Tõlk.fm legal

Privacy Policy

This policy explains how Pixibit OÜ processes personal data when people use Tõlk.fm (also written as Tolk.fm), including live audio translation, captions, event control rooms, billing, waiting-list messages, and support.

Last updated: 14.06.2026
Controller: Pixibit OÜ, registry code 14153351

1. Who we are and our roles

Tõlk.fm is operated by Pixibit OÜ, an Estonian private limited company registered in the Estonian e-Business Register under registry code 14153351, with registered address Võlvi tn 6, Kesklinna linnaosa, Tallinn, Harju maakond, 10132, Estonia.

  • Controller activities. Pixibit OÜ is the controller for account, billing, product usage, security, waiting-list, support, website, and direct customer relationship data.
  • Processor activities. When an event organiser uploads or streams event audio, captions, translations, listener feedback, or speaker/open-mic content, we usually process that event content on behalf of the organiser. The organiser is responsible for notices, permissions, and lawful bases for recording or streaming people at the event.
  • Worldwide service. We operate from Estonia and may provide the service globally. If local law requires extra notices, consents, venue signage, recording announcements, labour consultation, accessibility accommodations, or event permits, the organiser must arrange them before using Tõlk.fm.

2. Data we process

| Category | Examples | Source |
| --- | --- | --- |
| Account and profile data | Name, email address, organisation, authentication identifiers, workspace settings, and login/session metadata. | You, your organisation, and our authentication provider. |
| Event setup data | Event title, description, join codes, target languages, speaker mode settings, selected AI provider, schedule, and control-room activity. | Organisers, admins, and event team members. |
| Live and prepared event content | Room audio, speaker microphone audio, open-mic audience audio, uploaded media, transcripts, captions, translations, translated audio, and related metadata. | Organisers, speakers, audience members who choose to speak, and devices connected to an event. |
| Listener and device data | Join code, selected language, playback/session status, device/browser information, IP address, approximate location from network data, logs, and troubleshooting diagnostics. | Your browser or device when you access a Tõlk.fm link. |
| Payments and billing data | Plan, credit usage, checkout status, invoice identifiers, tax details, payment method metadata, and billing communications. Full card data is handled by Stripe, not stored by us. | You, your organisation, and Stripe. |
| Support, feedback, and communications | Messages, email preferences, waiting-list signups, support requests, survey or event feedback, and attachments you send us. | You and people communicating with us. |
| Security and abuse-prevention data | Server logs, API requests, audit events, rate-limit information, fraud signals, suspicious activity indicators, and incident records. | Generated when the service is used. |

Do not intentionally submit special-category data, health data, children’s data, government identifiers, payment card numbers, secrets, or highly confidential information to live AI translation channels unless you have a documented lawful basis and have confirmed in writing with us that the service is appropriate for that use.

4. OpenAI, Google, and AI providers

Tõlk.fm sends event audio, text, prompts, settings, language choices, and generated translations to AI providers only as needed to provide the requested translation, captioning, dubbing, safety, quality, and troubleshooting features. We do not sell personal data to AI providers.

| Provider | Purpose | Data shared | Important privacy posture |
| --- | --- | --- | --- |
| OpenAI | Realtime speech translation, captions, and related AI processing when an event uses OpenAI models. | Audio streams, text, prompts/instructions, language settings, session metadata, generated translations, and logs needed to operate and secure the service. | We use OpenAI business/API services under data-processing terms where OpenAI acts as a processor for customer data, processes data under customer instructions, supports subprocessor controls, and uses transfer safeguards such as EU Standard Contractual Clauses where needed. |
| Google / Gemini API / Google Cloud | Live translation, speech/audio AI features, hosting, storage, or infrastructure where enabled. | Audio, text, prompts/instructions, files, generated translations, usage metadata, technical logs, and infrastructure data. | For EEA, Swiss, and UK users of Gemini API exposed through Tõlk.fm, Tõlk.fm must use paid Gemini services; paid Gemini API terms state prompts and responses are not used to improve Google products and are processed under Google data-processing terms. Google Cloud may process customer data in countries where Google or its subprocessors maintain facilities, subject to the applicable DPA and transfer safeguards. |
| ElevenLabs or similar prepared dubbing providers | Prepared media translation or dubbing when an organiser uploads recorded media for translated playback. | Uploaded media, source and target languages, job identifiers, generated dubbed audio, and status metadata. | Used only for prepared media features when configured. Organisers must have the rights and notices required for the uploaded recordings and voices. |

  • AI outputs can be inaccurate, incomplete, delayed, offensive, or unsuitable for regulated decisions. Human review is required for high-stakes, legal, medical, financial, safety, employment, migration, or emergency contexts.
  • Organisers should announce AI translation before and during events, display venue notices where required, and provide non-AI alternatives if local accessibility, labour, or recording laws require them.
  • If an organiser chooses a provider or region setting, the organiser is responsible for choosing an option appropriate for the event location, audience, and data sensitivity.

