KuuloPrivacy Policy
Kuulo processes audio and transcripts on-device — your recordings never leave your iPhone or Mac. This policy explains what data we collect and your rights under UK GDPR, EU GDPR, and California law (CCPA/CPRA).
Kuulo is provided by CL3 Holdings Ltd (company number 16504597), a private limited company incorporated in England and Wales, trading under the name Kuulo. Our registered office is at 167–169 Great Portland Street, London, England, W1W 5PF.
This Privacy Policy explains what personal data we collect when you use the Kuulo app and website, how we use it, and what rights you have under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We are the data controller in respect of your personal data.
Effective date: 9 June 2025
Last updated: 19 June 2026
If you have questions, contact us at support@kuulo.ai.
1. Our core privacy principle: on-device processing
Kuulo is built around a single architectural commitment: your audio recordings and transcripts never leave your device.
All speech recognition, speaker identification, and AI summarisation runs locally on your iPhone or Mac using Apple's Neural Engine and on-device machine learning models. We do not receive, store, or process your audio. We do not receive your transcripts unless you explicitly share them with us (for example, by emailing a support query that includes a note).
This means the most sensitive data you create in Kuulo — recordings of meetings, consultations, lectures, and conversations — is private by architecture, not merely by policy.
2. Personal data we collect
2.1 Account data
When you create a Kuulo account, we collect:
- Your name and email address
- Password (stored in hashed form; we never store your plaintext password)
- The date your account was created
We use this data to operate your account, send you transactional emails (password reset, subscription receipts), and provide customer support.
2.2 Subscription and payment data
Subscriptions are processed exclusively through Apple's App Store. We do not collect or store your payment card details. Apple provides us with:
- Subscription status (active, expired, trial)
- Subscription tier (Free, Pro, etc.)
- The App Store transaction identifiers required to verify your entitlement
Payment card data is governed by Apple's own Privacy Policy, available at apple.com/legal/privacy.
2.3 Usage and diagnostic data
With your consent (requested when you first open the app), we may collect anonymised, aggregated analytics to understand how the app is used and to diagnose crashes. This may include:
- App version, device model, and operating system version
- Session duration and feature interaction counts (e.g. number of recordings started)
- Crash logs and stack traces
This data is collected at the device level and cannot be used to identify you individually. It does not include any content from your notes, recordings, or transcripts.
You can opt out of analytics collection at any time in Settings → Privacy → Analytics within the app.
2.4 Support communications
If you contact us by email or through any in-app feedback tool, we collect the contents of your message and your email address. We use this solely to respond to your query and improve the product.
2.5 Data we do NOT collect
We do not collect:
- Audio recordings (these stay on your device)
- Transcripts or note content (these stay on your device)
- Location data
- Contacts or calendar data beyond what you explicitly share with us
- Health, biometric, or sensitive personal data
- Data from third-party advertising networks
3. Legal basis for processing (UK GDPR)
| Data type | Legal basis |
|---|---|
| Account data | Contractual necessity (Article 6(1)(b)) — needed to provide the service |
| Subscription/entitlement data | Contractual necessity (Article 6(1)(b)) |
| Analytics (with consent) | Consent (Article 6(1)(a)) |
| Support communications | Legitimate interests (Article 6(1)(f)) — responding to your queries |
| Legal compliance | Legal obligation (Article 6(1)(c)) |
4. How we use your data
We use your personal data only for the purposes described in this policy:
- To create and manage your account
- To verify and manage your subscription entitlements
- To send you transactional emails (receipts, security alerts, password resets)
- To diagnose crashes and improve the product (analytics data, with consent)
- To respond to your support requests
- To comply with applicable law
We do not use your data for automated decision-making or profiling that produces legal or similarly significant effects. We do not use your data for targeted advertising.
5. AI model training
We do not use your personal data — including any anonymised or de-identified data — to train AI models operated by third parties such as OpenAI, Anthropic, Google, or Apple. Any AI model training Kuulo undertakes uses only fully anonymised, aggregate, synthetic, or internally generated datasets. Your audio, transcripts, and note content are never used for model training because we never receive them.
