Privacy Policy
This Privacy Policy explains how Legendary Feather ("we", "us", "our") collects, uses, and protects information when you use our real-time AI translation service available at legendaryfeather.com and related applications (the "Service").
We operate from Mexico as a registered individual with business activity (Persona Física con Actividad Empresarial) and serve users worldwide. This policy is designed to comply with the EU General Data Protection Regulation (GDPR), the Mexican Federal Law on Protection of Personal Data Held by Private Parties (LFPDPPP), the California Consumer Privacy Act (CCPA), and similar regulations.
1. Data Controller
Legendary Feather, operating as a Persona Física con Actividad Empresarial registered in Mexico, is the controller of your personal data.
Contact: legal@legendaryfeather.com
2. What We Collect
2.1 Account information
- Email address and full name (you provide these at sign-up).
- Hashed password (bcrypt; we never see your plaintext password).
- Selected display language and translation language preferences.
- Plan tier (Free, Travel Pass, Tourist, Tourist Pro).
2.2 Usage data
- Number of translation sessions, duration in seconds, source/target language pairs, and timestamps.
- Approximate IP address (for rate limiting and abuse prevention; not stored long-term).
- Browser/device user-agent string (only when an error is logged).
2.3 Voice and text data
- Microphone audio is captured locally in your browser, sent to our backend, transcribed via OpenAI Whisper, translated via DeepL, and synthesized via OpenAI Text-to-Speech. The original audio is processed in real time and not retained after the response is returned.
- Transcripts and translations of each utterance are stored in our database (PostgreSQL on Railway) so you can see your conversation history. We retain these for as long as your account is active or as required by law.
- Voice profiles for cloning: this feature is currently disabled and deferred to V2. When re-enabled, voice samples will be stored only with your explicit consent and watermarked for traceability.
2.4 Payment information
- Payment is handled exclusively by Stripe. We never see or store your full card number.
- We retain only the Stripe customer ID, the last 4 digits of your card, plan slug, and subscription status.
2.5 Cookies and local storage
We use minimal client-side storage:
- lf_token (session token, signed JWT) — stored in browser sessionStorage, expires in 24 hours.
- lf_session (your account details for the dashboard) — sessionStorage, deleted on sign-out.
- lf_lang_picked_* (UI language preference) — localStorage, persists across sessions.
We do not use third-party advertising cookies, tracking pixels, or social-media plugins.
3. Why We Use Your Data (Legal Bases)
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Provide translation, account access, billing | Performance of contract (6(1)(b)) |
| Prevent fraud, abuse, security incidents | Legitimate interest (6(1)(f)) |
| Send service emails (password reset, billing) | Performance of contract (6(1)(b)) |
| Voice cloning (V2, opt-in) | Explicit consent (6(1)(a) + Art. 9 special) |
| Comply with tax / accounting law | Legal obligation (6(1)(c)) |
4. Third-Party Sub-Processors
We use the following service providers to operate the Service. Each is bound by their own privacy policy and a Data Processing Agreement (DPA) where applicable:
- OpenAI, L.L.C. (USA) — speech-to-text (Whisper) and text-to-speech. Audio bytes are sent over TLS and not retained by OpenAI per their API terms.
- DeepL SE (Germany) — translation. GDPR-compliant.
- Stripe, Inc. (USA) — payment processing. PCI-DSS Level 1.
- Railway Corp. (USA) — application hosting and PostgreSQL database.
- Supabase, Inc. (USA) — auxiliary storage for FAQ, support templates, and audit logs.
- Cloudflare, Inc. (USA) — DNS and edge protection.
Where data is transferred outside the EEA, we rely on Standard Contractual Clauses (SCCs) and our providers' adequacy mechanisms.
5. Data Retention
- Account data: kept while your account is active and for up to 6 months after deletion (in case of dispute or legal hold).
- Translation transcripts: retained for the lifetime of your account; deleted on request.
- Voice samples (V2): when re-enabled, retained for the lifetime of the voice profile; deleted on request.
- Audit logs: 90 days, then automatically purged.
- Billing records: 5 years (Mexican fiscal law) or 6 years (UK/EU equivalents).
6. Your Rights
Regardless of where you live, you have the right to:
- Access — get a copy of the data we hold about you.
- Rectification — correct inaccurate or incomplete data.
- Erasure ("right to be forgotten") — request deletion of your account and data.
- Portability — receive your data in a structured, machine-readable format.
- Restriction / objection — limit or object to certain processing.
- Withdraw consent — at any time, where processing is based on consent.
- Lodge a complaint with your local supervisory authority (e.g., the Spanish AEPD, French CNIL, Mexican INAI, or California Attorney General).
To exercise any right, email legal@legendaryfeather.com from the address associated with your account. We respond within 30 days.
7. Security
- All traffic is encrypted in transit (TLS 1.2+).
- Passwords are hashed with bcrypt (12 rounds).
- Session tokens are signed with HMAC-SHA256 and rotate on every login.
- Database connections use TLS and connection pooling with pre-ping verification.
- Rate limiting, IP blacklisting, and a Web Application Firewall (WAF) protect against common attacks.
- API budget caps prevent runaway usage from compromising service availability.
No system is perfectly secure. If you believe your account has been compromised, email legal@legendaryfeather.com immediately.
8. Children
The Service is not intended for users under 16. We do not knowingly collect personal data from children under 16. If you believe we have, contact us and we will delete the account.
9. International Transfers
By using the Service you consent to the transfer of your data to the United States and other countries where our sub-processors operate. We use Standard Contractual Clauses where required by EU law.
10. Automated Decision-Making
The Service performs automated translation and language detection but does not make decisions that produce legal or significant effects on you. You can request a manual review of any automated output by emailing support.
11. Changes to This Policy
We may update this policy. Material changes will be announced by email or in-app notice at least 14 days before they take effect. Continued use of the Service after the change constitutes acceptance.
12. Contact
Privacy questions, complaints, or rights requests: legal@legendaryfeather.com
