OpenAI (Whisper)

  • What they process: Audio data sent for transcription
  • Purpose: Converting voice recordings into text via the Whisper API
  • Data location: United States
  • Note: Audio is sent only when you initiate a capture. We use the OpenAI API tier; per OpenAI's API data usage policy, API inputs and outputs are not used to train OpenAI's models by default. Audio is retained by OpenAI for up to 30 days for abuse-monitoring purposes and then deleted by them.
  • Privacy policy: openai.com/policies/privacy-policy
  • Enterprise data agreement: openai.com/enterprise-privacy

4.3. Google AI (Gemini and Embeddings)

  • What they process: Transcribed text and typed ideas sent to Google's generative AI models
  • Purpose: Generating titles, tags, summaries, and embedding vectors that power "smart linking" between your ideas
  • Data location: European Union and United States
  • Note: We use Google's AI services via the paid Vertex AI / Gemini API. Per Google's terms for paid API usage, your prompts and the resulting completions are not used to train Google's foundation models or improve their products.
  • Privacy policy: policies.google.com/privacy
  • Generative AI terms: cloud.google.com/terms/generative-ai/preview

4.4. Google Analytics

  • What they process: Truncated IP address, device and browser information, pages viewed, session duration, referral source
  • Purpose: Understanding how visitors use the marketing site in order to improve the Service
  • Data location: United States
  • Note: Google Analytics 4 truncates IP addresses before they are stored. We do not enable Google Signals or User-Provided Data collection on our Analytics property, and Consent Mode v2 is configured to deny advertising storage by default.
  • Privacy policy: policies.google.com/privacy

4.5. SendGrid (Twilio)

  • What they process: Email address, name, email content, delivery metadata
  • Purpose: Sending transactional emails (account verification, password resets, security notifications)
  • Data location: United States
  • Privacy policy: twilio.com/legal/privacy

4.6. Use of your content for AI training

We do not use your voice recordings, transcripts, or captured ideas to train any AI model — neither our own models nor any third-party model. Where we send your content to Google AI or OpenAI, it is only for the purpose of producing the immediate output you have asked for (a transcript, a title, a tag, an embedding). We use those providers under their paid-API terms, which contractually prohibit them from using API inputs to train their general-purpose models.

If we ever introduce a feature that uses your content for model training, it will be strictly opt-in and we will update this policy and notify you before any such processing begins.

5. International Data Transfers

Your personal data may be transferred to and processed in the United States and other jurisdictions by the third-party processors listed above. These transfers are protected by appropriate safeguards:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • EU-US Data Privacy Framework (where the processor is certified)
  • UK International Data Transfer Agreement (IDTA) or UK Addendum to SCCs

Each of our processors maintains appropriate safeguards for international data transfers in accordance with applicable data protection law.

6. Data Sharing and Disclosure

Beyond the processors listed in Section 4, we may share your information in the following situations:

6.1. Business Transfers

If we are involved in a merger, acquisition, or sale of all or a portion of our assets, your data may be transferred as part of that transaction. We will notify you before your personal data is transferred and becomes subject to a different privacy policy.

6.2. Legal Requirements

We may disclose your information where we are legally required to do so in order to comply with applicable law, governmental requests, a judicial proceeding, court order, or legal process.

6.3. With Your Consent

We may disclose your personal information for any other purpose with your consent.

We do not sell your personal data to third parties, and we do not share it for cross-context behavioural advertising.

7. Data Security

We have implemented appropriate technical and organisational security measures designed to protect the security of personal information we process, including:

  • Encrypted data transmission (HTTPS/TLS)
  • Encryption at rest for stored audio files and database records (provided by Firebase / Google Cloud Storage)
  • Hashed password storage (via Firebase Authentication)
  • Role-based access controls and multi-factor authentication for administrative systems
  • Regular security reviews and dependency audits
  • Secrets stored in Google Secret Manager, never in source control

Despite our safeguards and efforts to secure your information, no electronic transmission over the internet or information storage technology can be guaranteed to be 100% secure.

7.1. Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the UK Information Commissioner's Office (ICO) within 72 hours of becoming aware of it. Where the breach is likely to result in a high risk to affected individuals, we will also notify you directly without undue delay.

8. Data Retention

We retain your personal data for the following periods:

Data TypeRetention Period
Account data (name, email, preferences)Duration of your account, plus 30 days after deletion
Captured ideas, transcripts, AI-generated metadataUntil you delete the item, or 30 days after account deletion
Voice recording files (Firebase Storage)Until you delete the recording, or 30 days after account deletion
Audio data sent to OpenAI for transcriptionUp to 30 days (retained by OpenAI for abuse monitoring; not retained by us beyond the time needed to receive the transcript)
Analytics data (Google Analytics)14 months (GA4 configured retention)
Email delivery logs (SendGrid)30 days
Authentication logs90 days

When you delete your account, we will delete or anonymise your personal data within 30 days, except where we are required by law to retain certain records.

9. Your Data Protection Rights

Depending on your location, you have the following rights regarding your personal information:

  • Right to Access: You have the right to request copies of your personal data.
  • Right to Rectification: You have the right to request that we correct any information you believe is inaccurate or complete information you believe is incomplete.
  • Right to Erasure: You have the right to request that we erase your personal data, under certain conditions.
  • Right to Restrict Processing: You have the right to request that we restrict the processing of your personal data, under certain conditions.
  • Right to Object to Processing: You have the right to object to our processing of your personal data, under certain conditions.
  • Right to Data Portability: You have the right to request that we transfer the data we have collected to another organisation, or directly to you, under certain conditions.
  • Right to Withdraw Consent: Where we process your data based on consent, you may withdraw consent at any time.

If you make a request, we have one month to respond. Contact us at [email protected].

9.1. Right to Complain to a Supervisory Authority

If you believe we have not handled your personal data properly, you have the right to lodge a complaint with a data protection supervisory authority:

  • United Kingdom: Information Commissioner's Office (ICO) — ico.org.uk
  • EU/EEA countries: Your local data protection authority

10. Children's Privacy

Leyden is not directed at children. You must be at least 16 years old to create an account, in line with the UK GDPR / EU GDPR age of digital consent. We do not knowingly collect personal data from anyone under the age of 16. If you are a parent or guardian and become aware that a child under 16 has provided us with personal data, please contact us at [email protected] and we will delete the information promptly.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "date" field at the top. For material changes, we will notify registered users by email at least 30 days before the changes take effect.

You are advised to review this Privacy Policy periodically. Changes are effective when posted on this page (or, for material changes, after the 30-day notice period).

12. Contact Us

If you have any questions about this Privacy Policy or wish to exercise your data protection rights, please contact us:

  • By email: [email protected]
  • By post: Vantara Labs Ltd, Gibson House, Hurricane Court, Hurricane Close, Stafford, ST16 1GZ, United Kingdom

13. California Residents (CPRA)

If you are a California resident, you have the following rights under the California Privacy Rights Act (CPRA) in addition to the rights set out in Section 9:

  • Right to Know what personal information we have collected, used, disclosed, and the purposes for which it was collected
  • Right to Delete the personal information we have collected about you, subject to legal exceptions
  • Right to Correct inaccurate personal information we hold about you
  • Right to Limit Use of Sensitive Personal Information to purposes reasonably necessary to provide the Service
  • Right to Opt Out of Sale or Sharing of personal information for cross-context behavioural advertising
  • Right to Non-Discrimination for exercising your privacy rights

We do not sell or share your personal information for cross-context behavioural advertising. To exercise any of the rights above, contact us at [email protected]. We will verify your identity using information associated with your account before acting on your request.