6. Data sharing and third parties
We share personal data only in the following limited circumstances:
6.1 Service providers
We work with a small number of third-party service providers who process data on our behalf, under data processing agreements that require them to protect your data:
| Provider | Purpose | Data shared |
|---|---|---|
| Apple Inc. | App distribution, subscription billing, push notifications | Device token, subscription status |
| Hosting provider (e.g. Cloudflare) | Website and API hosting | Account data (encrypted in transit and at rest) |
| Email service provider | Transactional email delivery | Email address, name |
| Analytics provider (if consent given) | Crash reporting and usage analytics | Anonymised device/session data |
6.2 Legal requirements
We may disclose personal data where required to do so by law, court order, or a lawful request from a public authority.
6.3 Business transfers
If Kuulo or CL3 Holdings Ltd is involved in a merger, acquisition, or asset sale, your personal data may be transferred to the acquirer. We will provide notice before your data becomes subject to a different privacy policy.
6.4 No sale of data
We do not sell your personal data to any third party for any purpose.
7. Data retention
We retain your personal data for as long as your account is active. If you delete your account, we will delete or anonymise your personal data within 30 days, except where we are required to retain it for longer by law (for example, financial records we are required to keep under UK company law).
Anonymised analytics data that cannot be used to identify you may be retained indefinitely for product improvement purposes.
8. Data security
We take appropriate technical and organisational measures to protect your personal data against unauthorised access, disclosure, alteration, or destruction, including:
- Encryption of data in transit (TLS 1.2 or higher)
- Encryption of data at rest
- Access controls limiting who within our team can access your data
- Regular review of our security practices
No method of transmission over the internet or electronic storage is completely secure. If you believe your account has been compromised, contact us immediately at support@kuulo.ai.
9. International data transfers
We are a UK-based company and aim to process personal data within the UK or the European Economic Area wherever possible. Where we use service providers outside the UK or EEA, we ensure appropriate safeguards are in place in accordance with Chapter V of the UK GDPR (for example, the UK International Data Transfer Agreement, or equivalent standard contractual clauses).
10. Children's privacy
Kuulo is not intended for use by children under the age of 13. We do not knowingly collect personal data from children under 13. If we become aware that a child under 13 has provided us with personal data, we will delete that information promptly. If you believe a child under 13 has created a Kuulo account, please contact us at support@kuulo.ai.
If you are between 13 and 16 years old, your use of Kuulo is subject to consent from a parent or guardian where required by UK GDPR Article 8.
11. Your rights under UK GDPR
You have the following rights in relation to your personal data:
Right to access. You can request a copy of the personal data we hold about you.
Right to rectification. You can ask us to correct inaccurate or incomplete data.
Right to erasure. You can request that we delete your personal data, subject to any legal obligations we have to retain it.
Right to restriction. You can ask us to restrict how we process your data in certain circumstances.
Right to data portability. You can request your data in a structured, commonly used, machine-readable format.
Right to object. You can object to our processing of your data where we rely on legitimate interests as our legal basis.
Right to withdraw consent. Where we process your data on the basis of consent (e.g. analytics), you can withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
To exercise any of these rights, email support@kuulo.ai with "Data Rights Request" in the subject line. We will respond within one month of receiving your request. We may need to verify your identity before fulfilling the request.
Right to lodge a complaint. If you are not satisfied with our response or believe we are processing your data unlawfully, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO). The ICO can be reached at ico.org.uk or by calling 0303 123 1113.
12. Cookies and tracking
Website
Our website (kuulo.ai) may use cookies for the following purposes:
- Essential cookies: required for the site to function (e.g. session management)
- Analytics cookies: used (with your consent) to understand how visitors use the site, using anonymised data
You can manage cookie preferences through our cookie consent banner when you first visit the site, or by adjusting your browser settings. Refusing non-essential cookies will not affect your ability to use the website.
App
The Kuulo app does not use cookies. Any analytics collected within the app use Apple's standard privacy-preserving frameworks and are subject to your in-app analytics consent.
13. Apple platform-specific disclosures
App Tracking Transparency
Kuulo does not track you across apps or websites owned by other companies and does not request permission to do so under Apple's App Tracking Transparency (ATT) framework.
HealthKit
Kuulo does not access or write to Apple HealthKit. Note content you create in the app is not shared with the Health app.
