Legal

Privacy Policy

Last updated: May 26, 2026 · Version 3.0

1. Who We Are

Voco ("Voco," "we," "us," or "our") is an AI-powered interview practice platform operated by Ryan Rahamin as a sole proprietorship. Our platform is accessible at vocohq.com.

Privacy contact: hello@vocohq.com

2. Scope of This Policy

This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you use Voco. It applies to all users of vocohq.com and any related services.

EU, EEA, or UK residents: Additional rights and disclosures apply under the General Data Protection Regulation (GDPR) and UK GDPR. These are noted throughout this policy.

California residents: Additional rights apply under the CCPA/CPRA. See Section 13.

Illinois residents: Additional disclosures regarding voice data apply under the Illinois Biometric Information Privacy Act (BIPA). See Section 5.3.

3. Data We Collect

3.1 Account and Identity Data

Full name
Email address
Password (stored as a one-way cryptographic hash — we never have access to your plain-text password)
Marketing communication preferences and consent timestamp

3.2 Resume and Career Data

Resume files you upload (PDF or DOCX)
Parsed resume content: name, contact information, work history, education, skills
Job descriptions you upload or paste
Target role and company information

3.3 Interview and Performance Data

Full interview transcripts (complete text records of your conversations with Aria)
Interview scores across five dimensions: relevance, structure, specificity, delivery, and confidence
Model answers generated based on your resume and target role
Smart Feedback pattern analysis across sessions
Interviewer personas you create
Session metadata: difficulty level, mode (voice/text), duration, date, completion status

3.4 Voice and Audio Data

When you use Voice Mode:

Your spoken words are captured via your device microphone
Audio is transmitted in real time to Deepgram for speech-to-text transcription
We do not store raw audio files. Audio is processed in real time and discarded immediately after transcription
We do not create voice profiles, voiceprints, or biometric identifiers from your audio. Deepgram performs transcription only — no speaker identification, voice matching, or biometric analysis is performed
The text transcription is stored as part of your interview transcript

See Section 5.3 for Illinois BIPA disclosures.

3.5 Payment and Billing Data

Subscription tier and status. Payment processing is handled entirely by Stripe. We do not store credit card numbers, bank account details, or CVV codes. Stripe's privacy policy governs your payment data: stripe.com/privacy.

3.6 Usage and Technical Data

Pages visited and features used within the application
Browser type and version
Device type
IP address (used for rate limiting and security; not used for behavioral advertising or profiling; not retained in identifiable form beyond 30 days)
Authentication tokens and session identifiers (managed via secure cookies)

3.7 Communications

Messages submitted through our contact form and email correspondence with our team.

4. How We Use Your Data

Purpose	Legal Basis (GDPR)
Creating and maintaining your account	Performance of contract
Running interview sessions and generating questions	Performance of contract
Scoring your answers and generating model answers	Performance of contract
Processing Voice Mode (transcription via Deepgram)	Performance of contract
Processing payments and managing subscriptions	Performance of contract
Sending transactional emails (debrief summaries, account notices)	Performance of contract
Preventing fraud, abuse, and unauthorized access	Legitimate interests
Rate limiting to protect service availability	Legitimate interests
Improving the platform using aggregated, non-identifiable usage data	Legitimate interests
Sending marketing emails	Consent (opt-in at signup only)
Complying with legal obligations	Legal obligation

4.1 What We Do Not Do With Your Data

We do not use your resume, transcripts, or interview data to train AI models
We do not use your data for advertising or behavioral profiling
We do not sell your personal data to any third party
We do not use your interview performance data to make employment decisions about you
We do not share your data with employers, recruiters, or any employment-related third parties

5. Special Categories of Data

5.1 Voice Data and GDPR

Under GDPR, voice recordings may constitute personal data. We process voice audio solely for real-time transcription. We do not process voice data to identify, profile, or track individuals. Audio files are not retained. The legal basis for voice processing is performance of contract (providing the Voice Mode feature you have requested).

5.2 Resume Data

Resumes may contain sensitive personal information including contact details, employment history, and in some cases health or other sensitive data. We process resume data solely to personalize your interview practice sessions. You should avoid uploading government identification numbers, financial account credentials, or detailed medical information beyond what is reasonably included in a standard resume.

5.3 Illinois Biometric Data Disclosure (BIPA)

If you are an Illinois resident, the following disclosures apply under the Illinois Biometric Information Privacy Act:

What we process: When you use Voice Mode, your speech is captured and transmitted to Deepgram for transcription. Deepgram produces text output only and does not create voiceprints or biometric identifiers. We do not collect, store, or use voiceprints or biometric identifiers derived from your voice.

