Privacy Policy
Last updated: April 2026
1. Data Controller
Nyxone OÜ (registry code 16172329, VAT ID EE16172329), Harju maakond, Tallinn, Kesklinna linnaosa, Narva mnt 5, 10117, Estonia, operating as "Vernix" ("we", "us", "our"), is the data controller for the personal data processed through this service. For any data-protection enquiries, contact us at hello@vernix.app.
2. Personal Data We Collect
We collect and process the following categories of personal data:
- Account data — name, email address, and hashed password, collected at registration.
- Meeting content — audio streams, video recordings, transcripts, AI-generated summaries, and extracted action items produced when a meeting bot joins a call.
- Uploaded documents — files you upload to the knowledge base (PDF, DOCX, TXT, MD).
- Usage and diagnostic data — IP address, browser type, pages visited, feature interactions, error reports, and performance metrics.
- API access data — API key usage logs, request metadata (timestamps, endpoints, IP addresses), and rate limit counters. API keys are stored as bcrypt hashes; only a non-reversible prefix is retained for identification.
3. Legal Bases for Processing (GDPR Art. 6)
- Performance of a contract (Art. 6(1)(b)) — processing account data, meeting content, and uploaded documents is necessary to provide the Service you have signed up for.
- Legitimate interest (Art. 6(1)(f)) — error monitoring via Sentry, infrastructure logging, and security measures, where our interest does not override your fundamental rights.
- Consent (Art. 6(1)(a)) — analytics cookies (Google Analytics) are only activated after you grant explicit consent via our cookie banner. You may withdraw consent at any time.
4. How We Use Your Data
We use your data to operate, maintain, and improve the Service — including real-time transcription, AI-powered summarisation, semantic search, and the voice agent. We do not sell your personal data or meeting content to third parties, nor do we use it for advertising purposes.
5. Sub-Processors and Third-Party Services
We share personal data with the following sub-processors, each acting under a Data Processing Agreement (DPA) or equivalent contractual safeguards:
| Sub-Processor | Purpose | Data Processed | Location |
|---|---|---|---|
| Recall.ai (Hyperdoc Inc.) | Meeting bot and call capture | Audio streams, video metadata, transcript segments | United States |
| OpenAI | Transcription, embeddings, summarisation, voice agent | Transcript text, document chunks, user queries | United States |
| Railway | Application hosting and managed PostgreSQL database | All account, meeting, and application data | United States |
| Sentry | Error monitoring and performance diagnostics | IP address, browser metadata, error stack traces | United States |
| Google Analytics | Website analytics (consent-based only) | Pseudonymised usage data, device info, page views | United States / EU |
| Contentsquare | UX analytics, heatmaps, session replays (consent-based only) | Click/scroll behaviour, page interactions, anonymised session data | EU / United States |
We maintain DPAs with each sub-processor and conduct periodic reviews to verify compliance. An up-to-date sub-processor list is available upon request.
If you connect optional third-party integrations (including OAuth-based or API key-based MCP integrations), we process and exchange data with those providers at your direction to provide the integration functionality. These connected integrations are distinct from our core sub-processors above: they are selected by you, may have their own independent data practices, and are governed by the terms and privacy policies of the relevant provider. You can revoke access by disconnecting the integration or revoking credentials with the provider.
6. Data Retention
- Account data — retained for the lifetime of your account, plus 30 days after deletion to allow recovery.
- Meeting content — transcripts, summaries, and action items are retained until you delete the meeting or your account. Video recordings are stored for a default retention period of 90 days after the meeting ends, after which they are automatically deleted. You may disable recording storage for individual meetings before they start.
- Uploaded documents — retained until you delete them or your account.
- Recall.ai — we delete bot data from Recall.ai after processing is complete. Recall.ai may retain residual data in accordance with their own retention policy.
- OpenAI (API) — API inputs and outputs may be retained by OpenAI for up to 30 days for abuse and safety monitoring, after which they are deleted. OpenAI does not use API data to train models.
- Sentry — error and performance data is retained for up to 90 days.
- Google Analytics — data retention is configured to 14 months; IP anonymisation is enabled.
7. International Data Transfers
Your data is processed primarily in the United States. Where personal data is transferred outside the European Economic Area (EEA), United Kingdom, or Switzerland, we rely on (a) European Commission Standard Contractual Clauses (SCCs), (b) the UK International Data Transfer Addendum, or (c) an adequacy decision, as applicable. Copies of the relevant transfer mechanisms are available upon request.
8. Data Storage and Security
Personal data is stored in an encrypted PostgreSQL database hosted on Railway. Meeting transcripts are additionally indexed in a vector database (Qdrant) for search functionality, scoped to your account. Uploaded documents are held in encrypted S3-compatible object storage. All connections use TLS encryption in transit. Passwords are hashed with bcrypt. Access to production systems is restricted to authorised personnel.
9. Your Rights (GDPR / UK GDPR)
Depending on your jurisdiction, you have the following rights with respect to your personal data:
- Access — request a copy of the personal data we hold about you.
- Rectification — correct inaccurate or incomplete data.
- Erasure— request deletion of your personal data ("right to be forgotten"). See Section 10 below.
- Restriction — request that we restrict processing in certain circumstances.
- Portability — receive your data in a structured, machine-readable format (JSON or Markdown export is available through the Service).
- Objection — object to processing based on legitimate interest.
- Withdraw consent — where processing is based on consent (e.g. analytics cookies), you may withdraw at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, email hello@vernix.app. We will respond within 30 days. You also have the right to lodge a complaint with your local data-protection supervisory authority. Our lead supervisory authority is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon).
10. Personal Data Removal Requests
Upon receiving a verified erasure request, we will: (a) delete your account and all associated data from our database within 30 days; (b) remove your meeting transcripts and document embeddings from the vector database; (c) delete uploaded files from object storage; and (d) instruct our sub-processors (Recall.ai, OpenAI, Railway, Sentry) to delete any personal data they hold on your behalf, to the extent technically feasible. Some data may persist in encrypted backups for up to 90 days before being overwritten.
11. Cookies
We use essential cookies for authentication and session management. We also use essential monitoring technologies from Sentry to detect errors and maintain service reliability. Optional Google Analytics cookies are only activated after you provide explicit consent via our cookie banner. For full details, see our Cookie Policy.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated by posting the updated policy on the Service and updating the "Last updated" date above. Where required by law, we will seek your renewed consent.
13. Contact
For privacy-related questions or to exercise your data rights, contact us at hello@vernix.app.