Microphone access
The Kuulo app requires microphone access to record audio for transcription. All processing is on-device. We never receive your audio. You can revoke microphone access at any time via Settings → Privacy & Security → Microphone on your iPhone or Mac.
iCloud
If you enable iCloud sync, your notes and transcripts may be synced to your iCloud account under Apple's iCloud terms and privacy policy. This is governed by Apple, not Kuulo. We never receive data via iCloud.
14. California residents (CCPA / CPRA)
If you are a resident of California, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), gives you specific rights regarding your personal information.
Categories of personal information collected
In the past 12 months we have collected the following categories of personal information:
| Category | Examples | Collected |
|---|---|---|
| Identifiers | Name, email address, account ID | Yes |
| Commercial information | Subscription tier, purchase history | Yes |
| Internet or network activity | App usage analytics (with consent), crash logs | Yes (with consent) |
| Audio and electronic data | Voice recordings, transcripts | No — processed on-device only, never received by us |
| Sensitive personal information | Passwords (hashed) | Yes |
Your California rights
Right to know. You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, our business purpose for collecting it, and the categories of third parties with whom we share it.
Right to delete. You have the right to request that we delete personal information we have collected from you, subject to certain exceptions.
Right to correct. You have the right to request that we correct inaccurate personal information we hold about you.
Right to opt out of sale or sharing. We do not sell your personal information and do not share it for cross-context behavioural advertising. No opt-out action is needed.
Right to limit use of sensitive personal information. We use sensitive personal information (hashed passwords) only for account security purposes — we do not use it for any additional purposes that would require you to exercise a right to limit.
Right to non-discrimination. We will not discriminate against you for exercising any of your CCPA/CPRA rights.
How to submit a request
To exercise your California rights, contact us at support@kuulo.ai with the subject line "California Privacy Request". We will acknowledge your request within 10 business days and respond within 45 calendar days. We may need to verify your identity before processing a request.
You may also designate an authorised agent to submit a request on your behalf, provided the agent can verify their authority to act for you.
15. EU and EEA residents (EU GDPR)
If you are located in a European Union member state or the European Economic Area, the EU General Data Protection Regulation (EU GDPR) applies to our processing of your personal data in addition to the UK GDPR provisions described in this policy.
Data controller
CL3 Holdings Ltd, 167–169 Great Portland Street, London, England, W1W 5PF is the data controller for personal data processed in connection with Kuulo.
Legal bases for processing
| Processing activity | Legal basis (EU GDPR) |
|---|---|
| Account creation and management | Article 6(1)(b) — performance of a contract |
| Subscription and entitlement verification | Article 6(1)(b) — performance of a contract |
| Analytics (with consent) | Article 6(1)(a) — consent |
| Support communications | Article 6(1)(f) — legitimate interests |
| Legal compliance | Article 6(1)(c) — legal obligation |
International transfers
We are based in the United Kingdom. Following the UK's exit from the EU, the European Commission has issued an adequacy decision for the UK (Commission Implementing Decision 2021/1772), meaning personal data can be transferred from the EU to the UK without additional safeguards. Where we use service providers outside the UK and EU/EEA, we ensure appropriate safeguards are in place, such as the EU Standard Contractual Clauses (SCCs).
Your EU GDPR rights
You have the following rights under EU GDPR, which mirror those described in Section 11 (UK GDPR) of this policy:
- Right of access (Article 15)
- Right to rectification (Article 16)
- Right to erasure (Article 17)
- Right to restriction of processing (Article 18)
- Right to data portability (Article 20)
- Right to object (Article 21)
- Right to withdraw consent at any time (Article 7(3))
To exercise any of these rights, email support@kuulo.ai with the subject line "EU GDPR Request". We will respond within one month.
Right to lodge a complaint
If you are located in the EU or EEA and are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority. A list of EU supervisory authorities is available at edpb.europa.eu/about-edpb/board/members.
16. Changes to this policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or through a notice in the app before the changes take effect. The "Last updated" date at the top of this page indicates when this policy was last revised. Continued use of Kuulo after the effective date of any changes constitutes your acceptance of the revised policy.
17. Contact
CL3 Holdings Ltd (trading as Kuulo)
167–169 Great Portland Street
London, England
W1W 5PF
Company number: 16504597
Privacy and data protection enquiries: support@kuulo.ai
For formal UK GDPR requests, please use the subject line "Data Rights Request".