Privacy Policy
Last updated: March 2026
This Privacy Policy describes how VoxeNova ("we", "us", or "our") collects, uses, and protects your personal data when you use our AI meeting facilitation platform ("Service"). We are committed to protecting your privacy and handling your data transparently and lawfully.
1. Data Controller
VoxeNova, registered in Ireland, is the data controller responsible for the processing of your personal data. For questions about data processing, contact us at [email protected].
2. Data We Collect
2.1 Account Data
When you register for the Service, we collect your company name, contact name, email address, and preferred data region. This data is necessary to create and manage your account.
2.2 Payment Data
Payment processing is handled entirely by Stripe, our PCI DSS-compliant payment processor. We do not store credit card numbers, CVVs, or other sensitive payment credentials on our systems. We retain only Stripe customer and subscription identifiers for billing management.
2.3 Meeting Content
When you use the Service in meetings, we process:
- Audio transcripts of meeting conversations
- Participant names (as provided by the video conferencing platform)
- Extracted requirements, decisions, action items, and risks
- AI-generated meeting summaries
2.4 Diagram Data
AI-generated diagrams, visual artifacts, and associated layout state created during meetings are stored as part of your meeting data.
2.5 Usage Data
We collect aggregated usage information including meeting count, meeting duration, and feature usage patterns to manage billing, monitor service health, and improve the platform.
2.6 Technical Data
We collect IP addresses, browser type, and device information for security monitoring and abuse prevention. We use essential cookies only (session JWT and CSRF token) and do not use tracking or advertising cookies.
3. Legal Basis for Processing
We process your personal data on the following legal bases:
- Contract performance (Article 6(1)(b) GDPR): Processing meeting content for AI facilitation, extraction, and delivery of meeting artefacts is necessary to perform the service you have contracted for.
- Legitimate interest (Article 6(1)(f) GDPR): Service improvement, security monitoring, fraud prevention, and system diagnostics. We balance these interests against your rights and freedoms.
- Consent (Article 6(1)(a) GDPR): Where applicable, for marketing communications. You may withdraw consent at any time.
4. Data Storage Regions
During registration, you select a data region. Your data is stored and processed exclusively within your chosen region. We offer the following regions:
| Region | Location | Governing Law |
|---|---|---|
| EU Germany | Falkenstein, Nuremberg | German and EU law (GDPR) |
| EU Finland | Helsinki | Finnish and EU law (GDPR) |
| US East | Ashburn, Virginia | United States law |
| US West | Hillsboro, Oregon | United States law |
| Asia-Pacific | Singapore | Singaporean law (PDPA) |
Data does not leave your selected region except where necessary for AI processing via AWS Bedrock, which operates under our Data Processing Addendum with appropriate safeguards.
5. Third-Party Processors
We use the following third-party service providers to deliver the Service. Each operates under a data processing agreement with VoxeNova:
| Processor | Purpose | Compliance |
|---|---|---|
| Stripe | Payment processing and subscription billing | PCI DSS Level 1 compliant |
| Recall.ai | Meeting bot platform for audio capture | SOC 2 Type II |
| AWS Bedrock (Claude) | AI processing, transcription analysis, extraction | SOC 2, ISO 27001, GDPR DPA |
| Deepgram | Speech-to-text transcription | SOC 2 Type II |
| Cartesia | Text-to-speech voice synthesis | DPA available on request |
| Hetzner Cloud | Virtual machine hosting and infrastructure | ISO 27001, GDPR compliant |
6. Data Retention
Meeting content and extracted artefacts are retained for a default period of 365 days from the date of the meeting. This retention period is configurable per customer upon request. After the retention period expires, data is securely deleted in accordance with our deletion procedures.
Account data is retained for the duration of your subscription and for up to 30 days following termination to allow for data export. Billing records may be retained longer as required by applicable tax and financial regulations.
7. Your Rights
Under applicable data protection laws (including GDPR), you have the following rights:
- Right of access: Request a copy of the personal data we hold about you
- Right to rectification: Request correction of inaccurate or incomplete data
- Right to erasure: Request deletion of your personal data
- Right to data portability: Receive your data in a structured, machine-readable format
- Right to restriction: Request restriction of processing in certain circumstances
- Right to object: Object to processing based on legitimate interest
To exercise any of these rights, contact us at [email protected]. We will respond to your request within 30 days. You also have the right to lodge a complaint with your local data protection authority.
8. Security Measures
We implement comprehensive technical and organizational measures to protect your data:
- Encryption at rest: LUKS full-disk encryption on all customer data partitions
- Encryption in transit: TLS 1.2+ for all network communications
- Tenant isolation: Dedicated virtual machines per customer with network-level separation
- Authentication: SSH Certificate Authority for infrastructure access (no password authentication)
- Audit logging: Append-only audit trails with actor fingerprinting for all administrative actions
- Admin access: Multi-factor authentication (MFA) required for all administrative access
- Log sanitization: Automated PII redaction in system logs
9. Cookies
We use essential cookies only:
- Session JWT: Maintains your authenticated session
- CSRF token: Protects against cross-site request forgery attacks
We do not use tracking cookies, advertising cookies, or third-party analytics cookies. No consent banner is required for essential cookies under GDPR, though we provide a notice for transparency.
10. Children's Privacy
The Service is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children under 16. If you believe a child under 16 has provided us with personal data, please contact us at [email protected] and we will take steps to delete such data.
11. Changes to This Policy
We may update this Privacy Policy from time to time. For material changes, we will provide at least 30 days' written notice via email. The "Last updated" date at the top of this page indicates when the policy was last revised.
12. Contact
If you have questions about this Privacy Policy or our data practices, contact us at:
VoxeNova — Privacy Team
Email: [email protected]
Data Protection Officer: [email protected]