Privacy

What we collect, why, and what you can ask us to do about it.

GDPR-compliant. EU residency by default. Your content is never used to train base models. Plain-language summary on top, full text below.

Effective: 2026-04-25 | Version: 4.0 | DPO: privacy@voceo.pl

1. Plain-language summary

  • Your content is yours. We never train base models on it. Period.
  • EU data residency by default. Frankfurt region. Other regions on Enterprise.
  • 30 days to leave with everything. Export your data within 30 days of cancellation; backups purged within 90.
  • You can ask us to delete anything, anytime. One email to privacy@voceo.pl.
  • Sub-processors are listed in §5 below — and we notify you 30 days before changes.

2. Data controller

Gate-Software sp. z o.o., ul. Kochanowskiego 37/k7, 33-100 Tarnów, Poland, registered with the National Court Register (KRS) under number 0000541667, NIP 9930656426, REGON 360676313, share capital: PLN 50,000. We act as Data Controller for account and billing data, and as Data Processor for personal data you upload into the Service.

3. What we collect

Category | Examples | Source
Account data | Name, email, role, company | You
Billing data | Company VAT ID, invoicing address, payment method (tokenized) | You / Stripe
Brand inputs | Logos, brand guidelines, past content, product descriptions | You
Generated content | Articles, posts, video scripts, graphics produced by Voceo | Service output
Usage data | Login timestamps, feature usage, error logs | Automatic
Channel tokens | OAuth tokens for LinkedIn, Meta, X, etc. | You authorize

4. Why we collect it

Lawful bases under GDPR Art. 6:

  • Contract performance — to deliver the Service you subscribed to (account, brand inputs, generated content, channel tokens).
  • Legitimate interest — to keep the Service secure, debug failures, and improve product quality (usage data, error logs).
  • Legal obligation — invoicing, accounting and tax records (billing data, retained for the period mandated by Polish law).
  • Consent — for marketing emails to non-customers and optional analytics cookies. You can withdraw consent at any time.

5. Who we share with (sub-processors)

We use a limited set of sub-processors. Each is bound by a written DPA and reviewed at least annually.

Vendor | Purpose | Region
OpenAI | LLM generation & embeddings (no training on inputs) | EU / US (SCCs)
Qdrant Cloud | Vector storage for BrandBrain | EU (Frankfurt)
HeyGen | Avatar video generation | US (SCCs)
SerpAPI | SERP research for SEO | US (SCCs)
Publer | Cross-channel social scheduling | EU
Stripe | Payment processing | EU / US (SCCs)
Hetzner / OVH | Hosting & backups | EU (DE / PL)

6. Retention

  • Account & brand data: kept while your subscription is active; deleted within 30 days of cancellation.
  • Generated content: retained for the duration of the subscription; exportable for 30 days post-cancellation.
  • Billing & invoicing: kept for 5 years per Polish accounting law.
  • Backups: rolling 90-day window. After cancellation, your data is purged from backups within 90 days.
  • Logs: 30 days for application logs, 13 months for security logs.

7. Your rights (GDPR)

As a data subject in the EEA, you can ask us to:

  • Access — receive a copy of your personal data we hold.
  • Rectify — correct inaccurate data.
  • Erase — delete data we no longer need to keep by law.
  • Port — receive your data in a structured, machine-readable format.
  • Object / restrict — to specific processing activities.
  • Withdraw consent — for any processing based on consent.

Send requests to privacy@voceo.pl. We respond within 30 days. You may also lodge a complaint with the Polish data protection authority (UODO) at uodo.gov.pl.

8. Cookies & tracking

The Voceo.ai marketing site uses only essential cookies (session, language preference). The application dashboard uses additional functional cookies for authentication and feature flags. We do not use third-party advertising cookies. Optional analytics (Plausible, privacy-first) is enabled with your consent.

9. International transfers

Where data is transferred outside the EEA (notably to OpenAI, HeyGen, SerpAPI), the transfer is governed by Standard Contractual Clauses (2021/914) and supplementary safeguards reviewed annually. We do not transfer customer content data to non-adequate jurisdictions without explicit consent.

10. Contact

Privacy questions, DPA requests, sub-processor changes, breach notifications: privacy@voceo.pl.

For general legal questions: legal@voceo.pl. For sales: demo@voceo.pl.

Need our DPA?

We'll send a counter-signed Data Processing Agreement within 24 hours.