Privacy Policy

Last Updated: January 2025

HIPAA-Compliant Privacy Protection

V100.ai is designed to be HIPAA compliant. This Privacy Policy works in conjunction with our Business Associate Agreement (BAA) for healthcare customers handling Protected Health Information (PHI).

1. Introduction

Appuix, Inc., doing business as V100.ai ("we," "us," or "our"), is committed to protecting your privacy and the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our V100.ai platform and services (the "Services").

Corporate Entity: V100.ai is a brand name and DBA of Appuix, Inc., a Delaware corporation. All data processing activities are performed by Appuix, Inc.

By using the Services, you consent to the data practices described in this Privacy Policy. If you do not agree with our policies and practices, do not use our Services.

2. Information We Collect

2.1 Personal Information You Provide

We collect information that you voluntarily provide when using our Services:

  • Account Information: Name, email address, phone number, company name, job title, password
  • Payment Information: Credit card details, billing address (processed through secure third-party payment processors)
  • Profile Information: Profile photo, bio, preferences, time zone
  • Communications: Messages, support requests, feedback, survey responses
  • Content You Upload: Videos, images, documents, recordings, transcripts

2.2 Information Automatically Collected

We automatically collect certain information when you use the Services:

  • Usage Data: Pages visited, features used, time spent, clicks, navigation paths
  • Device Information: IP address, browser type, operating system, device identifiers
  • Log Data: Access times, error logs, performance data
  • Cookies and Tracking: Session data, preferences, analytics (see Cookie Policy below)
  • Video Conference Data: Participant information, meeting duration, bandwidth usage

2.3 Protected Health Information (PHI)

For healthcare customers, we may process PHI as defined under HIPAA. This includes:

  • Video recordings of patient consultations
  • Transcripts containing health information
  • Patient names, dates, and identifiers in video content
  • Health-related communications and documents

PHI is handled in accordance with our Business Associate Agreement (BAA) and HIPAA regulations. See Section 4 for HIPAA-specific protections.

2.4 Information from Third Parties

We may receive information from third-party services you connect to V100.ai:

  • Calendar integrations (Google Calendar, Outlook, Apple Calendar)
  • Cloud storage services for video import/export
  • Social media platforms for authentication
  • Analytics and marketing platforms

3. How We Use Your Information

3.1 Service Provision

We use your information to:

  • Provide, operate, and maintain the Services
  • Process video conferencing and AI editing requests
  • Enable collaboration and communication features
  • Store and manage your content securely
  • Provide customer support and respond to inquiries
  • Process payments and manage billing

3.2 Service Improvement

  • Analyze usage patterns to improve performance
  • Train and improve AI models (using anonymized data only)
  • Develop new features and functionality
  • Conduct research and analytics
  • Monitor and enhance security

3.3 Communication

  • Send service-related notifications and updates
  • Respond to support requests and feedback
  • Send marketing communications (with your consent)
  • Conduct surveys and gather feedback

3.4 Legal and Security

  • Comply with legal obligations and regulations
  • Enforce our Terms of Service and policies
  • Detect and prevent fraud, abuse, and security threats
  • Protect rights, property, and safety of Appuix and users
  • Respond to legal requests and prevent harm

4. HIPAA Compliance and PHI Protection

4.1 Business Associate Obligations

When we process PHI on behalf of Covered Entities or Business Associates, we act as a Business Associate under HIPAA. We:

  • Use and disclose PHI only as permitted by the BAA
  • Implement appropriate safeguards to protect PHI
  • Report security incidents and breaches as required
  • Ensure subcontractors comply with HIPAA requirements
  • Make PHI available to individuals as required
  • Account for PHI disclosures as required by HIPAA

4.2 Technical Safeguards for PHI

We protect PHI using:

  • Encryption: AES-256-GCM encryption at rest, TLS 1.3+ in transit
  • Access Controls: Role-based access with MFA required
  • Audit Logging: Comprehensive logs retained for 6+ years
  • Data Segregation: Logical separation of customer PHI
  • Zero-Knowledge Architecture: End-to-end encryption prevents our access to unencrypted PHI
  • Post-Quantum Cryptography: Future-proof encryption against quantum threats
  • Automatic Logout: Session timeouts and automatic lockouts
  • Data Integrity: Hash verification and corruption detection

