Privacy Policy

1. Information We Collect

To provide our bio-acoustic intelligence services, we collect and process the following categories of data:

1.1 Voice Recordings

Audio files you upload or record through our platform. These recordings are processed by our 107+ AI analysis engines to extract acoustic features including pitch, cadence, spectral energy, jitter, shimmer, harmonic-to-noise ratio, and other biosignal markers. We do not transcribe or store the semantic content of your speech.

1.2 Account Information

Email address, name, and authentication credentials provided during registration or Google OAuth sign-in. This data is used for account management, report delivery, and service communication.

1.3 Payment Data

All payment transactions are processed securely through Stripe. ORAVYS does not store your full credit card number, CVV, or banking details. We retain only transaction identifiers and purchase history necessary for order fulfillment and refund processing.

1.4 Technical Data

IP address, browser type, device information, operating system, session identifiers, and interaction timestamps collected automatically when you use the platform. This data supports security, performance monitoring, and abuse prevention.

1.5 Usage Data

Pages visited, analysis requests submitted, features used, and interaction patterns. Collected via anonymized Google Analytics (with IP anonymization enabled) for platform improvement.

2. How We Use Your Data

Your information is used exclusively for the following purposes:

• Service Delivery: Processing your voice recordings through our biosignal analysis engines and generating your requested reports.
• Account Management: Authentication, session handling, subscription management, and report access.
• Communication: Sending analysis reports, service notifications, order confirmations, and responding to support requests.
• Platform Improvement: Anonymized, aggregated data may be used to improve model accuracy and platform quality. No individual re-identification is possible from aggregated data.
• Security: Fraud detection, abuse prevention, and maintaining the integrity of our systems.
• Legal Compliance: Meeting our obligations under applicable law.

3. Voice Data Processing

Voice data is uniquely sensitive. ORAVYS implements specific protections for audio recordings:

• Immediate Processing: Audio files are processed by our engine pipeline and acoustic features are extracted. The original audio is deleted within 24 hours (Free/Pro tiers) or per your configured retention policy (Enterprise).
• No Voice Fingerprinting: We do not create persistent voice fingerprints, speaker identification templates, or biometric profiles that could be used to identify you across sessions or platforms.
• No Third-Party Audio Sharing: Your voice recordings are never shared with, sold to, or accessible by any third party. Audio is encrypted in transit (TLS 1.3) and at rest (AES-256).
• No Cross-Session Linking: We do not link audio from different sessions to build persistent voice profiles unless you explicitly enable this feature.
• Consent Verification: ORAVYS may refuse to process audio that appears to have been recorded without proper consent of the speaker(s).

4. No Training on Your Data (by Default)

ORAVYS does not use your voice recordings or analysis results to train, fine-tune, or improve AI/ML models unless you explicitly opt in. This commitment applies to all service tiers:

• Free Tier: No training on your data. Optional opt-in toggle available in privacy settings.
• Pro Tier: No training on your data. No opt-in offered.
• Enterprise Tier: No training. Contractual guarantee via Data Processing Addendum (DPA).

If you provide feedback (such as rating a report), that specific interaction may be used to improve quality, with explicit notice at the time of feedback.

5. Data Retention and Deletion

We retain personal data only for as long as necessary to fulfill the purposes described in this policy:

• Voice Recordings (Free Tier): Deleted within 24 hours of analysis completion.
• Voice Recordings (Paid Reports): Retained for up to 30 days to enable report regeneration, then permanently deleted.
• Voice Heritage / Capsule Products: Retained for the contractual duration (10, 50, or perpetual years). Storage fees are included in the purchase price.
• Account Data: Retained for the duration of your account, plus 12 months after account closure.
• Analysis Reports: Available for download for 30 days by default. You are responsible for downloading your report upon receipt.
• Technical / Usage Logs: Retained for up to 90 days for security and debugging purposes.

You may request early deletion of your data at any time by contacting contact@oravys.com. Deletion requests are processed within 30 days.

6. Data Storage and Security

ORAVYS employs industry-standard security measures to protect your data:

• Encryption in Transit: All data transmitted between your browser and our servers is protected by TLS 1.3.
• Encryption at Rest: Data stored on our servers is encrypted with AES-256.
• Infrastructure: Hosted on Google Cloud Platform (europe-west1 region, EU). Secured with access controls, network segmentation, and continuous monitoring.
• Access Control: Employee access to user data is restricted on a need-to-know basis and protected by multi-factor authentication.

While we implement commercially reasonable measures to protect your data, no internet transmission or electronic storage method is 100% secure. We cannot guarantee absolute security against unauthorized intrusion.

7. Third-Party Sharing

We may share data only with trusted service providers necessary to operate the platform:

• Google Cloud Platform: Infrastructure hosting and data storage (EU region).
• Stripe: Payment processing. Stripe receives only the payment data necessary to complete your transaction.
• SendGrid: Email delivery for report notifications and service communications.
• Google Analytics: Anonymized usage statistics (IP anonymization enabled).

