Privacy Policy

Vocarel collects information to provide, maintain, and improve our Service. The types of information we collect include:

Personal Information:

• Name, email address, and contact details provided during account registration.
• Billing information, including payment card details processed securely through Stripe.
• Company name, business address, and other business-related information.
• Profile information and preferences you configure within the Service.

Usage Data:

• Log data such as IP address, browser type, operating system, referring URLs, and pages visited.
• Device information, including device identifiers and screen resolution.
• Feature usage patterns, session duration, and interaction data within the platform.
• API usage metrics and integration activity logs.

Communication Data:

• Customer conversation transcripts processed through our AI agents.
• Chat messages, SMS content, email correspondence, and phone call transcripts handled by the platform.
• Knowledge base content you upload to train your AI agents.
• Customer contact information provided by your end users during conversations.

Vocarel uses the information we collect for the following purposes:

• Service Delivery: To provide, operate, and maintain the Service, including processing customer communications through AI agents and delivering analytics.
• Account Management: To create and manage your account, process payments, and communicate with you about your subscription.
• AI Agent Training: To train and improve your personalized AI agents using the knowledge base content and conversation data you provide.
• Service Improvement: To analyze usage patterns, diagnose technical issues, and develop new features and functionality.
• Communication: To send you service-related notices, updates, security alerts, and administrative messages.
• Security: To detect, prevent, and address fraud, abuse, security risks, and technical issues.
• Legal Compliance: To comply with applicable laws, regulations, legal processes, and governmental requests.
• Marketing: With your consent, to send you promotional materials about new features, products, or services. You may opt out at any time.

Vocarel uses artificial intelligence and machine learning technologies as a core component of the Service. This section explains how AI processes your data and the choices available to you.

How AI Processes Your Data:

• Your knowledge base content is processed to create vector embeddings that enable your AI agent to understand and respond to customer inquiries accurately.
• Customer conversations are processed in real-time by large language models (LLMs) to generate contextually appropriate responses on your behalf.
• Conversation history is analyzed to provide analytics, sentiment analysis, and performance metrics for your dashboard.
• AI models may use conversation context within a session to provide coherent, multi-turn dialogue with your customers.

Training Data Usage:

• Your knowledge base content is used exclusively to train your own AI agent and is not shared with or used to train agents for other customers.
• Vocarel may use anonymized, aggregated data derived from platform usage to improve our general AI models and service quality. This data is stripped of all personally identifiable information and cannot be traced back to individual users or their customers.
• We do not sell your data or conversation transcripts to third-party AI model providers for their training purposes.

Third-Party AI Providers:

• We utilize third-party AI services, including OpenAI, to process certain requests. Data sent to these providers is subject to their respective data processing agreements and privacy policies.
• We have data processing agreements in place with all AI providers that prohibit them from using your data to train their general-purpose models.

Data Retention for AI:

• Vector embeddings generated from your knowledge base are retained as long as your account is active and are deleted upon account termination.
• Conversation data used for analytics is retained according to our general data retention policies outlined in the Data Retention section.
• AI model outputs (responses generated for your customers) are stored as part of conversation transcripts.

Your Choices:

• You may opt out of anonymized data usage for general model improvement by contacting our support team or adjusting your privacy settings in the account dashboard.
• You may request deletion of all AI-processed data, including vector embeddings and conversation transcripts, at any time.
• You control what content is uploaded to your knowledge base and can modify or delete it at any time through the platform.

Vocarel shares your information with third parties only in the following circumstances:

Service Providers / Data Processors: We share data with the following subprocessors strictly for the purpose of operating the Service. Each has a data processing agreement (DPA) in place:

• OpenAI — AI language-model inference. Conversation content is sent to OpenAI's API to generate AI responses, subject to OpenAI's enterprise data-processing terms.
• Twilio — SMS, WhatsApp, and voice telephony. Twilio processes phone numbers, message bodies, and call media to deliver communications on your behalf.
• Meta — direct-message channel delivery for the platform's social DM integrations. Used only when the tenant explicitly enables those channels.
• Stripe — Payment processing and subscription billing. PCI-DSS Level 1 certified.
• Resend — Transactional email delivery (account verification, password reset, receipts, alerts).
• UploadThing — Managed file storage for knowledge-base documents you upload.
• Firecrawl — Web crawling for knowledge-base website scraping, scoped to URLs you provide.
• Helicone — AI observability proxy in front of OpenAI. Helicone logs request and response metadata for cost and performance monitoring.
• Sentry — Error and performance telemetry. Sentry receives stack traces and request metadata; we scrub PII before transmission where feasible.
• Axiom — Structured log aggregation (currently deferred from Phase 1, pending re-evaluation). When enabled, receives application logs with PII-redaction applied.
• Grafana Cloud — Metrics dashboards (CPU, memory, queue depth, request latency). Aggregate metrics only; no message content.
• UptimeRobot — External HTTP health checks against our public endpoints. No user data is transmitted.
• Healthchecks.io — Cron job heartbeat monitoring. Ping-only; no user data is transmitted.

Other Circumstances:

• Legal Requirements: We may disclose your information if required to do so by law or in response to valid legal process, such as a subpoena, court order, or government request.
• Business Transfers: In connection with a merger, acquisition, reorganization, or sale of assets, your information may be transferred to the acquiring entity.
• With Your Consent: We may share your information with third parties when you have given us explicit consent to do so.
• Aggregated Data: We may share anonymized, aggregated statistics that do not identify any individual.

We do not sell your personal information to third parties.

