Privacy policy

The data controller for personal data is Innovation Data, SASU with capital of €1,000, SIREN 100895051, RCS Dunkerque.

Contact: contact@vokal.fr

For any question regarding data protection, you can write to this address with « GDPR » in the subject line.

Vokal only collects data necessary for the provision of the service:

• Account data: first name, last name, email address, hashed password, company, role. • Billing data: billing address, VAT number, payment methods (managed by our provider Stripe, never stored on our servers). • Audio recordings: meetings captured via the application or the Plaud Note Pro, encrypted end-to-end. • Generated quotes: content extracted by AI (client, services, amounts) and produced PDF files. • Technical data: IP address, browser, operating system, for security and anonymized audience measurement purposes.

Data is processed for the following purposes:

• Service provision (contract performance): account creation, quote generation, technical support. • Billing and accounting (legal obligation): issuing invoices, retention for 10 years. • Security and fraud prevention (legitimate interest): detection of abnormal usage, access logging. • Continuous service improvement (legitimate interest): aggregated and anonymized analyses on product usage. • Product communication (consent): newsletter, feature announcements — unsubscribe possible at any time.

User data, audio recordings, and generated quotes are hosted in France on GDPR-compliant infrastructure.

For the Vokal Healthcare plan, hosting is HDS certified (Healthcare Data Hosting), in accordance with French ASIP Santé requirements.

Communications between the application and our servers are encrypted via TLS 1.3. Audio recordings and quotes are encrypted at rest with keys managed in France.

Passwords are hashed with the bcrypt algorithm and are never stored in plain text.

Vokal relies on the following subprocessors, governed by GDPR-compliant data processing agreements:

• Vercel Inc. (USA): hosting of the marketing website vokal.fr — standard contractual clauses. • Stripe Payments Europe (Ireland): payment processing — PCI-DSS certified. • Resend / SendGrid: transactional email delivery. • Anthropic (USA): AI engine for quote generation — data encrypted in transit, no long-term storage on Anthropic's side. • French HDS hosting provider (Healthcare plan): name communicated upon request.

The complete list is available upon request at contact@vokal.fr.

The following retention periods apply:

• Account data: for the entire subscription duration, then 30 days after termination to allow reactivation. • Audio recordings: 90 days after the quote is generated, then automatic deletion (unless explicit request for extended retention by the Customer). • Generated quotes: for the entire subscription duration, then 12 months after termination, unless an early deletion request is made. • Invoices: 10 years, in accordance with legal accounting obligations. • Connection data (logs): 12 months, in accordance with French LCEN.

In accordance with the GDPR (articles 15 to 22) and the French Data Protection Act, you have the following rights regarding your personal data:

• Right of access: obtain confirmation that your data is being processed and receive a copy. • Right of rectification: have inaccurate or incomplete data corrected. • Right to erasure: request the deletion of your data in cases provided for by the GDPR. • Right to restriction: temporarily restrict the processing of your data. • Right to portability: receive your data in a structured, commonly used and machine-readable format. • Right to object: object to the processing of your data on legitimate grounds. • Right to define post-mortem directives: organize the fate of your data after death.

To exercise these rights, write to contact@vokal.fr specifying the nature of your request. A response will be provided within a maximum of one month.

The vokal.fr website uses a minimal number of cookies:

• Strictly necessary cookies: user session, security, language preferences. These cookies do not require consent. • Audience measurement cookies: aggregated anonymized statistics (no individual tracking). You can refuse them via your browser settings.

No third-party advertising or profiling cookies are placed.

If you believe your rights are not being respected, you can file a complaint with the French Data Protection Authority (CNIL):

CNIL — 3 Place de Fontenoy — TSA 80715 — 75334 PARIS CEDEX 07 Phone: +33 1 53 73 22 22 Website: cnil.fr

Vokal reserves the right to modify this policy at any time, to adapt to regulatory changes or new services offered.

Any substantial modification will be notified to you by email at least 30 days before its entry into force. The last update date is indicated at the top of this document.