Data Use Policy

Last updated: January 1, 2026

This Data Use Policy explains in detail how Scandeer LLC processes, stores, and protects data within the VOX Voice AI Platform. This document supplements our Privacy Policy and is intended for customers, enterprise users, and their data protection officers.

1. Data Categories and Processing Purposes

1.1 Tenant Account Data

  • Data: Name, email, hashed password, organization name, billing details
  • Purpose: Authentication, account management, billing
  • Legal basis: Contract performance
  • Retention: Duration of account + 90 days post-cancellation

1.2 Agent Configuration Data

  • Data: Agent names, prompts, voice settings, tool configurations, knowledge base documents
  • Purpose: Powering voice agent behavior
  • Legal basis: Contract performance
  • Retention: Until deleted by tenant or account closure

1.3 Conversation Data

  • Data: Transcripts (text), conversation metadata (timestamps, duration, latency, turn counts, token usage)
  • Purpose: Analytics, quality review, agent improvement
  • Legal basis: Legitimate interests / contract performance
  • Retention: 12 months default; configurable per tenant; deletable on demand

1.4 Audio Recordings

  • Data: Raw audio of voice conversations (opt-in only)
  • Purpose: Quality assurance, agent fine-tuning
  • Legal basis: Consent (tenant enables; tenant responsible for end-user consent)
  • Retention: 30 days default; configurable

1.5 Usage and Telemetry Data

  • Data: API request logs, latency metrics, error rates, feature usage events
  • Purpose: Platform reliability, performance monitoring, billing calculation
  • Legal basis: Legitimate interests
  • Retention: 90 days in raw form; aggregated metrics indefinitely

2. Data Storage and Location

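| Data Type                       | Storage System   | Provider        | Region         |
|---------------------------------|------------------|-----------------|----------------|
| Tenant config, agents, API keys | PostgreSQL       | Supabase        | US East        |
| Conversation transcripts        | MongoDB          | MongoDB Atlas   | US East        |
| Session state, queues           | Redis            | Redis Cloud     | US Central     |
| Knowledge base vectors          | Qdrant           | Self-hosted     | OVHCloud EU/US |
| AI model inference              | vLLM / STT / TTS | Self-hosted GPU | OVHCloud EU/US |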

3. Sub-processors

We engage the following sub-processors to operate the Service:

  • Supabase Inc. — PostgreSQL database hosting
  • MongoDB Inc. — MongoDB Atlas document database
  • Redis Ltd. — Redis Cloud cache and pub/sub
  • OVHCloud SAS — VPS and GPU compute infrastructure
  • Stripe Inc. — Payment processing
  • Cloudflare Inc. — DNS, CDN, and tunnel services

4. Data Security Measures

  • Encryption in transit: TLS 1.3 for all API and WebRTC connections
  • Encryption at rest: AES-256 for all stored data via provider-managed encryption
  • Authentication: Bcrypt (cost factor 12) for password hashing; optional OAuth SSO
  • Access control: Role-based access (owner / admin / agent / viewer) with principle of least privilege
  • Infrastructure: Private networking between services; no public database endpoints
  • Secrets management: Environment-variable injection via Coolify; no secrets in Git
  • Audit logging: All admin actions logged with timestamp and actor

5. AI Model Data Usage

Conversation data processed by our self-hosted AI models (Llama 3.3, Parakeet STT, CosyVoice2 TTS) never leaves our infrastructure. We do not send voice or transcript data to external AI API providers. During development, we use OpenAI gpt-4o-mini as a fallback LLM; in this case OpenAI's data processing terms apply.

6. Data Portability and Deletion

  • Tenants can export all agent configurations and conversation transcripts in JSON format from the Dashboard → Account → Export Data page
  • Individual conversation logs can be deleted from the Conversations view
  • Full account deletion (including all data) can be requested at [email protected] and will be completed within 30 days
  • API keys are immediately invalidated on deletion and cannot be recovered

7. Breach Notification

In the event of a data breach affecting your tenant data, we will notify you by email within 72 hours of discovery, consistent with GDPR Article 33 obligations. Notification will include the nature of the breach, data affected, likely consequences, and measures taken.

8. GDPR and CCPA Compliance

For EU/EEA customers, we act as a data processor for conversation data and a data controller for account data. Data Processing Agreements (DPAs) are available upon request for Pro and Enterprise customers. For California residents, we honor all CCPA rights including the right to know, delete, and opt out of sale (we do not sell personal data).

9. Contact

Data protection inquiries:
Scandeer LLC — Data Protection
Email: [email protected]
Website: scandeer.ai