VoCalm Privacy Policy

This Privacy Policy explains how VoCalm ("VoCalm", "we", "us", "our") collects, uses, shares, and protects information when you use our website and application (collectively, the "Service"). It also describes your privacy rights and choices under laws such as the EU/UK GDPR and U.S. state privacy laws (including the California Consumer Privacy Act as amended by the CPRA).

If you do not agree with this Privacy Policy, do not use the Service.

1. Who we are (Controller)

VoCalm is the operator of the Service and acts as the "data controller" for personal data processed under the GDPR/UK GDPR.

• Service name: VoCalm
• Website: https://vocalm.io
• Contact: [email protected] (write "Privacy Request" in the subject line)
• Mailing address: available upon request (contact [email protected])

2. Who this policy applies to

This policy applies to:

• Visitors to our website
• Users who create an account and use VoCalm's voice sessions, journaling, summaries, tips, and related features

3. Important notes (wellness app)

VoCalm is a mental wellness app and users may share sensitive information in voice sessions or journal entries. VoCalm is not a medical provider and the Service is not designed to meet HIPAA requirements unless we explicitly state otherwise.

Please avoid sharing information you do not want stored (for example, third-party personal information) and do not use the Service for emergencies.

4. Information we collect

A. Information you provide

• Account information: email address (used for magic-link authentication), and optional profile preferences.
• User content (highly sensitive by nature):
  • Voice session audio recordings (what you say during a session)
  • Transcripts generated from your audio
  • Journal entries (including edits you make)
  • Optional metadata you add (e.g., titles)
• Support communications: messages you send to us (and any information you include).

B. Information we generate from your use of the Service

To provide the Service, we may generate and store:

• Session metadata: timestamps, duration, processing status.
• Wellness insights derived from your content: summaries, coping tips, mood labels/scores, tags, trends, and similar outputs.

C. Information collected automatically

• Device and usage data: IP address, device/browser type, operating system, log events, pages/screens viewed, and approximate location derived from IP.
• Cookies and similar technologies: used for essential functionality (e.g., authentication and security) and, if enabled, analytics.

D. Payment information (if you purchase)

If we offer paid plans, payments are processed by third-party payment processors (e.g., Stripe). We generally receive limited billing information (such as plan purchased, payment status, and transaction identifiers) but do not store full payment card details.

5. How we use your information

We use personal data to:

• Provide and operate the Service, including authentication, session recording/upload, transcription, journaling, narration generation, and delivering summaries/tips.
• Process and secure your content, including storing audio and transcripts and making them available to you.
• Improve reliability and performance, such as debugging, monitoring, and preventing abuse.
• Communicate with you, including sending magic-link emails and service-related notices.
• Comply with legal obligations and enforce our terms.

We do not use your voice recordings or transcripts to identify you (biometric identification), and we do not sell your personal information.

6. Our legal bases (GDPR/UK GDPR)

Where the GDPR/UK GDPR applies, we process personal data under one or more of the following legal bases:

• Contract: to provide the Service you request (e.g., creating your account, storing sessions, providing your journal history).
• Consent: where required (e.g., microphone access; and, where applicable, processing of sensitive content you choose to provide). You can withdraw consent at any time, but this may limit features.
• Legitimate interests: to secure, maintain, and improve the Service (e.g., fraud prevention, service analytics, debugging), balanced against your rights.
• Legal obligation: to comply with applicable laws and lawful requests.

If your content includes information that may be considered special category data (for example, mental health information), we process it because you choose to provide it for the purpose of using the Service, and we take steps to protect it as described here.

7. How we share information

We share personal data only as needed to run the Service, including with:

• AI and speech providers (processors): to support realtime voice interactions, transcription, and generation of summaries, tips, and journal content. This may involve sending audio and/or text to these providers to perform requested processing.
• Cloud infrastructure and storage providers (processors): to store session audio and generated narration audio (for example, S3-compatible object storage such as Wasabi) and to host the Service.
• Email delivery providers (processors): to send magic-link authentication emails (for example, SendGrid).
• Payment processors (independent controllers or processors depending on the provider): to process paid subscriptions and transactions (for example, Stripe).
• Professional advisors: lawyers, accountants, auditors, and insurers, when necessary.
• Legal and safety disclosures: if we believe it is reasonably necessary to comply with law, enforce our terms, or protect users, the public, or the Service.

We do not share user audio, transcripts, or journal content with admins for routine operations; admin access is intended to focus on aggregated usage and wellness trends rather than individual content.

8. Cookies and similar technologies

We use cookies and similar technologies for:

• Essential features (e.g., login/session functionality, security protections).
• Analytics (if enabled) to understand usage and improve the Service.

You can control cookies through your browser settings. If you disable cookies, some features may not work properly.

9. Automated processing (AI)

VoCalm uses automated processing, including AI systems, to generate features such as transcripts, summaries, tips, and journal text. These outputs are intended for informational and wellness purposes. We do not use AI to make decisions that produce legal or similarly significant effects about you (for example, decisions about eligibility, employment, credit, or housing).

10. Data retention

We keep personal data for as long as needed to provide the Service and for legitimate business and legal purposes.

• Account data: retained while your account is active.
• Voice session audio, transcripts, journal entries, and derived insights: by default, retained until you delete them or delete your account.
• Backups: deleted on a rolling basis; residual copies may persist for a limited period.

You can request deletion of your account and associated data by contacting [email protected], and (where available) using in-app deletion controls.

11. Security

We use reasonable administrative, technical, and organizational measures designed to protect personal data, including:

• Encryption in transit (TLS)
• Access controls and authentication
• Private object storage with controlled access (e.g., signed URLs or API-mediated access)

No method of transmission or storage is 100% secure; we cannot guarantee absolute security.

12. International data transfers

We may process and store data in countries other than where you live (including the United States), and we may use service providers that operate globally. When required, we use appropriate safeguards for international transfers, such as Standard Contractual Clauses and other lawful transfer mechanisms.

13. Your rights and choices

A. GDPR/UK GDPR rights (EEA/UK users)

Depending on your location and the law that applies, you may have the right to:

• Access your personal data
• Correct inaccurate data
• Delete your data
• Restrict processing
• Object to processing
• Data portability
• Withdraw consent (where processing is based on consent)
• Lodge a complaint with your local supervisory authority

B. U.S. state privacy rights (including California)

Depending on your state of residence and applicable law, you may have rights to:

• Know/access the personal information we collected about you
• Delete personal information
• Correct inaccurate personal information
• Opt out of "sale" or "sharing" of personal information (as those terms are defined by law)
• Limit the use and disclosure of "sensitive personal information" (California)
• Not be discriminated against for exercising privacy rights

Sale/Sharing: VoCalm does not sell personal information. We also do not share personal information for cross-context behavioral advertising based on your voice sessions or journal content.

C. How to exercise your rights

Contact us at [email protected]with the subject "Privacy Request". We may need to verify your identity before fulfilling your request.

You may also be able to access, export, or delete certain information directly within the Service, depending on the feature.

14. Children's privacy

VoCalm is not intended for children. If you are under 18 (or the age of majority where you live), do not use the Service. If you believe a child has provided personal data, contact us at [email protected].

15. Changes to this policy

We may update this Privacy Policy from time to time. If we make material changes, we will take reasonable steps to notify you (for example, by posting an update in the Service). The "Last updated" date above indicates when this policy was last revised.

16. Contact us

Questions or requests:

• Email: [email protected]