The problem nobody wants to look at
If you're a lawyer in Spain, France, or Germany and you use Otter, Plaud, Limitless, Granola, Fireflies, or Fathom to transcribe client meetings, there's a conversation you probably haven't had with your DPO: all six competitors process in the United States.
It's not marketing. It's what their DPAs and subprocessor pages say.
What changed in April 2026: the Spanish DPA guidance on AI transcription
On April 20, 2026, the Spanish Data Protection Agency (AEPD) published specific guidance on GDPR compliance for automated AI transcription tools. The short version: it requires four things.
- Session-specific consent. A generic notice when joining the service does not constitute valid consent. Each recording requires explicit acceptance.
- Right of access also applies to multi-speaker recordings. You cannot deny access to a data subject on the grounds of protecting third-party data in the same audio.
- Mandatory vendor due diligence. The data controller (the business or professional doing the recording) must document that the transcription provider offers clear information about additional processing and where the data physically resides.
- Transcription ≠ technical feature. It is processing of personal data with ongoing governance, not a low-risk technical utility.
This changes the game in Spain. US meeting bots went from "gray area" to "failed due diligence" in a single official publication.
Why it matters: Schrems II is still in force
In July 2020, the CJEU invalidated the EU-US Privacy Shield (C-311/18). Since then, transferring European personal data to the US requires:
- Standard Contractual Clauses (SCCs) signed with the provider.
- Transfer Impact Assessment (TIA) documenting the risks.
- Additional technical measures (end-to-end encryption, pseudonymization) where applicable.
The EU-US Data Privacy Framework (Privacy Shield's successor, in force since 2023) is a valid mechanism but fragile: NOYB and others are litigating to invalidate it, just as the previous two versions were invalidated. Building your compliance on it is building on sand.
Compliance is hard. Spanish DPAs have fined companies for transferring data to the US without these safeguards (AEPD Resolution PS-00121/2023).
For a law firm, the content of a client meeting is information covered by professional secrecy. Processing it in a foreign jurisdiction without Schrems II safeguards is a double risk: regulatory and deontological.
What competitors do (May 2026)
| Product | Model | Processed in | DPA | Active 2026 lawsuits |
|---|---|---|---|---|
| Otter | Auto-join bot | US (AWS) | Yes | 4 federal (wiretapping CA) |
| Fireflies | Auto-join bot | US | Yes | 2 Illinois (BIPA biometric) |
| Fathom | Auto-join bot | US | Yes | — |
| Read.ai | Auto-join + emotion analytics | US | Yes | — |
| tl;dv | Auto-join (DE opt) | DE/US | Yes | — |
| Granola | Audio-first local | US | Yes | — |
| Plaud | Hardware + cloud | US (AWS) | Yes | — |
| Limitless | Always-on hardware | US | Yes | — |
Having a DPA is necessary but not sufficient. The question is where the data physically resides during processing. And the answer for all eight is: on US territory.
The active lawsuits are not anecdotal. Otter and Fireflies are still operating — the risk is not existential — but the reputational and legal-defense cost is passed on to whoever uses them to record client meetings in European jurisdiction.
How AudioMap does it
AudioMap is designed differently: EU-first by architecture, not by configuration.
- Storage: Cloudflare R2 with EU jurisdiction explicitly (not global, which routes to the US).
- Transcription: AssemblyAI via its European endpoint (`api.eu.assemblyai.com`).
- Whisper local fallback: self-hosted sidecar on Hetzner DE (faster-whisper large-v3-turbo) — no byte leaves Germany if AssemblyAI does not respond.
- Language models: Google Vertex AI in `europe-west1` (Netherlands).
- Workers and database: dedicated Hetzner server in Germany (Falkenstein).
- Sentry: EU region.
[Public subprocessor list](/legal/subprocessors) · [Data sovereignty policy](/legal/data-residency) · [AEPD April 2026 compliance](/legal/aepd-compliance).
How we meet the 4 AEPD requirements
- Session-specific consent: every note or recording asks for explicit consent before upload. Immutable audit log with IP + User Agent + legal text version + timestamp in the database. Consent types segregated (audio_storage, processing, marketing, third_party_sharing, biometric_data, recording_party_acknowledgement) per Art. 7 and Art. 9 GDPR.
- Multi-speaker right of access: the user can access, export, and delete their notes. We're building the public endpoint so non-user third parties (a recorded participant without an account) can request deletion directly, without having to go through the host.
- Vendor due diligence: public documentation of each subprocessor with its actual jurisdiction. Vertex EU + AssemblyAI EU + R2 EU + Hetzner DE. Whisper local removes the cloud dependency entirely if you need it.
- Transcription = processing: explicit policy "we don't train models with your content", 30-day retention after account closure, documented legal basis (contract + consent + legitimate interest per operation).
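As an added illustration of the consent-log design described above (example code, not AudioMap's implementation): a session-scoped, hash-chained consent ledger. The consent type names and the logged fields (IP, User Agent, legal text version, timestamp) come from the page; which types an action requires, and the function names, are assumptions.

```python
import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone
# Consent types as named on the page; which set each action needs is an assumption.
REQUIRED = {
    "upload_audio": {"audio_storage", "processing", "recording_party_acknowledgement"},
    "speaker_voiceprint": {"biometric_data"},  # Art. 9 special-category data
}
GENESIS = "0" * 64

def _digest(body: dict) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

@dataclass
class ConsentLog:
    """Append-only ledger; each entry commits to the previous hash (tamper-evident)."""
    entries: list = field(default_factory=list)

    def record(self, session_id, consent_type, granted, ip, user_agent, legal_version, ts=None):
        body = {
            "session_id": session_id, "consent_type": consent_type, "granted": granted,
            "ip": ip, "user_agent": user_agent, "legal_version": legal_version,
            "ts": (ts or datetime.now(timezone.utc)).isoformat(),
            "prev": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        body["hash"] = _digest(body)  # computed before the key exists, so it excludes itself
        self.entries.append(body)
        return body["hash"]

    def verify_chain(self) -> bool:
        prev = GENESIS
        for e in self.entries:
            unhashed = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or _digest(unhashed) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def granted_for(self, session_id) -> set:
        # Consent is scoped to THIS session only (not the account); a later refusal overrides.
        state = {}
        for e in self.entries:
            if e["session_id"] == session_id:
                state[e["consent_type"]] = e["granted"]
        return {t for t, g in state.items() if g}

    def may(self, session_id, action) -> bool:
        return REQUIRED[action] <= self.granted_for(session_id)
```

A consent recorded for one recording session does not authorize the next one, which is the AEPD's "session-specific" point; the chain check lets an auditor detect an edited entry.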
What we don't do
We don't have a bot that joins the video call to record. We don't promise "silent recording" as a value proposition. We don't process voices in the US and then say we "respect GDPR." We don't use Google Calendar OAuth to auto-join your meetings.
If this sounds familiar
If you run a law firm, a clinic, or a tax advisory in Spain and need transcription + AI analysis of client meetings without international transfer risk, try AudioMap. The first hour is free, no card required. And if you take it to production, we sign DPAs with standard GDPR Article 28 clauses.
[Start free](/dashboard) · [Talk to us](mailto:hello@audiomap.ai)
---
Cited sources:
- AEPD guidance on automated voice transcription, 20 April 2026.
- Schrems II, CJEU C-311/18 (16 July 2020).
- AEPD Resolution PS-00121/2023 (international transfers without SCCs).
- Art. 542 LOPJ, Spanish lawyer professional secrecy.
- GDPR Art. 6, 7, 9, 12-22, 28, 33-34, 35.