Privacy Policy
1. Introduction
This Privacy Policy explains how Auspex Streamline S.L. ("Auspex", "we", "us") processes personal data in connection with AICA — AI Communication Analyzer ("Service", "Platform").
AICA is a B2B SaaS platform that provides AI-powered call analysis for businesses. We act as a data processor — our customers ("Customers", "Controllers") record calls and decide how the data is used. We process the data on their behalf, according to their instructions.
This policy covers two types of data processing:
- Section A: Data we process on behalf of Customers (call recordings, transcripts, analyses) — we act as Processor
- Section B: Data we process for our own purposes (platform accounts, website visitors) — we act as Controller
Section A: Processing on Behalf of Customers (Processor)
A.1 Our Role
When Customers use AICA to analyze calls, the Customer is the Controller and we are the Processor. This means:
| Responsibility | Who |
|---|---|
| Deciding to record calls | Customer (Controller) |
| Obtaining consent from call participants | Customer (Controller) |
| Informing call participants about recording and AI analysis | Customer (Controller) |
| Determining retention periods | Customer (Controller), within platform limits |
| Responding to data subject rights requests | Customer (Controller), using our API |
| Securely processing and storing data | Auspex (Processor) |
| Providing tools for compliance (DSR API, retention, deletion) | Auspex (Processor) |
| Ensuring sub-processor compliance | Auspex (Processor) |
A.2 Data We Process on Behalf of Customers
| Data Category | Description | Retention |
|---|---|---|
| Audio recordings | Call recordings uploaded by Customer or received via webhook | Configurable: 30–365 days (default: 90) |
| Transcripts | Text transcriptions generated from audio by ASR providers | Configurable: 90 days–unlimited (default: 365) |
| AI analyses | Quality scores, sentiment analysis, key points, sales indicators | Follows transcript retention |
| Communication metadata | Phone numbers, call duration, timestamps, caller IDs | Follows transcript retention |
| Alert data | Notifications triggered by analysis thresholds | Follows transcript retention |
A.3 How We Process This Data
- Customer uploads/sends audio
- AICA validates and stores audio (encrypted, Cloudflare R2 with AES-256-GCM server-side encryption)
- Audio sent to ASR provider (Deepgram or ElevenLabs) for transcription
- Transcript stored (Neon PostgreSQL)
- PII redaction applied to transcript (phone numbers, emails, card numbers)
- Transcript (with PII redaction applied) sent to LLM (via OpenRouter) for analysis
- Analysis results stored and delivered to Customer's CRM
- Data retained per Customer's settings, then automatically deleted
A.4 Sub-Processors
We use third-party sub-processors to provide the Service. The complete list is maintained at our Sub-Processor List.
| Provider | Purpose | Location |
|---|---|---|
| Deepgram / ElevenLabs | Speech-to-text transcription | US |
| OpenRouter (→ OpenAI / Anthropic) | AI analysis of transcripts | US |
| Neon | Database storage | US |
| Cloudflare | Infrastructure, audio storage | Global |
| Clerk | Platform authentication | US |
Customers are notified at least 30 days before any new sub-processor is added.
A.5 International Data Transfers
Auspex Streamline S.L. is established in Spain (EU). Some sub-processors are located in the United States.
For transfers of personal data outside the EU/EEA, we rely on:
- EU-US Data Privacy Framework (DPF) — where the sub-processor is DPF-certified
- Standard Contractual Clauses (SCCs) — the 2021 version approved by the European Commission
- Transfer Impact Assessments (TIAs) — conducted for each transfer
A.6 Security Measures
| Category | Measures |
|---|---|
| Encryption | TLS 1.2+ in transit; AES-256-GCM server-side encryption at rest (R2 SSE active by default); database encryption (Neon native) |
| Access control | Role-based access (RBAC); organization-level tenant isolation |
| Data minimization | PII redaction applied before LLM processing (phone, email, card numbers); configurable retention |
| Integrity | HMAC-SHA256 webhook verification; Zod input validation; SQL injection prevention (ORM) |
| Availability | Cloudflare edge network; database replication; idempotent processing |
| Monitoring | Audit logging for data access and modifications |
| Authentication | Multi-factor authentication via Clerk |
A.7 Data Subject Rights
Call participants (Data Subjects) should contact the Customer (Controller) to exercise their rights. The Customer is responsible for verifying the identity of the Data Subject, using the AICA API to fulfill the request, and responding within the legally required timeframe.
