Trust center
Privacy policy
Audexe treats every dataset as mission critical. This policy details the safeguards, governance, and controls that keep your information protected throughout the lifecycle of our AI automation platform.
1. Scope and overview
This Privacy Policy explains how Audexe PBC (Audexe, we, our) collects, uses, discloses, and protects personal information across our AI automation platform, professional services, marketing properties, and support operations.
- Who this covers: Customers, workspace members, prospects, applicants, site visitors, and any person who interacts with Audexe-managed applications or communications.
- Controller information: Audexe PBC, 200 Townsend Street, Suite 120, San Francisco, CA 94107, acts as data controller for direct customers and as data processor for customer-controlled content.
- Regulatory alignment: Our practices are designed to satisfy GDPR, CCPA/CPRA, LGPD, HIPAA, SOC 2, ISO 27001 controls, and other regional privacy requirements applicable to voice and workflow automation workloads.
2. Information we collect
We limit collection to the information needed to operate the service, fulfil contracts, provide support, and meet legal obligations. Customer content remains yours at all times.
- Account and billing information: Names, work emails, phone numbers, job titles, organization profiles, billing contacts, payment instruments, tax details, and contract metadata supplied when creating or managing a workspace.
- Workspace configuration and telemetry: Login timestamps, IP addresses, device fingerprints, workflow identifiers, API usage, latency metrics, job success rates, model selections, and feature flags necessary to monitor reliability.
- Customer content and integrations: Conversation transcripts, call recordings, uploaded documents, CRM records, calendars, and knowledge-base files that you route into Audexe through APIs or connectors.
- Support and trust interactions: Help-desk tickets, chat transcripts, troubleshooting media, incident reports, surveys, and verification data required to resolve issues or manage compliance reviews.
- Marketing and website data: Cookie identifiers, referral data, product interest tags, webinar registrations, and communication preferences that help us tailor content when you opt in.
3. How we use information
Each dataset is bound to a documented purpose. We never sell personal data, and we do not train public foundation models using customer content.
- Provide and maintain services: Authenticate users, configure agents, execute workflows, deliver notifications, provide customer support, process transactions, and enforce workspace policies.
- Improve reliability and quality: Aggregate telemetry to diagnose issues, benchmark performance, design new safeguards, and enhance accuracy. Individual records are accessed only when authorized by the customer or required by law.
- Security and fraud prevention: Detect abusive behavior, investigate incidents, perform audits, protect our infrastructure, and comply with safety and regulatory commitments.
- Communications: Send onboarding materials, contractual notices, incident advisories, feature updates, surveys, and marketing messages where permitted.
4. Legal bases and choices
When the GDPR, UK GDPR, or other privacy laws apply, we rely on specific legal bases for each processing activity and offer controls aligned to those frameworks.
- Performance of a contract: Processing necessary to deliver the Audexe services you request, including provisioning, billing, support, and technical operations.
- Legitimate interests: Securing our platform, preventing abuse, innovating responsibly, and understanding adoption while balancing these interests against individual rights.
- Consent: Optional telemetry, marketing emails, beta research programs, cookies, and any processing not strictly required to provide the service. Consent can be withdrawn at any time.
- Legal obligations: Retention of tax records, responding to lawful requests, meeting telecom regulations, and fulfilling industry certifications and audits.
5. Sharing and disclosures
We disclose information only to entities that help us run the service or when you direct us to do so.
- Subprocessors and vendors: Hosting providers, telephony carriers, analytics platforms, email delivery partners, and professional advisers that are bound by DPAs, confidentiality, and security requirements equivalent to our own.
- Customer-directed integrations: CRMs, ticketing systems, collaboration tools, and data warehouses you connect through APIs or connectors. We transmit only the data necessary to fulfill the integration.
- Corporate transactions: If Audexe undergoes a merger, acquisition, financing, or corporate reorganization, data may transfer under binding commitments that preserve existing privacy promises.
- Regulators and lawful requests: We respond to subpoenas, court orders, or government requests only where legally required and, when permitted, we notify affected customers before disclosing information.
6. Retention and deletion
Retention schedules are transparent and configurable so you can align Audexe usage with your own governance requirements.
- Default retention windows: Conversation transcripts and audio remain for 90 days, system logs for 30 days, diagnostic traces for 7 days, and billing artifacts for the period mandated by applicable law.
- Custom schedules: Workspace admins can shorten retention, switch to metadata-only storage, turn on automatic redaction of sensitive attributes, or request extended retention pursuant to contractual requirements.
