PRIVACY POLICY - REVOICE

1. Data Controller and Contact Information

TechServices IT AB is the Data Controller for the processing operations where the Company determines the purposes and means of the processing.

• Company Name: TechServices IT AB
• Organization Number: 559450-2881
• Address: Köpmannagatan 22, 245 65 Hjärup, Sweden

2. Regulatory Roles under GDPR

• 2.1 The Company as Data Controller The Company acts as an independent Data Controller for processing related to the Service’s infrastructure, administration, and commercial operations. This includes: - Management of user accounts, authentication, and user profiles. - Management of subscriptions, payment flows, and billing. - Operational security, logging, technical troubleshooting, and proactive prevention of misuse. - Direct communication with registered users and operation of the website (including necessary cookies).
• 2.2 The Company as Data Processor When a legal entity or organization (the "Customer") uses the Service to process meeting content (such as recording, transcription, summarization, text analysis, and document management), the Company acts as a Data Processor on the instructions of the Customer. In these cases, the Customer is the Data Controller and is responsible for ensuring that: - A valid legal basis exists under Article 6 of the GDPR for the processing of meeting data. - All meeting participants have received adequate information (Articles 13 and 14 of the GDPR). - Recording and transcription are permitted. The Company’s obligations as a Data Processor are regulated in a separate Data Processing Agreement ("DPA").

3. Categories of Personal Data Processed

The Company processes the following categories of personal data:

• Administrative and Account Data: Name, e-mail address, password (stored in hashed form), profile settings, language preferences, workspace affiliation, and role.
• Technical and Security Data: IP address, device information, browser type, session data, login history, error reports, and security logs.
• Meeting Metadata: Meeting titles, timestamps, meeting links, platform information (e.g., Zoom, Microsoft Teams, Google Meet), and participant lists.
• Audio, Video, and Text Data: Audio and video recordings, screen sharing data, real-time transcriptions, final transcripts, speaker labels, and edited text versions.
• AI-generated Data: Summaries, action items, decision history, conversation analysis, sentiment analysis, data from AI chat (Live Assistant/Live Coach), and structured relationship data (knowledge graphs).
• Documentation (Company Knowledge): Uploaded files, extracted text, metadata, and associated vector representations (embeddings).
• Integration Data (Third-party): Calendar events, CRM/ERP metadata, and encrypted OAuth tokens (access/refresh tokens) upon user activation.
• Financial Data: Subscription status, customer ID at payment provider, and billing documentation. Credit card details are processed directly by a PCI-DSS-certified payment provider and are not stored by the Company.

4. Purposes and Legal Basis for Processing

5. Transparent Information for Meeting Participants

When ReVoice joins a virtual meeting as a digital bot or assistant, participants shall be notified. The Service is configured to provide an automatic message in the chat or corresponding interface:

• Swedish: "Hej, jag är Matilda från ReVoice. Jag deltar som AI-mötesassistent för att spela in/transkribera mötet och skapa AI-stödda anteckningar. Information om personuppgiftsbehandling finns på https://re-voice.io/privacy"
• English: "Hi, I’m Matilda from ReVoice. I’m joining as an AI meeting assistant to record/transcribe this meeting and create AI-assisted notes. Privacy information is available at https://re-voice.io/privacy"

This notification constitutes an information measure and does not replace the Customer's obligation to ensure that there is a legal basis for the recording itself.

6. Profiling and Automated Decision-Making

The Service applies advanced algorithms and AI for transcription, sentiment analysis, and summarization. These processes do not constitute automated decision-making that produces legal effects or similarly significantly affects the data subject within the meaning of Article 22 of the GDPR. AI-generated content should be considered decision support and should be verified manually by the User.

7. Recipients of Personal Data and Sub-processors

To provide the Service, the Company engages suppliers and sub-processors ("Sub-processors"). These act under strict written data processing agreements and include suppliers in areas such as server operations and cloud hosting, database management, specialized API suppliers for text-to-speech, speech-to-text, LLM models, and payment intermediaries. A complete and updated list of authorized Sub-processors is provided to corporate customers upon request in accordance with the applicable DPA.

8. Third-Country Transfers (Outside EU/EEA)

In the event that personal data is transferred to, or made accessible from, a country outside the EU/EEA (e.g., the USA), the Company ensures that the transfer relies on a legal basis and that an adequate level of protection is maintained. This is achieved through:

• Adequacy decisions issued by the European Commission (Article 45 GDPR), or;
• Standard Contractual Clauses (SCCs) approved by the European Commission (Article 46 GDPR), supplemented by encryption in transit and at rest, access restrictions, and other relevant security measures.

9. Storage and Retention (Retention Period)

Personal data is stored only for the period required to fulfill the purposes for which it was collected, or as long as required by law or applicable customer agreements.

• Account Data: Stored during the contract period (active account) and deleted or anonymized upon termination of the agreement, subject to statutory limitation periods.
• Meeting Data (Recordings, transcripts, AI data): Governed by the Customer's selected subscription plan and deletion settings. Licenses on the free tier may be subject to an automatic retention period of thirty (30) days.
• Accounting Records: Stored for seven (7) years in accordance with the Swedish Accounting Act (1999:1078).
• Backups: Deleted data may remain in encrypted backups for a limited cycle before permanent overwriting occurs.

10. Specific Terms for Third-Party Platforms

• 10.1 Google API Services When activating Google integrations, the Company processes strictly necessary data to synchronize the meeting structure. The Company’s use of information received via Google API occurs in strict compliance with the Google API Services User Data Policy, including its applicable Limited Use requirements. Data from the Google Workspace API is under no circumstances used to train or optimize general AI or machine learning models.
• 10.2 Microsoft Services When integrating Microsoft services (e.g., Outlook or Teams), profile data and calendar information are processed exclusively to identify, schedule, and connect the Service to relevant meeting instances upon the user's request.

11. Special Categories of Personal Data (Sensitive Data)

The Service is, in a structural sense, not intended for the processing of sensitive personal data (as referred to in Article 9 of the GDPR). Since meeting conversations may naturally contain unspecified information, it is the Customer's responsibility (as the Data Controller) to ensure that necessary security measures and a legal basis are in place before applying the Service to sensitive meeting contexts.

12. Children’s Privacy

The Service is not directed to, and is not intended for, persons under the age of eighteen (18). The Company does not knowingly collect personal data from minors. If it comes to our attention that personal data regarding a minor has been collected without proper parental consent, the Company will promptly take steps to permanently delete it.

13. Rights of the Data Subject

You as a data subject have the right to request access, rectification, erasure, restriction, data portability, and to object to processing or withdraw consent regarding the Company (when the Company acts as Data Controller). Contact privacy@re-voice.io to exercise your rights. You also have the right to lodge a complaint with the competent supervisory authority. In Sweden, this is the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY).

14. Technical and Organizational Security Measures

The Company implements and maintains appropriate technical and organizational security measures to ensure a level of security proportionate to the risk (Article 32 GDPR). These include:

• Transport encryption (TLS/SSL) and encryption of sensitive tokens at rest.
• Strict authorization controls, Role-Based Access Control (RBAC), and network isolation of production environments.
• Systematic logging, vulnerability analyses, rate-limiting, and proactive protection mechanisms against automated incidents.
• Established routines for the handling and reporting of personal data breaches.

15. Changes to this Policy

The Company reserves the right to unilaterally revise this Policy. In the event of material changes that affect the rights or obligations of data subjects, the Company will notify this in advance. The updated Policy applies from the date specified in the Policy. If a change requires consent or other action, the Company will obtain this where necessary.