| Right | GDPR Article | AICA API |
|---|---|---|
| Right of access | Art. 15 | Data export API (JSON + audio) |
| Right to erasure | Art. 17 | Cascade deletion API |
| Right to rectification | Art. 16 | Data correction API |
| Right to data portability | Art. 20 | Machine-readable export (JSON + ZIP) |
| Right to object | Art. 21 | Opt-out from AI analysis per caller |
| Right to restrict processing | Art. 18 | Processing pause per record |
| Withdraw consent | Art. 7(3) | Consent withdrawal API (triggers deletion) |
A.8 Recording and Interception of Communications (ePrivacy)
The recording and interception of electronic communications is regulated by the ePrivacy Directive (2002/58/EC, Article 5(1)) and its national implementations. The Customer (Controller) is solely responsible for complying with applicable ePrivacy/telecommunications laws when recording calls, obtaining any required consent for recording under national law, and providing required pre-recording announcements or notifications.
AICA provides consent management tools (consent gate, jurisdiction configuration, consent audit trail) to assist Controllers in demonstrating compliance. However, AICA does not record calls — the Customer's telephony system performs the recording and transmits audio to AICA for processing.
A.9 AI Processing
AICA uses artificial intelligence to analyze call transcripts. Important limitations:
- Employee emotion recognition in the workplace is prohibited under the EU AI Act (Art. 5(1)(f)) from August 2, 2026. AICA disables agent emotion scoring for EU-configured tenants.
- AI analysis results are not used for automated decision-making with legal or significant effects without human review (GDPR Art. 22).
- Customers must inform call participants that AI is used to analyze calls (AI Act Art. 50 transparency obligation).
A.10 Data Breach Notification
In the event of a personal data breach affecting Customer data:
- We notify the Customer within 48 hours of becoming aware of the breach
- We provide: nature of breach, categories and approximate number of records affected, likely consequences, measures taken
- The Customer is responsible for notifying the supervisory authority (within 72 hours for GDPR) and affected Data Subjects
Section B: Processing for Our Own Purposes (Controller)
B.1 Platform User Accounts
| Element | Description |
|---|---|
| Data subjects | Customer employees who access the AICA platform |
| Data collected | Name, email address, role, organization, login history |
| Purpose | Platform authentication, authorization, usage analytics |
| Legal basis | Performance of contract (Art. 6(1)(b)) |
| Retention | Duration of service + 30 days post-termination |
| Third parties | Clerk (authentication), Cloudflare (infrastructure) |
B.2 Website Visitors
| Element | Description |
|---|---|
| Data subjects | Visitors to our website and documentation |
| Data collected | IP address, browser information, pages visited |
| Purpose | Website functionality, analytics, security |
| Legal basis | Legitimate interest (Art. 6(1)(f)) |
| Retention | 90 days |
| Third parties | Cloudflare (CDN, security) |
B.3 Your Rights (Section B Data)
For data we process as Controller (Section B), you can exercise the following rights by contacting us at privacy@auspex.company:
- Access — Request a copy of your personal data
- Rectification — Correct inaccurate data
- Erasure — Request deletion of your data
- Restriction — Limit how we process your data
- Portability — Receive your data in a portable format
- Object — Object to processing based on legitimate interest
- Withdraw consent — For marketing communications
We will respond within 30 days (GDPR) or 45 days (CCPA). You also have the right to lodge a complaint with your local supervisory authority. For Spain: Agencia Española de Protección de Datos (AEPD), www.aepd.es.
4. Children's Data
AICA is a B2B service not directed at children. We do not knowingly process personal data of children under 16.
5. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated to Customers via email at least 30 days before they take effect.
6. Contact
Data Processor / Controller:
Auspex Streamline S.L.
C.I.F.: B56341829
Calle Velarde 13, 4B
35010 Las Palmas de Gran Canaria
Canarias, Spain
Privacy inquiries: privacy@auspex.company
For call participants: Please contact the company that recorded your call. They are the Controller of your data and responsible for responding to your requests.
Document ID: PP-AICA-2026-001 · Version: 1.1