Legal

Privacy Policy

Last updated: May 11, 2026

1. Information We Collect

When you use TrulyVocal, we may collect the following types of information:

  • Feedback Submissions: Text content submitted through campaign feedback forms
  • Campaign Data: Campaign titles, descriptions, categories, and configuration settings created by organizers
  • Email Addresses: When provided by organizers for stakeholder communication via CSV upload
  • Usage Data: Anonymous analytics about how the platform is used, including page visits and feature interactions

2. How We Process Feedback

Feedback submitted through the platform is processed through a multi-stage AI pipeline. This process includes sentiment analysis, language sanitization (converting hostile or emotional language into constructive, actionable tasks), categorization, and report generation. Raw feedback is never shown to campaign organizers. Only AI-processed, sanitized summaries are presented.

3. Data Encryption & The Legal Vault

All raw feedback submissions are encrypted using AES-256 encryption before being stored in our Legal Vault (powered by Supabase with pgcrypto). This encryption ensures that raw feedback text cannot be read in the database without proper decryption credentials. Only users with the super_admin audit token can access decrypted vault entries through a dedicated, secured API endpoint.

4. Data Sharing & Third Parties

We do not sell your data. Information may be shared with the following third-party services solely for the purpose of operating the platform:

  • Google AI (Gemini / Gemma): For AI-powered sentiment analysis and feedback sanitization
  • Supabase: For secure data storage, authentication, and database operations
  • Resend: For transactional email delivery to campaign stakeholders

5. AI Observability & Logging

All AI model invocations are logged for observability, debugging, and audit purposes. These logs include model names, input/output token counts, latency metrics, and cost tracking. They do not contain raw feedback text — only metadata about the AI processing pipeline.

6. Data Retention

Encrypted vault entries are retained for the duration required by the campaign organizer and applicable legal requirements. Sanitized feedback data is retained as long as the associated campaign is active. Organizers may request deletion of campaign data at any time by contacting us.

7. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate data
  • Request deletion of your data
  • Object to or restrict certain processing activities
  • Receive your data in a portable format

To exercise any of these rights, please contact us through our contact page.

8. Security

We take the security of your data seriously. In addition to AES-256 encryption of raw feedback, we implement role-based access controls, secure API endpoints with token-based authentication, Edge Middleware for subdomain isolation, and comprehensive audit logging. However, no method of electronic storage is 100% secure, and we cannot guarantee absolute security.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last updated" date. You are advised to review this Privacy Policy periodically for any changes.

10. Contact Us

If you have questions about this Privacy Policy, please reach out via our contact page or email us at privacy@trulyvocal.com.