Privacy Policy

At MB Digisensus, we take your privacy seriously. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered call transcription and scoring platform. We are committed to protecting your personal data and complying with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

1. Data Controller Information

The data controller responsible for your personal data is:

• Company Name: MB Digisensus
• Location: Vilnius, Lithuania
• Email: [email protected]
• Data Protection Contact: [email protected]

As an EU-based company, we are subject to the GDPR and committed to upholding its principles in all our data processing activities.

2. Information We Collect

2.1 Information You Provide Directly

We collect information you voluntarily provide when using our Service:

• Account Information: Name, email address, company name, job title, and password when you create an account
• Audio Content: Audio recordings you upload for transcription and analysis
• Configuration Data: Scoring rules, custom instructions, and preferences you set up
• Communication Data: Messages you send through our support channels
• Payment Information: Billing details and payment method information (processed by secure payment providers)

2.2 Information Collected Automatically

When you access our Service, we may automatically collect:

• Log Data: IP address, browser type, operating system, referring URLs, pages viewed, and timestamps
• Device Information: Device type, unique device identifiers, and general location (country/city level)
• Usage Data: Features used, actions taken, and time spent on the platform
• Cookies and Similar Technologies: Essential cookies for functionality and optional analytics cookies (see Section 9)

2.3 Information from Third Parties

We may receive information from:

• Authentication Providers: If you sign in using third-party services
• Business Partners: Information from companies you authorize to share data with us
• Public Sources: Publicly available business information

3. Legal Basis for Processing

Under the GDPR, we process your personal data based on the following legal grounds:

3.1 Contract Performance (Article 6(1)(b) GDPR)

Processing necessary to provide you with our Service:

• Creating and managing your account
• Processing your audio files for transcription
• Generating scores and analytics
• Providing customer support

3.2 Legitimate Interests (Article 6(1)(f) GDPR)

Processing necessary for our legitimate business interests:

• Improving and optimizing our Service
• Ensuring security and preventing fraud
• Analyzing usage patterns to enhance user experience
• Marketing our services to existing customers

3.3 Legal Obligation (Article 6(1)(c) GDPR)

Processing required to comply with legal obligations:

• Tax and accounting requirements
• Responding to legal requests from authorities
• Complying with applicable regulations

3.4 Consent (Article 6(1)(a) GDPR)

Where required, we obtain your consent for:

• Marketing communications
• Non-essential cookies and analytics
• Processing special categories of data

4. How We Use Your Information

4.1 Service Delivery

• Transcribing audio recordings using AI technology
• Analyzing conversations and generating quality scores
• Detecting and labeling speakers in recordings
• Providing dashboards, reports, and analytics
• Storing and organizing your transcriptions

4.2 Account Management

• Creating and authenticating your account
• Managing user permissions and access
• Processing payments and billing
• Sending service-related notifications

4.3 Service Improvement

• Analyzing usage patterns to improve features
• Developing new capabilities
• Fixing bugs and technical issues
• Training and improving our AI models (only with anonymized data or explicit consent)

4.4 Communication

• Responding to your inquiries and support requests
• Sending important service updates
• Providing onboarding assistance
• Marketing communications (with your consent)

4.5 Security and Compliance

• Protecting against unauthorized access and fraud
• Monitoring for security threats
• Complying with legal obligations
• Enforcing our Terms of Service

5. Data Processing and Storage

5.1 EU-Based Processing

As an EU company committed to data protection, we prioritize EU-based data processing:

• Primary Infrastructure: Our core services run on EU-hosted servers in Lithuania and other EU locations
• Digisensus AI: Our proprietary AI processing infrastructure is located within the European Union
• Data Residency: Your audio files and transcriptions are stored within the EU by default

5.2 Third-Party Service Providers

We work with carefully selected third-party service providers who may process your data:

• Cloud Infrastructure: EU-based cloud providers for hosting and storage
• AI/ML Services: AI providers for transcription (we prioritize EU-based and GDPR-compliant providers)
• Payment Processors: Secure payment handling services
• Email Services: Transactional email delivery
• Analytics: Privacy-focused analytics tools

5.3 International Data Transfers

When data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards:

• Adequacy Decisions: Transfers to countries with adequate data protection
• Standard Contractual Clauses: EU-approved contractual protections
• Additional Safeguards: Technical and organizational measures as required

You may request information about specific transfer mechanisms by contacting us.

6. Data Retention

6.1 Retention Periods

We retain your data only as long as necessary:

• Account Data: Duration of your account plus 30 days after deletion
• Audio Files: As configured in your account settings (default: 90 days after processing)
• Transcriptions: Duration of your account (you can delete individual transcriptions)
• Analytics Data: Aggregated for 2 years; individual logs for 12 months
• Billing Records: 7 years (legal requirement)
• Support Communications: 3 years after resolution

6.2 Data Deletion

When data is no longer needed:

• Personal data is securely deleted or anonymized
• Backups are purged within 30 days of deletion request
• Aggregated, anonymized data may be retained for analytics

7. Your Rights Under GDPR

As an EU-based service, we fully support your data protection rights:

7.1 Right of Access (Article 15)

You can request a copy of all personal data we hold about you. We will provide this within 30 days.