Vocarel implements industry-standard security measures to protect your information from unauthorized access, alteration, disclosure, or destruction. These measures include:

• Encryption: All data in transit is encrypted using TLS 1.2 or higher. Sensitive data at rest is encrypted using AES-256 encryption.
• Access Controls: Role-based access controls limit employee access to customer data on a need-to-know basis.
• Authentication: Multi-factor authentication is available for all accounts and required for administrative access.
• Monitoring: Continuous security monitoring, intrusion detection, and regular security audits are conducted.
• Payment Security: Payment processing is handled by Stripe, a PCI-DSS Level 1 certified provider. We never store complete credit card numbers on our servers.
• Infrastructure: Our infrastructure is hosted on secure cloud platforms with SOC 2 compliance certifications.

While we strive to use commercially acceptable means to protect your personal information, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee absolute security.

In the event of a data breach that affects your personal information, we will notify you and the relevant authorities in accordance with applicable data breach notification laws.

Vocarel retains your information for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.

• Account Data: Retained for the duration of your active account plus 30 days after account closure to allow for data export.
• Conversation Transcripts: Retained for the duration of your subscription. You may delete individual conversations or request bulk deletion at any time.
• Knowledge Base Content: Retained while your account is active. Deleted within 30 days of account termination.
• Billing Records: Retained for 7 years in accordance with financial record-keeping requirements.
• Usage Logs: Retained for up to 12 months for operational and security purposes.
• Anonymized Data: Anonymized, aggregated data may be retained indefinitely as it cannot be linked to any individual.

Upon request, we will delete or anonymize your personal information within 30 days, subject to any legal obligations that require continued retention.

Depending on your jurisdiction, you may have the following rights regarding your personal information:

• Right of Access & Portability (GDPR Article 15 & 20): You may request a machine-readable copy of all data we hold about your organization. Owners and admins can trigger a self-service export via POST /api/tenant/export from within the dashboard — the response is a streaming ZIP archive containing one JSON file per tenant-scoped table.
• Right to Deletion (GDPR Article 17): You may request that we delete your organization and all associated data. Owners can trigger a self-service deletion via POST /api/tenant/delete. Deletion is soft-scheduled with a 7-day grace window during which the request can be canceled via DELETE /api/tenant/delete. After the grace expires, a daily sweep cron hard-deletes all tenant-scoped rows, closes the Twilio sub-account, and deletes the Stripe customer. Completion is committed within 30 days per GDPR Article 17.
• Right to Correction: You may update inaccurate or incomplete personal information through your account dashboard.
• Right to Object: You may object to processing for direct marketing at any time.
• Right to Restrict Processing: You may request that we limit the processing of your personal information in certain circumstances.
• Right to Withdraw Consent: Where processing is based on consent (e.g., SMS marketing), you may withdraw at any time by replying STOP to any SMS, or by revoking consent in the dashboard.

To exercise any of these rights, use the self-service endpoints where available or contact us using the information in the Contact Information section. We respond to all data-subject requests within 30 days.

If you are a resident of the European Economic Area (EEA), you also have the right to lodge a complaint with your local data protection authority. If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information is collected and the right to opt out of the sale of personal information (we do not sell personal information).

Vocarel uses cookies and similar tracking technologies to enhance your experience, analyze usage patterns, and deliver relevant content.

Types of Cookies We Use:

• Essential Cookies: Required for the operation of the Service, including authentication, session management, and security features. These cannot be disabled.
• Analytics Cookies: Help us understand how visitors interact with our website and platform, allowing us to improve the Service. These collect anonymized usage data.
• Functional Cookies: Remember your preferences and settings to provide a personalized experience.
• Marketing Cookies: Used with your consent to deliver relevant advertisements and track campaign performance.

You can manage your cookie preferences through your browser settings. Most browsers allow you to refuse cookies or alert you when a cookie is being set. Please note that disabling essential cookies may affect the functionality of the Service.

We may also use web beacons, pixel tags, and similar technologies in our emails to track open rates and click-through rates for the purpose of improving our communications.

The Service is not intended for use by individuals under the age of 16 ("Children"). Vocarel does not knowingly collect personal information from Children.

If you are a parent or guardian and you become aware that your child has provided us with personal information, please contact us immediately. If we discover that we have collected personal information from a child under the age of 16 without verification of parental consent, we will take steps to remove that information from our servers promptly.

If you are between the ages of 16 and 18, you may use the Service only with the involvement and consent of a parent or legal guardian.

Vocarel is based in the United States, and the information we collect is processed and stored in the United States and other countries where our service providers operate.

If you access the Service from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States or other jurisdictions that may have different data protection laws than your country of residence.

For transfers of data from the European Economic Area (EEA), United Kingdom, or Switzerland to countries not deemed to provide an adequate level of data protection, we rely on:

• Standard Contractual Clauses approved by the European Commission.
• Data processing agreements with our service providers that include appropriate safeguards.
• Your explicit consent, where applicable.

By using the Service, you consent to the transfer of your information to the United States and other jurisdictions as described in this Privacy Policy.

Vocarel may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will:

• Update the "Last updated" date at the top of this page.
• Send an email notification to the address associated with your account.
• Display a prominent notice within the Service or on our website.

We encourage you to review this Privacy Policy periodically for any changes. Your continued use of the Service after the posting of changes constitutes your acceptance of such changes.

If you do not agree with the revised Privacy Policy, you should discontinue your use of the Service and contact us to request deletion of your personal information.

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

• Email: [email protected]
• Website: vocarel.com

For data protection inquiries from the European Economic Area, you may also contact our designated Data Protection Officer at [email protected].

We will respond to all privacy-related inquiries within 30 days of receipt.