Privacy Policy
Actual Voice Inc.
Plain Language Summary
Privacy at a Glance
What Actual Voice does
- Actual Voice helps organizations collect voice feedback from the people they serve.
- Respondents record by QR code or link, typically up to 60 seconds.
- We analyze engagement, sentiment, and themes.
- Organizations see aggregated insights, not individual recordings.
What we do with recordings
- We transcribe and analyze each response.
- We generate engagement, sentiment, and thematic outputs.
- We delete original audio after successful processing, typically within seconds to under a minute.
- We keep transcripts and derived insights so organizations can review aggregated results.
What we never do
- We never sell personal data.
- We never show organizations individual voice recordings.
- We never expose insights tied to fewer than 5 responses.
- We never use organizational data to train models for other customers without anonymization.
Where data lives
- Our primary database and storage are hosted in Canada.
- Supabase runs in the Canada Central region.
- OpenAI, Vercel, PostHog, Sentry, Google, and other sub-processors may process data outside Canada.
Who this policy applies to
- Organizations: customers and prospective customers using Actual Voice to collect feedback.
- Respondents: individuals submitting voice feedback at an organization's request.
Questions
- Email privacy@actualvoice.ai.
1. Who We Are
This Privacy Policy is published by Actual Voice Inc., a British Columbia corporation, with offices at:
#404 – 777 Fort Street, Victoria, BC, Canada V8W 1E1
For the purposes of applicable data protection laws:
- Organization as controller: when an Organization uses our platform to collect feedback from its people, the Organization is the data controller and Actual Voice is the data processor acting on the Organization's behalf.
- Actual Voice as controller: when we use anonymized, aggregated data to improve our service, Actual Voice acts as an independent controller. This is described further in Section 4.
If you are a Respondent and want to know how a specific Organization uses your feedback, contact that Organization directly. If you have questions about how Actual Voice handles data generally, contact us at privacy@actualvoice.ai.
2. Information We Collect
2.1 From Organizations
When an Organization signs up to use Actual Voice, we collect:
- Organization name and contact details
- Names and email addresses of users (administrators and members) within the Organization
- Authentication credentials (handled via Supabase Auth and, where enabled, Google OAuth)
- Account configuration: questions created, settings, distribution preferences
- Billing information (when paid plans are introduced)
2.2 From Respondents
When a Respondent submits voice feedback, we collect or generate:
- Voice recording. Up to approximately 90 seconds in length (we present a 60-second guideline to Respondents with a brief grace period to complete a thought). Stored temporarily — see Section 6.
- Transcript. A text version of the recording, generated by our processing pipeline.
- Processing outputs. Engagement signal (described below), sentiment analysis, thematic tags, and other features derived from the transcript and audio.
- Technical metadata. Browser type, device type, approximate timestamp, basic diagnostic information needed to operate the service.
We do not require Respondents to provide names, email addresses, or other identifying information. Respondents are asked to participate by the Organization that invited them; we do not link Respondents to identities ourselves.
2.3 Engagement Signal
Our platform produces an Engagement signal for each response, classified into one of four tiers: Invested / Engaged / Moderate / Passive. This signal reflects how invested the Respondent appears to be in providing useful feedback — based on factors like elaboration, specificity, and vocal markers of attention.
Engagement is an estimate, not a measurement of personal worth or character. It exists to help Organizations understand whether the feedback they're receiving is substantive or perfunctory, in aggregate. Engagement is never displayed at the individual level to Organizations.
2.4 What We Don't Collect
- We do not collect government identifiers (SSN, SIN, passport numbers).
- We do not collect financial information from Respondents.
- We do not collect health information. Our platform actively blocks questions designed to elicit Protected Health Information (see Section 12).
- We do not use cookies or tracking pixels to follow Respondents across other sites.
- We use first-party analytics cookies for Google Analytics and PostHog only with consent. Those cookies are confined to this site and are not used for cross-site advertising or personalization.
3. How We Process Voice Feedback
When a Respondent submits a recording, the following happens:
- Upload. The recording is uploaded to Supabase Storage in our Canada Central region.
- Processing. Our backend pipeline runs the recording through a configurable sequence of nodes — currently including transcription, content analysis, engagement and sentiment scoring, theme extraction, and safety/privacy checks. Specific AI providers used in this pipeline are listed in Section 5.
- Materialization. The transcript and processing outputs are written to our database. Aggregate insights are computed.
- Deletion. On successful processing, the original audio file is deleted from our storage. This typically completes within seconds to under a minute of upload.
- Recovery cleanup. If processing fails or is interrupted, the audio may be retained briefly while the system retries or recovers, then deleted by a cleanup job. Errors in the deletion path are reported to our error monitoring system.
We do not allow Organizations to download original audio files. We do not allow Respondents to retrieve their own recordings (the audio is deleted; only the transcript and derived insights remain).
4. How We Use Information
4.1 To provide the service
We process voice feedback to deliver insights to the Organization that collected it. This includes generating transcripts, computing engagement and sentiment signals, identifying themes, and presenting aggregated dashboards.