7.2 Right to Rectification (Article 16)

You can correct inaccurate personal data or complete incomplete data through your account settings or by contacting us.

7.3 Right to Erasure (Article 17)

You can request deletion of your personal data when:

• The data is no longer necessary for its original purpose
• You withdraw consent (where consent was the legal basis)
• You object to processing and there are no overriding legitimate grounds
• The data was unlawfully processed

7.4 Right to Restriction (Article 18)

You can request we restrict processing of your data in certain circumstances.

7.5 Right to Data Portability (Article 20)

You can receive your data in a structured, machine-readable format and transfer it to another provider.

7.6 Right to Object (Article 21)

You can object to processing based on legitimate interests or for direct marketing purposes.

7.7 Rights Related to Automated Decision-Making (Article 22)

You have the right not to be subject to decisions based solely on automated processing that significantly affect you. Our AI-powered scoring is provided as a tool to assist human decision-making, not replace it.

7.8 Exercising Your Rights

To exercise any of these rights:

• Email us at [email protected]
• Use the data management features in your account settings
• We will respond within 30 days (extendable to 60 days for complex requests)
• We may verify your identity before processing requests

7.9 Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority. For Lithuania, this is:

• State Data Protection Inspectorate
• Address: L. Sapiegos str. 17, 10312 Vilnius, Lithuania
• Website: www.ada.lt

8. Data Security

8.1 Technical Measures

We implement robust security measures to protect your data:

• Encryption: Data encrypted in transit (TLS 1.3) and at rest (AES-256)
• Access Controls: Role-based access, multi-factor authentication options
• Infrastructure Security: Firewalls, intrusion detection, and regular security audits
• Secure Development: Security-focused development practices and code reviews

8.2 Organizational Measures

• Employee Training: Regular data protection and security training
• Access Limitation: Data access on a need-to-know basis
• Vendor Assessment: Security review of all third-party providers
• Incident Response: Documented procedures for security incidents

8.3 Data Breach Notification

In the event of a personal data breach:

• We will notify the relevant supervisory authority within 72 hours where required
• We will notify affected individuals without undue delay if the breach poses high risk
• We maintain detailed records of all breaches and our response actions

9. Cookies and Tracking Technologies

9.1 Types of Cookies We Use

Essential Cookies (Always Active):

• Authentication and session management
• Security features (CSRF protection)
• Basic functionality and preferences

Analytics Cookies (With Consent):

• Usage analytics to improve our Service
• Performance monitoring
• Error tracking and debugging

9.2 Managing Cookies

You can manage your cookie preferences:

• Through our cookie consent banner when you first visit
• Via your browser settings to block or delete cookies
• By contacting us to update your preferences

Note: Blocking essential cookies may affect Service functionality.

10. Special Categories of Data

Audio recordings may contain sensitive information revealed in conversations. We advise:

• Avoid uploading recordings containing sensitive health, religious, or political information unless necessary
• Ensure you have explicit consent from data subjects when processing sensitive data
• Consider redacting sensitive information before upload when possible

We process such data only as necessary to provide transcription services and do not use it for any other purpose.

11. Children's Privacy

Our Service is not directed to individuals under 16 years of age. We do not knowingly collect personal data from children. If you believe we have inadvertently collected such data, please contact us immediately for deletion.

12. Third-Party Links and Services

Our Service may contain links to third-party websites or integrate with third-party services. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies.

13. Business Customers and Data Processing

13.1 Controller vs. Processor

When you use our Service:

• You (the Customer) are the data controller for the audio content and personal data within recordings
• We (Digisensus) act as a data processor, processing data on your behalf according to your instructions
• For your account data, we act as the data controller

13.2 Data Processing Agreement

Business customers may require a Data Processing Agreement (DPA). Our standard DPA:

• Complies with GDPR Article 28 requirements
• Includes Standard Contractual Clauses for international transfers
• Specifies technical and organizational security measures
• Is available upon request at [email protected]

14. Changes to This Privacy Policy

We may update this Privacy Policy periodically. When we make changes:

• We will update the "Last updated" date at the top
• For material changes, we will notify you via email or in-app notification
• We encourage you to review this policy regularly

Your continued use of the Service after changes constitutes acceptance of the updated policy.

15. Contact Us

For privacy-related questions, requests, or concerns:

• General Inquiries: [email protected]
• Privacy/Data Protection: [email protected]
• Data Subject Requests: [email protected]

Company Address:

MB Digisensus
Vilnius, Lithuania

We aim to respond to all inquiries within 5 business days and to formal data subject requests within 30 days.