Privacy notice to end-users

When a visitor clicks the orb for the first time, Spelo shows a short privacy notice. It exists because:

  • GDPR / CCPA require disclosure when processing personal data
  • Some users are surprised to discover audio is sent to a third party
  • It’s honest

What it says by default

This page uses voice AI. Your voice will be sent to OpenAI to power the conversation. We do not store your audio. Transcripts may be retained for up to 30 days.

[Continue] [Cancel] — [Read our privacy policy →]

Click Continue and the widget requests mic permission. Click Cancel and the orb closes.

Customization

Dashboard → PrivacyNotice text.

Fields:

| Field | Default | Notes |
|---|---|---|
| Title | “This page uses voice AI.” | Short — keeps the notice scannable |
| Body | (see above) | Keep under 3 sentences |
| Privacy policy URL | unset | If set, the “Read our privacy policy” link appears |
| Retention disclosure | “up to 30 days” | Computed from your transcript_retention_days setting |
| Accept button text | “Continue” | |
| Cancel button text | “Cancel” | |

When it’s shown

Once per visitor per site. We track acceptance in localStorage (key: spelo:notice:<site_id>). If the visitor clears cookies / storage, the notice is shown again.

If you change the notice content, a notice_version field bumps, and visitors see the notice again on their next session. This ensures updated terms are re-acknowledged.
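
The once-per-visitor, re-prompt-on-version-bump behavior described above can be sketched as follows. This is an added example, not Spelo's own code: the key format comes from this page, while the stored JSON value shape, the function names and the in-memory storage stand-in are assumptions made for illustration.

```javascript
// Added example. Key format is from the page; the stored JSON value shape
// and all function names are assumptions made for this illustration.
const noticeKey = (siteId) => `spelo:notice:${siteId}`;

// Decide whether the privacy notice must be shown before asking for the mic.
// Fails closed: any doubt about prior acceptance means "show it again".
function shouldShowNotice(storage, siteId, noticeVersion) {
  let raw;
  try {
    raw = storage.getItem(noticeKey(siteId));
  } catch {
    return true; // storage blocked (e.g. by browser policy)
  }
  if (raw === null) return true; // first visit, or storage was cleared
  try {
    const rec = JSON.parse(raw);
    // Acceptance of an older notice_version does not cover the current text.
    return !(rec !== null && typeof rec === "object" && rec.version === noticeVersion);
  } catch {
    return true; // corrupted or foreign value under our key
  }
}

// Persist acceptance of one specific notice version. Returns false when the
// write fails, in which case acceptance only holds for the current page view.
function recordAcceptance(storage, siteId, noticeVersion, now = new Date()) {
  const rec = { version: noticeVersion, acceptedAt: now.toISOString() };
  try {
    storage.setItem(noticeKey(siteId), JSON.stringify(rec));
    return true;
  } catch {
    return false;
  }
}

// Constructed in-memory stand-in for window.localStorage so this runs in Node.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => void m.set(k, String(v)),
    clear: () => m.clear(),
  };
}
```

Because every uncertain case returns true, a blocked, cleared or corrupted store leads to the notice being shown again rather than to a mic request without a recorded acknowledgement.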

Turning it off

You can’t. GDPR / CCPA legally require disclosure of third-party data processing for voice-capable services. If your jurisdiction has different rules, contact support@spelo.ai and we’ll configure it.

(If you’re absolutely sure you don’t need it — e.g. an internal admin dashboard where users are logged-in employees who’ve signed an AUP — we can disable it on your site via support. Requires written attestation.)

If you provide a privacy policy URL, the notice shows a link to it. Recommended structure for your privacy policy:

  1. What we collect — audio (in transit only), transcripts (stored X days), session metadata (duration, function calls)
  2. Who sees it — OpenAI (processor), Spelo (controller), you (us-the-customer)
  3. How long we keep it — 30 days for transcripts by default; audio is not stored
  4. Legal basis (GDPR) — legitimate interest + consent via the on-screen notice
  5. User rights — right to erase via the user-data deletion endpoint
  6. DPA — link OpenAI’s DPA and Spelo’s DPA

See Privacy + GDPR for our recommended boilerplate.

Cookies

The notice does NOT set a third-party cookie. It uses localStorage only. So you don’t need to expand your cookie banner to cover the widget.

If your cookie banner is aggressive and clears localStorage after rejection, the notice will re-appear every session. That’s correct behavior but users may find it annoying. Move the Spelo storage out of the “optional cookies” category if your cookie consent library supports it.

Styling

The notice is rendered inside the widget’s Shadow DOM, so your site’s CSS cannot affect it. We’ve designed it to be legible against any background; dark-mode and light-mode adapt automatically.

Enterprise customers can request custom-branded notice styling. Contact sales.

Localization

The default notice is in your site’s configured language. We ship translations for: English, Spanish, French, German, Italian, Portuguese, Dutch, Japanese, Korean.

For any other language, set the title/body manually in the dashboard — the notice supports arbitrary text.

Accessibility

  • The notice is keyboard-navigable (Tab cycles through the buttons)
  • Screen-readers announce the title and body on open
  • Respects prefers-reduced-motion (no animation on appear)