4.2 To operate and improve our service
We use de-identified, aggregated data to:
- Calibrate and improve our analysis models
- Develop new features and signals
- Generate cross-organization benchmarks (where they can be produced without identifying any individual or any single Organization)
When we use data this way, we act as an independent controller. We do not use one Organization's identifiable data to train models for another Organization's benefit. We anonymize first.
4.3 To communicate
We use Organization contact information to send service-related notices (security incidents, terms changes, account issues) and, where Organizations have opted in, product updates.
4.4 To comply with law
We may use or disclose information when required by law, court order, or legitimate legal process — and only to the extent legally required.
4.5 What we do not do
- We do not sell personal data.
- We do not share Respondent data with advertisers.
- We do not enable surveillance, retaliation, or re-identification (these are explicitly prohibited under our Terms of Service).
5. Sub-Processors and Data Sharing
We use the following sub-processors to operate the service. Each is bound by its own privacy and security commitments.
| Sub-processor | Purpose | Region |
|---|---|---|
| Vercel | Application hosting, deployment, analytics | USA (with global edge) |
| Supabase | Database, authentication, storage, edge functions, queues | Canada Central |
| OpenAI | AI components in the processing pipeline (transcription, analysis, moderation) | USA |
| Google | Authentication (Google OAuth), AI pipeline components (Gemini / Vertex AI) where enabled, and Google Analytics (GA4) for opt-in product analytics on the marketing site | USA |
| PostHog | Product analytics | USA |
| Sentry | Error monitoring | USA |
| Resend | Transactional email delivery | USA |
5.1 OpenAI data handling
Voice and text data sent to OpenAI is processed under OpenAI's standard API terms. As of the effective date of this policy, OpenAI's standard terms include retention of API inputs and outputs for up to 30 days for abuse monitoring, after which they are deleted by OpenAI.
We do not currently operate under OpenAI's Zero Data Retention configuration. Organizations with enhanced retention requirements should contact us before signing up.
5.2 Changes to sub-processors
We will provide reasonable advance notice when we add a new sub-processor that processes Respondent data.
Organizations may object to new sub-processors. If they object, we will work to find an alternative or, if that's not feasible, allow the Organization to terminate without penalty.
We do not share data with third parties beyond these sub-processors except (a) with the Organization that collected the feedback, (b) where required by law, or (c) in connection with a corporate transaction (merger, acquisition, sale of assets), in which case continued protection of the data will be a condition of the transaction.
6. Audio Storage and Deletion
6.1 Where audio is stored
Voice recordings are stored in Supabase Storage in our Canada Central region. Supabase may use object storage infrastructure underneath; our direct storage provider is Supabase.
6.2 How long audio is retained
- Successful processing: the original audio file is deleted from our storage on completion of processing. This typically occurs within seconds to under a minute of upload.
- Failed or interrupted processing: audio may be retained briefly while the system retries or recovers, then deleted by a cleanup job. We do not retain audio for analytical or training purposes after deletion.
- No backup retention: we do not maintain long-term backups of audio recordings.
6.3 Operational safeguards
To support reliable deletion, we operate:
- An immediate deletion attempt after successful processing
- Cleanup jobs for recordings flagged as pending deletion
- Cleanup jobs for stale processing tasks
- Error capture (via Sentry) on deletion failures, surfaced for engineering review
We do not currently publish a real-time audio inventory dashboard. If you have questions about a specific recording's status, contact privacy@actualvoice.ai.
6.4 What persists
After audio deletion, what remains is the transcript, the processing outputs (engagement signal, sentiment, themes, related metadata), and the technical metadata described in Section 2.
7. Anonymization and Aggregation
7.1 Five-response threshold
We apply a hard minimum threshold of five responses before any segmented or filtered view of feedback is shown to an Organization. If a question, segment, or filter has fewer than five responses, the data is suppressed in the dashboard.
This applies across all use cases — there is no per-category override.
7.2 What Organizations see
Organizations see aggregated insights:
- Counts and distributions of engagement and sentiment
- Theme summaries across multiple responses
- Trends and patterns over time
Organizations do not see:
- Original audio recordings (deleted)
- Individual transcripts attributed to specific Respondents
- Re-identifiable views of small groups
7.3 Quotation handling
Where the platform surfaces representative excerpts, those excerpts are drawn from transcripts and are presented in a way intended to avoid identifying the Respondent. Respondents should still avoid including names, contact details, or other identifying information in their recordings. We caution Respondents about this before recording.
8. Security
We rely on the security controls of our infrastructure providers and apply additional operational practices appropriate for our scale.
- Encryption. Data is encrypted in transit and at rest using our infrastructure providers' standard controls (Supabase, Vercel).
- Authentication. Access to administrative interfaces requires authentication via Supabase Auth or Google OAuth.
- Role-based access. Within an Organization, users are assigned administrator or member roles with different permission levels.
