Privacy Policy

We process your personal data only when we have a valid legal basis. The table below shows which basis applies to each processing activity:

Where we rely on legitimate interest, we have conducted balancing tests and determined that our interests do not override your rights and freedoms. You can request details of these assessments by contacting dpo@appuix.com.

Where we rely on consent, you may withdraw consent at any time without affecting the lawfulness of processing that occurred before withdrawal.

Account Information

When you create an account, we collect: name, email address, organization name, billing address, payment information (processed by Stripe; we do not store full credit card numbers), phone number (if provided for SMS verification), and IP address at registration.

Meeting & Session Data

• Video & Audio Streams: Real-time media relayed through our RustTURN servers. Streams are encrypted end-to-end and are not stored unless recording is explicitly enabled by the meeting host.
• Recordings: When enabled, meeting recordings are stored encrypted (AES-256-GCM) in your designated storage region.
• Transcriptions & Captions: Generated by AI speech recognition. Stored with your recordings and subject to your data retention settings.
• Chat Messages: In-meeting text chat is stored for the duration of the session and included in meeting records if recording is enabled.
• Metadata: Session duration, participant count, join/leave times, connection quality metrics, AI agent activation logs, and billing events.

AI-Processed Data

• Video Editing: Uploaded source video, AI-extracted clips, viral scores, transcriptions, thumbnails, and rendering outputs.
• AI Agent Outputs: Meeting notes, action items, translations, sentiment analysis results, and fact-check reports.
• Voice Clone Data: Voice samples provided for cloning are stored encrypted and used solely for voice synthesis within your account.
• Avatar Interactions: Conversation logs from AI avatar sessions, including participant responses and engagement metrics.

Calendar & Scheduling Data

When you use scheduling features, we collect: calendar events (synced from Google/Microsoft with your authorization), booking page configurations, invitee names and email addresses, timezone data, and meeting preferences.

Usage & Technical Data

We automatically collect: IP address, browser type, operating system, device information, pages viewed, referral URL, session duration, feature usage patterns, API call logs, and error reports.

We use collected personal data for the following purposes:

• Service Delivery: To provide, operate, maintain, and improve the V100.ai platform, including video conferencing, AI processing, scheduling, and billing.
• AI Processing: To power transcription, translation, content analysis, clip extraction, viral scoring, sentiment analysis, voice cloning, and avatar interactions as requested by you.
• Billing & Invoicing: To calculate usage-based charges, generate invoices, process payments, and prevent billing fraud.
• Security & Fraud Prevention: To detect and prevent unauthorized access, abuse, fraud (including impossible travel detection, credential stuffing, and brute force attacks), and violations of our Terms of Service.
• Communication: To send transactional emails (receipts, meeting invites, booking confirmations, security alerts), and with your consent, product updates and marketing communications.
• Legal Compliance: To comply with legal obligations, respond to lawful requests from public authorities, and enforce our Terms of Service.
• Analytics: To analyze aggregate, de-identified usage patterns to improve the Service. We do not sell personal data.

Given the extensive AI capabilities of V100.ai, we provide specific transparency about AI data handling:

Transcription & Translation

Audio data is processed in real time by our speech recognition pipeline (Whisper + Deepgram). Audio segments are processed in memory and are not persisted beyond the transcription session unless recording is enabled. Transcripts are stored encrypted in your account.

Content Analysis (LLM Processing)

Video content submitted for AI auto-editing is analyzed by large language models (Claude, Gemini) for clip extraction and scoring. Your content is sent to these providers under data processing agreements that prohibit them from using your data for model training, retaining your data beyond the processing session, or sharing your data with third parties.

Sentiment & Mood Analysis

The Mood Tracker AI agent analyzes audio tone, speech patterns, and linguistic cues to estimate participant sentiment. This analysis is algorithmic and probabilistic. Results are stored as metadata within meeting records and are available only to the meeting host and authorized administrators.