All third-party providers are bound by confidentiality and data processing agreements. We do not share data with third parties for their independent marketing purposes.

8. GDPR / RGPD Compliance

If you are located in the European Economic Area (EEA), the United Kingdom, or any jurisdiction with equivalent data protection laws, the following provisions apply:

8.1 Legal Basis for Processing

• Consent (Art. 6(1)(a) GDPR): We process your voice data based on your explicit consent, which you provide before initiating any recording or analysis. You may withdraw consent at any time.
• Contract Performance (Art. 6(1)(b)): Processing necessary to deliver the analysis report you requested and manage your account.
• Legitimate Interest (Art. 6(1)(f)): Anonymized, aggregated data used to improve model accuracy and maintain platform security. No individual re-identification is possible.
• Legal Obligation (Art. 6(1)(c)): Processing required to comply with applicable laws and regulations.

8.2 Special Category Data (Art. 9)

Voice recordings may constitute biometric data under GDPR Article 9. We process this data exclusively under explicit consent obtained via the recording consent mechanism before analysis. Data minimization and purpose limitation principles are strictly applied: voice data is used solely for generating your analysis report and is never used for speaker identification or surveillance.

8.3 Your Rights Under GDPR

You have the right to:

• Access (Art. 15): Request a copy of all personal data we hold about you, including voice recordings, analysis results, and account information.
• Rectification (Art. 16): Correct inaccurate or incomplete personal data.
• Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten"). Requests are processed within 30 days.
• Restriction (Art. 18): Request restriction of processing while a complaint is resolved.
• Data Portability (Art. 20): Receive your data in a structured, machine-readable format.
• Object (Art. 21): Object to processing based on legitimate interest.
• Withdraw Consent (Art. 7(3)): Withdraw consent at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact our Data Protection Officer at privacy@oravys.com. We will respond within 30 days as required by law.

8.4 International Data Transfers

Your data is processed on Google Cloud servers located in the European Union (europe-west1). In cases where data may be transferred outside the EEA, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission and implement appropriate technical safeguards.

8.5 Data Protection Officer

For all GDPR-related inquiries, you may contact our Data Protection Officer at privacy@oravys.com. If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority in your country of residence (GDPR Art. 77).

9. Privacy Settings and Consent Controls

ORAVYS provides a Privacy Settings dashboard with granular, reversible controls. Each setting can be changed at any time:

• "Use my data to improve ORAVYS models" -- Default: OFF. Only anonymized acoustic features would be used; raw audio is never used for training.
• "Share my anonymized results for academic research" -- Default: OFF. Fully anonymized, no re-identification possible.
• "Receive product updates and marketing" -- Default: OFF.

All privacy settings default to OFF (opt-in required), providing stronger protection than the industry standard of opt-out.

10. Zero Data Retention (ZDR) Mode

Enterprise and Pro users can activate Zero Data Retention mode:

• Audio is analyzed via real-time streaming; no copy is stored on ORAVYS servers.
• Only the generated report is delivered to you.
• No logs, metadata, or derived features are retained beyond the active session.
• Abuse detection occurs during processing only.

ZDR mode is designed for legal, healthcare, and government use cases. Contact enterprise@oravys.com to activate.

11. Cookies and Tracking

ORAVYS uses only essential cookies required for the platform to function:

• Session Cookies: Authentication tokens and session identifiers. Expire when you close your browser or after the session timeout period.
• Security Cookies: CSRF protection tokens to prevent cross-site request forgery.
• Preference Cookies: Language selection and display settings.

We do not use advertising cookies, cross-site tracking pixels, or third-party trackers that share data with advertisers. Google Analytics (with IP anonymization) is used for basic usage statistics. You can opt out via your browser settings, an ad blocker, or the Global Privacy Control (GPC) signal.

12. Global Privacy Control (GPC)

ORAVYS automatically detects and honors the Global Privacy Control (GPC) signal from your browser. When GPC is enabled:

• All optional analytics, tracking cookies, and performance metrics are disabled.
• Privacy settings default to their most restrictive configuration.
• No manual action is required from you.

13. Children's Privacy

ORAVYS does not knowingly collect data from children under 16 years of age. We do not permit analysis of voice recordings of minors under 16. If we become aware that we have processed a minor's data, we will immediately delete it and notify the parent or guardian if contact information is available.

14. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms:

• We will notify the relevant supervisory authority within 72 hours of becoming aware of the breach (GDPR Art. 33).
• If the breach is likely to result in a high risk to you, we will notify you directly without undue delay (GDPR Art. 34).
• Notification will include the nature of the breach, likely consequences, and measures taken to address it.

15. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email and/or a prominent notice on the platform at least 30 days before they take effect. The "Last Updated" date at the top reflects the most recent revision. Your continued use of the platform after changes take effect constitutes acceptance of the revised policy.

16. Contact Us

For privacy inquiries, data access requests, or concerns:

General: contact@oravys.com
Data Protection Officer: privacy@oravys.com
Enterprise / ZDR: enterprise@oravys.com

ORAVYS Ltd.
Jerusalem, Israel