Compliance & Data Protection
Last updated: 11 April 2026
LingoVoice is built for organisations that handle sensitive communications — healthcare, legal, government, education, and regulated businesses. This page is the canonical reference for our security posture, data handling, sub-processors, and certification status. We update it whenever anything material changes.
If you are evaluating LingoVoice for procurement, this page exists so you can answer the questions on your security questionnaire without contacting us. If you need anything in writing, our Data Processing Agreement is available on request — email hello@lingovoice.ai.
1. At a glance
| Topic | Status |
|---|---|
| UK GDPR & Data Protection Act 2018 | Compliant |
| Encryption in transit | TLS 1.3 with modern cipher suites only |
| Encryption at rest | AES-256 on encrypted block storage |
| Data residency | UK and EU regions only |
| Voice audio storage | Never stored. Processed in real time and discarded. |
| Chat message storage | Deleted automatically when the room closes |
| Session recording | Opt-in only. Host controls. Deletable on demand. |
| AI training on customer data | Never. Hard-prohibited in all sub-processor agreements. |
| Right to erasure (GDPR Art. 17) | Honoured within 30 days of request |
| Cyber Essentials | Application in progress — target end Q2 2026 |
| NHS Data Security & Protection Toolkit (DSPT) | Application in progress |
| ISO 27001 | Planned 2027 |
| SOC 2 Type II | Planned post-ISO 27001 |
| Professional Indemnity Insurance | £1M cover (Lingo Service Translations Ltd) |
| Public Liability Insurance | £2M cover |
2. Data we process and how long we keep it
2.1 Voice audio
Voice audio is streamed in real time to speech-recognition services for transcription, then immediately discarded. No voice audio is ever stored on LingoVoice servers — unless the host of a session explicitly enables session recording, in which case the recording is stored under the host’s control and can be deleted at any time.
2.2 Chat messages and translations
Chat messages and their translations exist only for the duration of the active interpreting room. When the last participant leaves, all messages for that room are deleted automatically. Messages are never archived or backed up.
2.3 Session recordings (opt-in only)
Session recording is disabled by default. A host may enable recording on a per-session basis with explicit consent from participants. Recordings include the audio and the bilingual transcript, are stored in UK cloud storage (London region), and remain entirely under the host’s control. Hosts can delete any recording at any time. We never access recordings ourselves except for direct technical support requested by the customer.
2.4 AI session summaries (opt-in only)
If a host requests an AI summary of a session, the summary is generated from the room transcript and stored against the host’s account. Summaries are deletable by the host at any time and never used to train AI models.
2.5 Account and billing data
Your name, email, organisation, billing address, and transaction history are retained for the lifetime of your account and for the period required by UK tax law (six years from the end of the relevant accounting period, per HMRC).
2.6 Usage metadata
Per-session metadata (date, duration, languages used, minutes consumed, cost) is retained for billing transparency, organisational reporting, and dispute resolution. This metadata does not include any conversation content.
2.7 Right to erasure
You can request deletion of your account and associated data at any time by emailing hello@lingovoice.ai. We will action the request within 30 days as required by UK GDPR Article 17, except where we are legally required to retain certain records (such as billing data for tax compliance).
3. Encryption
3.1 In transit
All communication between your browser and LingoVoice is secured with TLS 1.3 using modern cipher suites only. HTTP connections are automatically redirected to HTTPS. Real-time interpreting sessions use encrypted WebSocket (WSS) connections for all audio, text, and control messages. HSTS is enforced.
3.2 At rest
All stored data resides on AES-256 encrypted block storage. Database, file storage, and any session recordings are protected by full-disk encryption.
3.3 Passwords
User passwords are hashed with bcrypt at 12 salt rounds. Passwords are never stored in plaintext or in any reversible format. We never see, log, or transmit passwords beyond the moment of authentication.
3.4 Access tokens
Access tokens have a 15-minute expiry and are automatically refreshed in the background. Refresh tokens are stored only as SHA-256 hashes and are delivered to the browser as httpOnly cookies, which are inaccessible to JavaScript. Because only the hashes are stored, a database compromise cannot yield valid tokens.
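The sketch below is an added illustration of the hash-at-rest refresh-token pattern described in 3.4; it is not LingoVoice's code. The cookie name and path, the 7-day refresh lifetime, single-use rotation, and the in-memory `Map` standing in for the database table are all assumptions made for the example.

```javascript
// Added example (not LingoVoice code): refresh tokens persisted only as SHA-256 hashes.
const { createHash, randomBytes } = require('node:crypto');

const ACCESS_TTL_MS = 15 * 60 * 1000;            // 15-minute access token, as stated on the page
const REFRESH_TTL_MS = 7 * 24 * 60 * 60 * 1000;  // assumption: the page gives no refresh lifetime

// A fast hash is adequate here because the input is a 256-bit random value,
// not a guessable password (passwords need a slow hash such as bcrypt).
const sha256Hex = (value) =>
  createHash('sha256').update(String(value), 'utf8').digest('hex');

// Hypothetical stand-in for the refresh-token table: hex hash -> row.
const store = new Map();

function issueRefreshToken(userId, now = Date.now()) {
  const token = randomBytes(32).toString('base64url');
  store.set(sha256Hex(token), { userId, expiresAt: now + REFRESH_TTL_MS });
  return token; // the raw value goes to the client only and is never persisted
}

// Set-Cookie value: HttpOnly hides the token from page scripts, Secure keeps it
// on HTTPS, and the narrow Path limits which requests carry it.
function refreshCookie(token) {
  return `refresh_token=${token}; HttpOnly; Secure; SameSite=Strict; ` +
         `Path=/auth/refresh; Max-Age=${REFRESH_TTL_MS / 1000}`;
}

// Hash whatever the client presents and look that up. A value copied out of
// the table is hashed again here, so it matches no row and is rejected.
function redeemRefreshToken(presented, now = Date.now()) {
  const key = sha256Hex(presented);
  const row = store.get(key);
  if (!row) return null;
  store.delete(key);                       // assumption: rotate, each token works once
  if (row.expiresAt <= now) return null;   // expired tokens are removed and refused
  return {
    userId: row.userId,
    accessExpiresAt: now + ACCESS_TTL_MS,
    refreshToken: issueRefreshToken(row.userId, now),
  };
}
```
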
4. Data residency
All processing happens within the United Kingdom and European Union. Our primary infrastructure is hosted in London. Speech recognition, translation, and text-to-speech processing are performed in UK and EU regions only.
Where any sub-processor handles data in a country outside the UK/EU, that transfer is governed by Standard Contractual Clauses (SCCs) or the UK–US Data Bridge (where applicable). The categories of data transferred outside the UK/EU are limited to email addresses for transactional notifications — we never transfer conversation content, voice audio, or session transcripts outside the UK/EU.
5. Sub-processors
LingoVoice uses a small number of carefully vetted sub-processors to deliver core platform capabilities. The categories below describe what each provider does. The full sub-processor list with named providers, contractual data-protection terms, and certification details is available to current customers and qualified prospects on request — email hello@lingovoice.ai.
| Category | Purpose | Data processed | Region |
|---|---|---|---|
| Cloud hosting | Platform infrastructure | All platform data | UK (London) |
| File storage | Document and recording storage | User-uploaded files, opt-in recordings | UK (London) |
| Translation engines | Real-time text translation | Chat message text only | UK / EU |
| Speech recognition | Voice-to-text conversion | Voice audio (in transit only, never stored) | UK / EU |
| Text-to-speech | Voice synthesis | Translated text (in transit only) | UK / EU |
| Payment processing | PCI-compliant card payments | Payment instrument data only | EU |
| Transactional email | Account, billing, and notification emails | Email address only | UK / EU |
All sub-processors are bound by data-processing agreements that prohibit the use of customer data for AI model training or any purpose beyond delivering the contracted service.
6. Certifications and assessments
| Standard | Status | Target |
|---|---|---|
| UK GDPR & Data Protection Act 2018 | Compliant | — |
| Cyber Essentials | Application in progress | End Q2 2026 |
| Cyber Essentials Plus | Planned | Q3 2026 |
| NHS Data Security & Protection Toolkit (DSPT) | Application in progress | Q3 2026 |
| ISO 27001 (Information Security) | Planned | 2027 |
| ISO 9001 (Quality Management) | Renewal in progress | Q3 2026 |
| ISO 17100 (Translation Services) | Renewal in progress | Q3 2026 |
| SOC 2 Type II | Planned | Post-ISO 27001 |
| WCAG 2.2 AA accessibility | Self-assessed | Independent audit Q4 2026 |
| ICO registration | Held by parent company Lingo Service Translations Ltd | — |
We will not claim certifications we do not currently hold. If a certification matters to your procurement process and ours is in progress, we are happy to share evidence of where we are in the assessment cycle — including the assessor name and target audit date.
7. AI use, ethics, and the EU AI Act
LingoVoice is classified as a limited-risk AI system under the EU AI Act — we provide assistive translation and transcription, not autonomous decision-making. We comply with the relevant transparency and human-oversight obligations.
For clinical and legal use we follow these principles:
- Human-in-the-loop for safety-critical decisions. LingoVoice is intended to augment human professionals, not replace them. For sworn legal proceedings, court appearances, end-of-life conversations, or any safety-critical setting, a qualified human interpreter should always be used.
- No training on customer data. Your conversations are never used to train AI models, and our sub-processor agreements prohibit it explicitly.
- Audit trail. Every session generates a metadata audit log (date, duration, participants, languages) that customers can export.
- Domain-tuned modes. Clinical and legal modes apply domain-appropriate translation behaviour to reduce terminology errors in regulated contexts.
8. Authentication and access control
8.1 Account access
Email and password (bcrypt 12 rounds) plus optional Google or Microsoft single sign-on. Two-factor authentication is on the roadmap.
8.2 Organisation roles
Three role tiers: Owner (full administrative control including billing), Admin (can manage members and rooms but not billing), and Member (standard access to interpreting sessions and shared resources).
8.3 Guest access
Guest tokens are room-specific, time-limited, single-use where appropriate, and revocable at any time by the host. Guests do not see organisation data.
9. Incident response and notification
In the event of a personal data breach affecting LingoVoice customers, we will notify the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of the breach where required under UK GDPR Article 33, and we will notify affected customers without undue delay.
Security disclosures and responsible disclosure: security@lingovoice.ai. We commit to acknowledge security reports within two working days.
10. Insurance
- Professional Indemnity: £1,000,000 cover, held by parent company Lingo Service Translations Ltd. Carrier details on request.
- Public Liability: £2,000,000 cover.
- Cyber Insurance: Application in progress alongside Cyber Essentials.
11. Subject access requests, complaints, and contact
General compliance enquiries: hello@lingovoice.ai
Data Protection Officer: dpo@lingovoice.ai
Security disclosures: security@lingovoice.ai
Right of complaint: If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the UK Information Commissioner’s Office at ico.org.uk.
LingoVoice is a product of Lingo Service Translations Ltd, registered in England & Wales (Company No. 09343595). Cardiff, United Kingdom.