Voice Cloning

Voice samples you provide for cloning are stored encrypted and used solely to generate synthetic speech within your account. Voice models are not shared across accounts. You may delete voice clone data at any time, which permanently destroys the model.

Automated Decision-Making (GDPR Article 22)

We share personal data only with vetted processors and recipients, each bound by data processing agreements (DPAs). The following is a complete list:

All third-party AI providers (Deepgram, Anthropic, Google) are contractually prohibited from using your data for model training, retaining your data beyond the processing session, or sharing your data with other parties.

Other Sharing Circumstances

• White-Label Hierarchy: If you access V100.ai through a white-label reseller, limited account and usage data is shared with your reseller as necessary for billing and support. Resellers cannot access your meeting content or recordings.
• Legal Requirements: We may disclose data when required by law, subpoena, court order, or government request; to protect the rights, property, or safety of Appuix, our users, or the public; or to detect, prevent, or address fraud, security, or technical issues.
• CSAM Reporting: As required by federal law (18 U.S.C. § 2258A), any detected child sexual abuse material is reported to NCMEC along with relevant account and content information.
• Business Transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred as part of the transaction. We will notify you of any such transfer and any changes to this Privacy Policy.

Appuix, Inc. is based in the United States. If you access V100.ai from the European Economic Area (EEA), United Kingdom, or Switzerland, your personal data will be transferred to and processed in the United States.

We protect these transfers through the following safeguards:

• EU-US Data Privacy Framework: Appuix complies with the EU-US Data Privacy Framework principles for transfers from the EEA.
• Standard Contractual Clauses (SCCs): For transfers not covered by an adequacy decision, we rely on SCCs approved by the European Commission (Commission Implementing Decision (EU) 2021/914).
• Data Processing Agreements (DPAs): Available upon request for enterprise customers. Contact dpo@appuix.com.

V100.ai also supports data residency controls for customers with geographic data storage requirements:

• Recordings, transcriptions, and media assets can be stored in your selected region (US, EU, APAC).
• Real-time media is relayed through the nearest RustTURN node and is not persisted outside of recordings.
• Metadata and billing records are processed in the United States.
• Data residency controls are available on Growth and Scale plans.

We retain your data only as long as necessary for the purposes for which it was collected. Specific retention periods are:

You may request early deletion of your data at any time, subject to legal retention obligations. Data deletion requests are processed within 30 days.

We implement comprehensive security measures to protect your data:

• Encryption: AES-256-GCM for all data at rest. TLS 1.3 for all data in transit. End-to-end encryption for media streams.
• Post-Quantum Readiness: Our encryption infrastructure supports post-quantum cryptographic algorithms to protect against future quantum computing threats.
• Infrastructure: SOC 2 Type II audited. Multi-region deployment with automatic failover. Per-tenant encryption key isolation.
• Access Controls: Role-based access control, multi-factor authentication, API key scoping, and least-privilege principles for all internal systems.
• Monitoring: 24/7 infrastructure monitoring, automated threat detection, intrusion detection systems, and real-time alerting.
• Testing: Regular third-party penetration testing, vulnerability scanning, and security code reviews.
• Incident Response: Documented incident response procedures with breach notification within 72 hours as required by GDPR Article 33 and applicable laws.

For customers who execute a Business Associate Agreement (BAA) with Appuix:

• Protected Health Information (PHI) is processed, stored, and transmitted in compliance with the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule.
• PHI is encrypted at rest (AES-256-GCM) and in transit (TLS 1.3 + E2E media encryption).
• Access to PHI is restricted by role-based access controls with admin, provider, and patient role separation.
• Audit trails for all PHI access are maintained for a minimum of 7 years.
• De-identification procedures follow the Safe Harbor method under 45 CFR § 164.514(b).
• BAAs are available on Growth and Scale plans. Contact compliance@appuix.com to execute a BAA.

