Privacy Policy
Last updated: July 2026
Who we are
Babel is operated by Hakol Sound, a company registered in Israel (registered address: [to be inserted by counsel]; company number: [to be inserted by counsel]). For the personal data described in this policy, Hakol Sound is the data controller — except event content (audio, transcripts, speaker names), which organizers entrust to us to process on their behalf. For anything in this policy, contact RonP@hakolsound.co.il.
What we process
Babel is a live translation service, so the data we handle is mostly the content of your event:
- Broadcast audio — the sound feed you send us during an event, so we can transcribe and translate it in real time. We don't store it: it streams to our speech-recognition provider live and is never written to Babel's servers.
- Transcripts — the text of what was said, in the source language and in each translated language.
- Account email — the address you sign in with, used for authentication and service messages.
- Voice samples (opt-in) — if a speaker opts into voice cloning, a short voice clip is used to carry their voice across languages and is deleted when the event ends.
- Usage and cost telemetry — how many minutes were broadcast, how many listeners joined, translation latency, and what the event cost us to run. This is operational data about events, not profiles of people.
- Payment records — handled by Stripe. Card details go to Stripe directly; we keep only the purchase record (what was bought, for which event).
Listeners: no account, no personal data requested
People who scan the QR code at an event don't create accounts, and we don't ask them for any personal information — no name, no email, nothing. To deliver audio and captions to a listener's phone, their device's connection details (such as IP address) are processed transiently, the way any website processes a visitor's connection — we use them to deliver the stream, not to identify anyone. What we keep from the listening side is aggregate: how many people listened, in which languages.
We may enable product analytics (PostHog, hosted in the EU) to understand how the service is used — for example, which pages are visited and where sign-ups drop off. If we enable it, our intent for listener pages is an anonymous, cookieless configuration that does not identify individual listeners. This policy will be updated when analytics goes live.
Why we're allowed to process it (legal bases)
Where the GDPR applies, we rely on:
- Contract — for organizers: processing your account, event content, and payments is what delivering the service you bought consists of.
- Legitimate interest — for service telemetry and transient connection data: keeping the service running, secure, and improving.
- Consent — for voice cloning: a speaker's voice is only cloned if that speaker explicitly opts in, and it can be turned off at any time during the event.
Who processes it for us
Delivering live translation involves these subprocessors:
- ElevenLabs
Speech recognition and voice synthesis — the broadcast audio is transcribed and, where enabled, spoken in a synthetic or cloned voice. Based in the United States.
- Anthropic
Translation — transcript text is translated by Anthropic's Claude models. Based in the United States.
- Cartesia
Voice synthesis — translated text may be spoken using Cartesia voices, including opt-in cloned voices. Based in the United States.
- Google Cloud
Fallback translation and voice synthesis — used only if a primary provider is unavailable. Based in the United States.
- Supabase
Storage and authentication — accounts, event data, and transcripts live here, hosted in the EU (Ireland region).
- Stripe
Payments — card details go to Stripe directly; we never see or store them. Based in the United States.
- Vercel and Fly.io
Hosting — the web app and the real-time translation workers run on this infrastructure. Based in the United States.
International transfers
Our stored data lives in the EU (Supabase, Ireland region). But live translation necessarily sends event content to providers in the United States — ElevenLabs, Anthropic, Cartesia, and Google for the AI pipeline; Stripe for payments; Vercel and Fly.io for hosting. For data covered by the GDPR, we are putting EU Standard Contractual Clauses in place with these providers. If your event content is especially sensitive, contact us — we offer stricter deployment options for enterprise customers.
How long we keep it
| Data | How long we keep it |
|---|---|
| Transcripts (source + translated) | Kept for the organizer as part of the service, until the organizer deletes the event or asks us to remove them. |
| Voice clips and cloned voices (opt-in) | Deleted automatically when the event's broadcast ends. Cloned voices are removed from the synthesis provider at teardown. |
| Account data (email, events, settings) | Kept for the life of the account, then deleted — except records we must keep to meet legal obligations (e.g. invoicing and tax). |
| Payment records | Held by Stripe and retained as required by tax and accounting law. We never store card details. |
| Service telemetry (latency, usage, cost metrics) | Kept in aggregate to operate and improve the service; not used to profile individuals. |
| Live audio | Not stored by Babel. Broadcast audio streams to our speech-recognition provider in real time; synthesized audio is ephemeral and discarded after delivery. |
If you want an event's transcripts or any other data deleted, contact us and we'll remove it.
Security
Data is encrypted in transit everywhere — between your browser and us, and between us and every provider we use. Access to stored event data is controlled with database row-level security, so an organizer's data can only be written by that organizer. Administrative access to our systems is role-based and limited to the people who operate the service. No system is perfectly secure, and we don't claim ours is — if we learn of a breach affecting your data, we'll tell you.
Your rights and how to reach us
You can ask us for access to the personal data we hold about you, to correct it, to delete it, to receive a copy in a portable format, or to object to processing based on legitimate interest. Email RonP@hakolsound.co.il. We answer these ourselves, quickly.
These rights come from the GDPR where it applies to you, and from Israel's Privacy Protection Law for data processed in Israel. If you believe we've handled your data unlawfully, you also have the right to complain to a supervisory authority — your local EU data protection authority, or the Israeli Privacy Protection Authority.
Children
Babel is a tool for event organizers and is not directed at children under 16. We don't knowingly collect personal data from children; if you believe a child has given us personal data, contact us and we'll delete it.
Changes to this policy
When this policy changes, we'll update the date at the top. For material changes — like a new subprocessor or a new use of your data — we'll tell account holders by email before the change takes effect.