Privacy Policy

Last updated: May 2026

Vocatron AI ("we," "us," or "our") is committed to protecting the privacy of organizers, guests, and visitors. This policy explains what data we collect, how we use it, and your rights.

1. What Data We Collect

Organizer accounts:

• Email address (used for authentication and notifications)
• Event data: titles, dates, venues, descriptions
• Subscription and billing records (payment details are held by Stripe — we store only subscription status)
• Voice session transcripts and extracted memory facts from your conversations with Alex

Guest data (collected on behalf of organizers):

• Name and email address
• RSVP response, guest count, dietary restrictions
• Check-in records (timestamp, method)
• Voice session transcripts from RSVP conversations

Technical data:

• IP addresses and browser information in server logs (retained 30 days)
• Session cookies for authentication (expires on sign-out or browser close)

2. How We Use Data

• To provide the Service: Authentication, RSVP coordination, voice agent personalization, check-in management
• Semantic memory: Transcripts are analyzed by AI to extract facts (dietary preferences, special requests, etc.) that make future conversations more helpful. These facts are stored as searchable memories associated with your account and events.
• Billing: Processing payments and managing subscriptions via Stripe
• Communications: Sending magic links, RSVP confirmations, reminders, and support responses
• Security and debugging: Diagnosing errors and preventing abuse

3. AI Disclosure and Processing

Vocatron's voice assistant ("Alex") is an artificial intelligence, not a human. All voice interactions are with an AI system. Audio is processed momentarily for transcription and is never stored — only the resulting text transcript is retained.

Voice calls are processed by OpenAI's API (speech-to-text, language model, text-to-speech). Transcripts and extracted facts are sent to OpenAI for processing. OpenAI's data usage policy applies to this processing. We use OpenAI models in API mode — your data is not used to train OpenAI's models under their enterprise API terms.

Embeddings (numeric representations of text) are stored in our Supabase database to enable semantic search across your event history.

4. Data Sharing

We do not sell your data. We share data only with:

• OpenAI — for voice processing (STT, LLM, TTS, embeddings)
• Supabase — our database provider (hosted in the US)
• Stripe — for payment processing
• LiveKit — for WebRTC voice transport (audio stream only, not stored by LiveKit)

We may disclose data if required by law or to protect the rights and safety of our users.

5. Data Retention

• Active account data: retained while your account is active
• Suspended or cancelled accounts: retained for 12 months, then deleted
• Voice transcripts and memories (account holders): retained for the life of the account
• Discovery conversation context (visitors without an account): retained for 30 days after your most recent session, then deleted. Context migrates to your account and is retained indefinitely upon payment.
• Server logs: 30 days

You can request deletion of your data at any time by contacting us. We will respond within 30 days.

6. Your Rights

Depending on your location, you may have rights to:

• Access the personal data we hold about you
• Request correction of inaccurate data
• Request deletion of your data
• Object to certain processing activities
• Data portability (receive your data in a machine-readable format)

To exercise these rights, submit a support request. We will respond within 30 days.

7. Guest Data and Organizer Responsibility

Event organizers are the data controllers for their guests' personal information. Organizers are responsible for obtaining appropriate consent from guests and complying with applicable privacy laws (GDPR, CCPA, etc.) when collecting and using guest data through Vocatron.

8. Cookies

We use a single HTTP-only session cookie for authentication. We do not use tracking cookies, analytics cookies, or advertising cookies. No third-party tracking is present on our pages.

9. Security

Data is encrypted in transit (TLS) and at rest. We use Supabase Row Level Security to enforce data isolation between organizer accounts. API keys are never exposed to browsers — we use a token proxy pattern for all external service calls.

10. Changes to This Policy

We will notify active users by email of material changes to this policy. The "last updated" date above indicates when the policy was last revised.

11. Contact

Privacy questions or requests: Contact Support