- Production access. Direct access to production systems by Actual Voice personnel is limited and logged.
- Error monitoring. Sentry captures application errors for review, including failures in the deletion pipeline.
We do not currently hold a SOC 2 attestation and have not undergone a formal third-party penetration test. Both are planned as the company matures and as enterprise customers require them.
If you discover a security issue, please email security@actualvoice.ai. We commit to acknowledging good-faith reports.
9. Data Retention
| Data type | Retention |
|---|---|
| Voice recordings (audio) | Deleted after successful processing, typically within seconds to under a minute. Brief retention possible during failure/recovery. |
| Transcripts and processing outputs | Retained for the duration of the Organization's account, or until deletion is requested |
| Organization account data | Retained for the duration of the account; deleted within 90 days of account closure |
| De-identified, aggregated data | May be retained indefinitely; cannot be linked back to individuals or specific Organizations |
| Billing records | Retained as required by Canadian tax and corporate law (typically 7 years) |
| Security and audit logs | Retained for operational and security purposes, typically up to 12 months |
Organizations may request deletion of specific questions, response sets, or their full account at any time by emailing privacy@actualvoice.ai.
10. International Data Transfers and Data Residency
Our primary database and storage operate in Canada (Supabase, Canada Central region). However, several of our sub-processors — OpenAI, Vercel, PostHog, Sentry, Resend, and Google — operate from the United States and may process data outside Canada.
Where required, data transfers are protected by:
- Sub-processor commitments to applicable data protection law
- Standard Contractual Clauses or equivalent transfer mechanisms where applicable
- Encryption in transit and at rest
If you are a Respondent and have concerns about cross-border transfers, contact privacy@actualvoice.ai or contact the Organization that invited you to participate.
11. Your Rights
The rights available to you depend on where you live. We do our best to honor reasonable requests regardless of jurisdiction.
11.1 If you are a Respondent
You may request:
- Confirmation of whether we hold data about you (note: because we don't link recordings to identifiable Respondents, we may not be able to locate your data without information from the Organization that invited you)
- Deletion of your data (we will coordinate with the Organization that collected it)
- Information about how your data has been used
In most cases the most direct path is to contact the Organization that invited you to participate. If they direct you back to us, email privacy@actualvoice.ai.
11.2 If you are in Canada (PIPEDA)
You have rights of access, correction, and complaint. You may file a complaint with the Office of the Privacy Commissioner of Canada at priv.gc.ca.
11.3 If you are in California (CCPA / CPRA)
You have rights to know, delete, correct, and opt out of "sale" or "sharing" of personal information. We do not sell or share personal information as defined by the CCPA.
11.4 If you are in the European Union or United Kingdom
We do not currently target the European Union or United Kingdom and do not knowingly market our services to organizations or individuals in those regions. If you are an EU or UK resident and believe we hold your data, please contact us before using the service so we can determine the appropriate path forward.
11.5 Response timeline
We aim to respond to verifiable requests within 30 days. We may need to verify your identity or coordinate with the relevant Organization before completing a request.
12. Healthcare Contexts
Actual Voice is not currently HIPAA-compliant and is not designed to receive Protected Health Information (PHI).
To enforce this, our platform applies an automated check on questions created within healthcare-coded categories: questions that appear designed to elicit PHI (medical conditions, treatments, medications, diagnoses) are blocked at creation.
Permitted healthcare questions
- "How was your check-in experience today?"
- "Did our staff communicate clearly with you?"
- "Is there anything we could improve about your visit?"
Blocked healthcare questions
- "Tell us about the medication you were prescribed."
- "Describe your symptoms during your last visit."
- "How did you feel about your treatment?"
Healthcare organizations that need full HIPAA-compliant infrastructure (BAA, audit logs, enhanced controls) should contact sales@actualvoice.ai. This is on our product roadmap but is not currently available.
13. Children's Data
Our service is not directed at children under 13 (or the equivalent age in your jurisdiction). We do not knowingly collect data from children.
Organizations that wish to collect feedback from minors are responsible for obtaining parental consent and for complying with applicable laws (e.g., COPPA, FERPA).
If you believe we have collected data from a child, contact privacy@actualvoice.ai and we will delete it.
14. Changes to This Policy
We may update this Privacy Policy as our service evolves or as required by law. When we make material changes, we will notify Organizations via email at least 30 days before the changes take effect. The "Last Updated" date at the top reflects the most recent revision.
Continued use of the service after a material update constitutes acceptance of the updated policy. If you do not agree with the changes, you may terminate your account before the effective date.
15. Contact
| Topic | Contact |
|---|---|
| General privacy questions | privacy@actualvoice.ai |
| Security issues | security@actualvoice.ai |
| Legal | legal@actualvoice.ai |
| General support | support@actualvoice.ai |
Mailing address
Actual Voice Inc., #404 – 777 Fort Street, Victoria, BC, Canada V8W 1E1
A formal Data Protection Officer has not yet been appointed. Privacy inquiries are handled by company leadership.
End of Privacy Policy