5. Other sharing and subprocessors

We share personal data only where needed to provide, secure, bill, support, or improve Tõlk.fm, or where required by law.

| Recipient type | Examples | Purpose |
| --- | --- | --- |
| Cloud, database, and hosting providers | Supabase, Vercel, Google Cloud, or similar infrastructure providers. | Authentication, database storage, file storage, serverless hosting, logs, and realtime features. |
| Payment providers | Stripe and banking/payment infrastructure. | Checkout, invoices, subscriptions, tax, fraud checks, refunds, and payment disputes. |
| AI and media providers | OpenAI, Google/Gemini, ElevenLabs, and similar providers enabled for the service. | Translation, captions, dubbing, speech processing, generated audio, and abuse monitoring. |
| Communications and support tools | Featurebase, email, transactional notification, customer support, and incident-management tools. | In-app support chat, product feedback, help articles, changelog, surveys, magic links, service notices, waiting-list updates, and incident response. |
| Professional advisers and authorities | Lawyers, accountants, auditors, regulators, courts, law enforcement, and public authorities. | Compliance, accounting, dispute resolution, lawful requests, and enforcement of rights. |
| Event organisers and workspace admins | The organisation or person that created the event or invited you. | Event management, listener statistics, feedback review, support, and compliance with organiser obligations. |

Where a vendor acts as our processor or subprocessor, we require appropriate contractual, confidentiality, security, and data-protection obligations. Where a recipient acts as an independent controller, its own privacy terms may also apply.

6. International transfers

Because Tõlk.fm operates worldwide and uses global providers, personal data may be processed outside Estonia, the European Economic Area, the United Kingdom, or Switzerland. For restricted transfers, we use appropriate safeguards such as adequacy decisions, EU Standard Contractual Clauses, UK transfer mechanisms, transfer impact assessments, encryption, access controls, and provider data-processing addenda where applicable.

Some realtime AI and cloud services may process data transiently in multiple countries to provide low-latency service, security monitoring, logging, or abuse prevention. If your event requires a specific processing region, tell us before using the service and do not start the event until the appropriate configuration is confirmed.

7. Retention

| Data | Default retention approach |
| --- | --- |
| Account and workspace data | Kept while the account or workspace is active, then deleted or anonymised after a reasonable closure period unless legal, billing, security, or dispute needs require longer retention. |
| Live audio streams | Processed transiently for realtime translation unless a feature or organiser action stores audio, captions, transcripts, diagnostics, or replays. |
| Uploaded media and generated translated assets | Kept until the organiser deletes them, the workspace is closed, or retention is otherwise limited by plan, contract, or operational policy. |
| Event metadata, captions, feedback, and usage records | Kept as needed for event history, billing, troubleshooting, quality, abuse prevention, and legal claims, then deleted or anonymised. |
| Payment, invoice, accounting, and tax records | Kept for statutory accounting and tax periods required under Estonian and applicable law. |
| Security logs and incident records | Kept as long as reasonably necessary for security, fraud prevention, audit, incident response, and legal claims. |
| Marketing and waiting-list data | Kept until you unsubscribe, withdraw consent, or the campaign purpose ends, subject to suppression lists needed to honour opt-outs. |

8. Your rights

If GDPR or similar law applies, you may have rights to access, correct, delete, restrict, object to processing, receive a portable copy of your data, withdraw consent, and lodge a complaint with a supervisory authority. In Estonia, the supervisory authority is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon).

To exercise rights, contact privacy@tolk.fm. We may need to verify your identity and may direct event-content requests to the organiser where the organiser is the controller. Withdrawing consent does not affect processing that happened before withdrawal or processing based on another lawful basis.

9. Security

We use organisational and technical measures designed to protect personal data, including role-based access, encryption in transit, provider access controls, environment-separated secrets, logging, backups where appropriate, and least-privilege operational practices. No online service can guarantee absolute security. You must protect join links, admin credentials, API keys, uploaded files, and event-room access from unauthorised use.

10. Children

Tõlk.fm is a professional event translation service and is not directed to children. You must be at least 18 to create an account, buy services, administer events, or use Google Gemini API-backed functionality through Tõlk.fm. Organisers must not direct events or API clients to children unless they have confirmed all required parental consent, school, safeguarding, and local-law requirements with us in writing.

11. Cookies and local storage

We use cookies and similar browser storage for essential authentication, session, security, language, playback, and event-join functionality. We may use analytics or marketing cookies only where permitted by law and, when required, after consent. You can control cookies in your browser, but blocking essential cookies may prevent login, billing, audio playback, captions, or event participation.

12. Changes and contact

We may update this policy as Tõlk.fm, providers, law, or our processing practices change. Material changes will be posted on this page and, where appropriate, notified through the service or by email. If there is a conflict between this policy and a signed data processing agreement or enterprise contract, the signed agreement controls for that customer.

Questions can be sent to privacy@tolk.fm. For service terms, see the Terms and Conditions.