4.3 Administrative Safeguards

  • Designated privacy and security officers
  • Regular HIPAA training for all staff with PHI access
  • Documented policies and procedures for PHI handling
  • Workforce background checks and confidentiality agreements
  • Regular risk assessments and security audits
  • Incident response and breach notification procedures

4.4 Physical Safeguards

  • SOC 2 Type II certified data centers
  • 24/7 physical security and monitoring
  • Biometric access controls
  • Environmental controls and redundancy
  • Secure media disposal procedures

4.5 Breach Notification

In the event of a breach of unsecured PHI, we will:

  • Notify you within 60 days of discovery as required by 45 CFR § 164.410
  • Provide details of the breach, affected individuals, and mitigation steps
  • Cooperate in your notification obligations to affected individuals and HHS
  • Document the breach and our response in accordance with HIPAA requirements

4.6 Minimum Necessary Standard

We implement policies to ensure that we only access, use, and disclose the minimum amount of PHI necessary to accomplish the intended purpose.

4.7 Right to Audit

Covered Entities have the right to audit our HIPAA compliance. We will cooperate with reasonable audit requests and provide documentation of our safeguards and procedures.

5. How We Share Your Information

5.1 We Do NOT Sell Your Data

We do not sell, rent, or trade your personal information or PHI to third parties for their marketing purposes.

5.2 Service Providers

We share information with trusted service providers who assist us in operating the Services:

  • Cloud hosting and infrastructure providers (AWS, Google Cloud)
  • Payment processors (Stripe)
  • Analytics services (Google Analytics - anonymized data only)
  • Customer support tools
  • Email and communication services

All service providers with access to PHI sign Business Associate Agreements and are bound by HIPAA requirements.

5.3 Legal Requirements

We may disclose information when required by law or in response to:

  • Court orders, subpoenas, or legal processes
  • Government or regulatory requests
  • Requests to protect rights, property, or safety
  • Emergencies involving potential harm to individuals

5.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity. We will notify you and ensure continued protection of your data.

5.5 With Your Consent

We may share information with third parties when you explicitly consent, such as when you integrate third-party services or share content publicly.

6. Data Security

6.1 Security Measures

We implement comprehensive security measures to protect your data:

  • Encryption: AES-256-GCM for data at rest, TLS 1.3+ for data in transit
  • Post-Quantum Cryptography: Kyber, Dilithium, SPHINCS+ algorithms
  • Zero-Knowledge Architecture: End-to-end encryption prevents unauthorized access
  • Network Security: Firewalls, intrusion detection, DDoS protection
  • Access Controls: RBAC, MFA, principle of least privilege
  • Monitoring: 24/7 security operations center, automated threat detection
  • Penetration Testing: Regular third-party security audits
  • Secure Development: Security code reviews, vulnerability scanning

6.2 Certifications

Our security practices are validated by:

  • SOC 2 Type II certification
  • HIPAA compliance validation
  • ISO 27001 (in progress)
  • Regular third-party penetration testing

6.3 Limitations

While we implement robust security measures, no system is completely secure. You are responsible for maintaining the confidentiality of your account credentials and notifying us immediately of any unauthorized access.

7. Data Retention

7.1 Retention Periods

We retain your information for as long as necessary to provide the Services and fulfill legal obligations:

  • Account Data: For the duration of your account plus 30 days after termination
  • Video Content: Until you delete it or your account is terminated
  • PHI: As required by HIPAA (typically 6 years from creation or last use)
  • Audit Logs: 6 years for HIPAA compliance
  • Billing Records: 7 years for tax and accounting purposes
  • Anonymized Analytics: Indefinitely for service improvement

7.2 Data Deletion

Upon account termination or at your request, we will:

  • Delete or anonymize your personal information within 30 days
  • Remove your content from active systems
  • Retain only what is legally required (audit logs, billing records)
  • Securely destroy backup copies according to our retention schedule

7.3 Backup and Disaster Recovery

Data in backups may persist for up to 90 days after deletion from production systems. Backup data is encrypted and protected with the same security measures as production data.