- Deletion tooling and APIs: Self-serve controls and API endpoints allow you to delete individuals, channels, datasets, or entire workspaces. Backup systems reflect deletions within 30 days and we can provide deletion attestations on request.
- Account closure: When a contract ends, we disable workspace access within 30 days and delete customer content unless law requires retention or you instruct us otherwise.
7. Security safeguards
Audexe protects infrastructure with layered technical, organizational, and administrative controls.
- Encryption everywhere: TLS 1.3 secures data in transit, AES-256 encrypts data at rest, keys rotate on a defined schedule, and customer-managed keys are available for eligible plans.
- Access management: Production systems reside within isolated VPCs, engineers authenticate with SSO plus MFA, approvals follow least-privilege principles, and every privileged action is logged and reviewed.
- Secure development lifecycle: Code review, dependency scanning, container hardening, supply-chain monitoring, and independent penetration tests are conducted at least twice per year.
- Incident response: 24/7 monitoring, automated alerting, documented runbooks, and defined customer notification timelines allow us to contain and communicate about events quickly.
8. International transfers and subprocessors
Audexe operates globally while giving customers control over where their data lives and how it is transferred across borders.
- Regional hosting options: You can select US or EU data residency. When a region is chosen, we store conversation content, telemetry, and backups in that geography unless you explicitly enable cross-region redundancy.
- Transfer safeguards: Standard Contractual Clauses, the UK IDTA, and supplementary encryption controls cover transfers from the EEA, UK, and Switzerland. Data protection impact assessments are completed for new transfer scenarios.
- Subprocessor registry: A live registry is published inside the admin console and trust center. We provide at least 30 days notice before onboarding a new vendor to give you time to object.
- Onward transfer accountability: Vendors must flow down equivalent privacy obligations, support audits, and promptly inform us of any incident affecting customer information.
9. Your rights and controls
Audexe helps you fulfill data subject rights requests and offers granular controls so administrators can manage privacy preferences.
- Access and portability: Export transcripts, metadata, audit logs, configuration snapshots, and billing records in machine-readable formats via the console or API.
- Correction and restriction: Update inaccurate profile fields, restrict processing for contested records, pause analytics on specific datasets, or disable marketing communications without affecting core services.
- Deletion and revocation: Request deletion of individuals or entire workspaces, revoke API tokens, disable integrations, or withdraw consent for optional processing at any time.
- Authorized agent requests: We honor verified requests submitted by authorized agents on behalf of California, Virginia, Colorado, Quebec, and EU/UK residents through documented workflows.
10. Cookies and similar technologies
Our marketing site and product dashboard rely on a limited set of cookies and local storage items to deliver functionality and understand engagement.
- Essential cookies: Session security, localization, fraud prevention, and load balancing cookies are required to operate the service and expire automatically.
- Analytics and performance: We use first-party analytics to understand feature adoption and improve usability. IP addresses are truncated and results are aggregated before review.
- Advertising: Audexe does not run third-party behavioral advertising cookies by default. Where we pilot campaigns, we request opt-in consent and provide a clear ability to decline.
- Managing preferences: You can adjust cookie choices through our banner, modify browser settings, or email privacy@audexe.com to have a preference recorded across sessions.
11. Children and sensitive data
Our services target business users and are not intended for children or for inherently sensitive personal data.
- Children: Audexe does not knowingly collect information from anyone under 16. If we learn that such data was provided, we delete it and notify the customer.
- Sensitive categories: Customers should avoid uploading government identifiers, health records, or biometric templates unless our contract specifically covers that processing. When enabled, we apply additional encryption and access controls.
- Voice recording notices: Call participants can be informed via customizable prompts and visual notices. Customers are responsible for obtaining consent where required by local law.
12. Contact and updates
We review this Privacy Policy at least quarterly and whenever we add substantial new functionality or data flows.
- Contact our privacy team: Email privacy@audexe.com or write to Audexe PBC, Attn: Privacy, 200 Townsend Street, Suite 120, San Francisco, CA 94107 USA. For urgent incidents you can also reach security@audexe.com.
- Data protection officer: Our DPO can be contacted at dpo@audexe.com and responds to verified requests within 30 days, or sooner when local law requires.
- Policy updates: Material changes are announced through in-product banners, admin emails, and the status page at least 15 days before the new terms take effect.
- Effective date: This Privacy Policy took effect on 17 November 2025 and remains in force until replaced with a newer version.
Need something not covered here? Email privacy@audexe.com and our trust team will respond within one business day. For urgent security matters contact security@audexe.com or reach our incident line published in the customer admin console.