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR):

• Right of Access (Art. 15): Request a copy of the personal data we hold about you, including information about the purposes of processing, categories of data, and recipients.
• Right to Rectification (Art. 16): Request correction of inaccurate or incomplete personal data.
• Right to Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations.
• Right to Restriction (Art. 18): Request restriction of processing in certain circumstances, such as when you contest the accuracy of data or object to processing.
• Right to Data Portability (Art. 20): Request your data in a structured, commonly used, machine-readable format (JSON or CSV) and have it transmitted to another controller.
• Right to Object (Art. 21): Object to processing based on legitimate interests or for direct marketing purposes. We will stop processing unless we demonstrate compelling legitimate grounds.
• Right Regarding Automated Decision-Making (Art. 22): Right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. You may request human review.
• Right to Withdraw Consent (Art. 7): Where processing is based on consent, you may withdraw consent at any time. This does not affect the lawfulness of processing before withdrawal.
• Right to Lodge a Complaint: You have the right to lodge a complaint with your local supervisory authority (data protection authority) if you believe your data has been processed unlawfully.

How to Exercise Your Rights

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

• Know: Right to know what personal information we collect, use, disclose, and sell.
• Delete: Right to request deletion of your personal information.
• Opt-Out of Sale: We do not sell personal information. There is nothing to opt out of.
• Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
• Correction: Right to request correction of inaccurate personal information.
• Limit Use of Sensitive Personal Information: Right to limit the use and disclosure of sensitive personal information.

To exercise CCPA/CPRA rights, contact privacy@v100.ai. We will verify your identity before processing requests. Requests are fulfilled within 45 days.

Categories of personal information collected in the last 12 months: Identifiers (name, email, IP), commercial information (billing records, usage data), internet/electronic activity (logs, feature usage), audio/visual information (recordings, voice clones), and professional/employment information (organization, title).

V100.ai uses cookies organized into three categories:

• Essential Cookies: Required for authentication, session management, security, consent tracking, and core platform functionality. Cannot be disabled. Includes: v100_cookie_consent, v100_access_token, v100_refresh_token, v100_csrf.
• Analytics Cookies: Used to understand how the platform is used, identify performance issues, and improve the Service. Require your consent. We do not share analytics data with advertising networks.
• Marketing Cookies: We do not currently use marketing cookies or third-party advertising trackers. If we add them in the future, they will require your explicit consent.

We do not use third-party advertising cookies or tracking pixels. We do not participate in cross-site tracking or retargeting programs.

You can manage your cookie preferences at any time by clicking Cookie Settings or visiting our detailed Cookie Policy.

If your browser sends a Do Not Track (DNT) signal, we automatically reject all non-essential cookies.

V100.ai is not directed to children under the age of 16. We do not knowingly collect personal information from children under 16 years of age, in accordance with GDPR Article 8 and the US Children's Online Privacy Protection Act (COPPA, age threshold 13).

If we discover that we have collected personal information from a child under the applicable age threshold, we will delete that information immediately and terminate the associated account.

If you believe a child has provided us with personal information, please contact us immediately at privacy@v100.ai.

Educational institutions using V100.ai for students under 18 must comply with COPPA, the Family Educational Rights and Privacy Act (FERPA), and applicable state student privacy laws. Such use requires a separate agreement addressing student data protection.

We may update this Privacy Policy from time to time. We will notify you of material changes through:

• An email notification to the address associated with your account.
• A prominent notice on the Service (banner or in-app notification).
• At least 30 days advance notice before material changes take effect.

The "Last updated" date at the top of this page reflects the most recent revision. Your continued use of the Service after changes take effect constitutes acceptance of the updated Privacy Policy.

Where required by GDPR, we will seek fresh consent for any new processing activities that require it.

While Appuix is not legally required to appoint a Data Protection Officer (DPO) under GDPR Article 37, we have voluntarily designated a DPO to oversee data protection compliance. For any privacy-related inquiries, requests, or complaints, please contact:

If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority. A list of EU supervisory authorities is available at edpb.europa.eu.