8. Your Privacy Rights

8.1 Access and Portability

You have the right to:

  • Access your personal information
  • Export your data in a portable format (JSON, CSV)
  • Request copies of PHI in your account

8.2 Correction and Amendment

You may update or correct your personal information through your account settings or by contacting us.

8.3 Deletion

You may request deletion of your personal information, subject to legal retention requirements. We will honor deletion requests within 30 days.

8.4 Opt-Out

You can opt out of:

  • Marketing emails (unsubscribe link in emails)
  • Non-essential cookies (browser settings)
  • Data sharing with third-party analytics (privacy settings)

8.5 California Privacy Rights (CCPA)

California residents have additional rights under the California Consumer Privacy Act:

  • Right to know what personal information is collected
  • Right to know if personal information is sold or disclosed
  • Right to opt out of the sale of personal information (we don't sell data)
  • Right to deletion of personal information
  • Right to non-discrimination for exercising CCPA rights

8.6 European Privacy Rights (GDPR)

EU residents have rights under the General Data Protection Regulation:

  • Right to access personal data
  • Right to rectification of inaccurate data
  • Right to erasure ("right to be forgotten")
  • Right to restriction of processing
  • Right to data portability
  • Right to object to processing
  • Right to withdraw consent
  • Right to lodge a complaint with a supervisory authority

8.7 Exercising Your Rights

To exercise any of these rights, contact us at privacy@v100.ai. We will respond within 30 days and may require identity verification to process your request.

9. Cookies and Tracking Technologies

9.1 What Are Cookies

Cookies are small text files stored on your device that help us recognize you and provide a better experience. We use cookies and similar tracking technologies.

9.2 Types of Cookies We Use

  • Essential Cookies: Required for the Services to function (authentication, security)
  • Functional Cookies: Remember your preferences and settings
  • Analytics Cookies: Help us understand how you use the Services
  • Marketing Cookies: Track your activity for advertising purposes (with consent)

9.3 Managing Cookies

You can control cookies through your browser settings. Note that disabling essential cookies may affect Service functionality. Most browsers allow you to:

  • View and delete cookies
  • Block third-party cookies
  • Block all cookies (may impact functionality)
  • Clear cookies when closing the browser

9.4 Do Not Track

We respect Do Not Track (DNT) signals. When DNT is enabled, we will not use non-essential tracking technologies.

10. International Data Transfers

10.1 Data Location

Our Services are operated in the United States. If you access the Services from outside the U.S., your information may be transferred to, stored, and processed in the U.S.

10.2 EU-U.S. Data Transfers

For EU customers, we comply with applicable data transfer mechanisms, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Data residency options for EU data to remain in EU data centers
  • Supplementary measures to ensure adequate protection

10.3 Data Residency Options

Enterprise customers can select geographic data residency to ensure data is stored and processed in specific regions for compliance purposes.

11. Children's Privacy

Our Services are not intended for children under 18 years of age. We do not knowingly collect personal information from children under 18. If we discover that we have collected information from a child under 18, we will promptly delete it.

If you believe we have collected information from a child under 18, please contact us at privacy@v100.ai.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by:

  • Posting the updated Privacy Policy on our website
  • Updating the "Last Updated" date at the top of this page
  • Sending email notification for significant changes
  • Displaying a prominent notice in the Services

Your continued use of the Services after changes become effective constitutes acceptance of the updated Privacy Policy.

13. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Appuix, Inc. (d/b/a V100.ai)

Privacy Officer: privacy@v100.ai

HIPAA Compliance: compliance@v100.ai

Security Issues: security@v100.ai

Data Protection Officer (EU): dpo@v100.ai

General Support: support@v100.ai

Website: https://v100.ai

Corporate Site: https://appuix.com

Mailing Address:

Appuix, Inc.

Attn: Privacy Officer

[Address to be provided]

Version 1.0
© 2025 Appuix, Inc. All rights reserved.