Retention: Audio data is processed in real time and not stored. No biometric identifiers derived from voice are retained at any point.

No sale: We do not sell, lease, trade, or profit from any biometric data or identifiers.

Consent: By enabling Voice Mode, you consent to the real-time audio transcription described in this policy. You may withdraw this consent at any time by switching to Text Mode in your interview settings.

For questions about this disclosure, contact hello@vocohq.com.

6. Who We Share Your Data With

We share data only with the following trusted service providers ("sub-processors") and only to the extent necessary to provide the service:

Provider	Purpose	Data Shared	Privacy Policy
Anthropic	AI interview engine — generates questions, responses, scoring, model answers	Interview transcripts, resume data, job description content	anthropic.com/privacy
OpenAI	Text-to-speech synthesis (Aria's voice in Voice Mode)	Text of Aria's responses only	openai.com/privacy
Deepgram	Real-time speech-to-text transcription in Voice Mode	Audio stream (not retained by Deepgram beyond transcription)	deepgram.com/privacy
Supabase	Database, authentication, and resume file storage	All app data	supabase.com/privacy
Stripe	Payment processing	Billing information	stripe.com/privacy
Vercel	Application hosting and deployment	Request logs, IP addresses	vercel.com/legal/privacy-policy
Resend	Transactional email delivery	Email address, name	resend.com/legal/privacy-policy
Upstash	Rate limiting (Redis)	User ID, request counts	upstash.com/privacy

We may disclose personal data when required by law, court order, or governmental authority, or to protect the rights, property, or safety of Voco, our users, or the public. We will notify you of such disclosures where legally permitted.

7. Data Retention

Data Type	Retention Period
Account and profile data	Until account deletion
Resume files and parsed data	Until account deletion or manual deletion
Interview sessions and transcripts	Until account deletion
Smart Feedback analysis	Until account deletion
Voice audio	Not retained — discarded after real-time transcription
Payment transaction records	7 years (legal and tax requirement)
Contact form submissions	2 years
Server and application logs	30 days (Vercel platform default)
IP addresses in logs	Not retained in identifiable form beyond 30 days

When you delete your account, we permanently delete your profile, all sessions, all transcripts, all resumes, all personas, and all associated data. Payment records are retained only as required by applicable law.

8. Cookies and Tracking

We use Supabase authentication cookies that are strictly necessary for the service to function. We may also use Vercel Analytics to collect privacy-focused, aggregate usage metrics not intended to directly identify individual users. We do not use advertising cookies, retargeting pixels, behavioral tracking tools, or social media tracking scripts. For full details, see our Cookie Policy.

9. Data Security

We implement the following measures to protect your data:

All data in transit is encrypted using TLS/HTTPS
Passwords are cryptographically hashed; plain-text passwords are never accessible to us
Resume files are stored in a private storage bucket with row-level security — not publicly accessible
Your data is isolated to your account via row-level security at the database level
API rate limiting protects against unauthorized automated access
We do not log personally identifiable information such as names or email addresses in server logs

No system is completely secure. Despite our measures, we cannot guarantee absolute security. If you discover a security vulnerability in Voco, please report it responsibly to hello@vocohq.com.

9.1 Data Breach Notification

In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify affected users without undue delay and, where required by applicable law (including GDPR Article 33), notify the relevant supervisory authority within 72 hours of becoming aware of the breach.

10. Your Rights

10.1 All Users

Access: View all your data within the Voco app at any time
Deletion: Permanently delete your account and all data via Settings → Billing → Delete Account
Correction: Update your name and account information in Settings → Account
Data export: Contact hello@vocohq.com to request a copy of your data in a structured format

10.2 EU/EEA/UK Users — GDPR Rights

In addition to the above:

Object to processing based on legitimate interests
Restrict processing in certain circumstances
Withdraw consent at any time for consent-based processing — use the unsubscribe link in any marketing email or contact us
Data portability in a structured, machine-readable format
Lodge a complaint with your national Data Protection Authority

To exercise any GDPR right, contact hello@vocohq.com. We will respond within 30 days.

10.3 International Data Transfers

Voco and its sub-processors are primarily based in the United States. If you are in the EU/EEA/UK, your data is transferred to and processed in the United States. We rely on Standard Contractual Clauses (SCCs) approved by the European Commission for such transfers where required. Our sub-processors maintain their own transfer mechanisms as described in their respective privacy policies.

11. AI and Automated Processing

11.1 How AI Is Used

Voco uses AI systems (provided by Anthropic) to conduct mock interviews, evaluate your responses, generate scores, and produce model answers. This automated processing produces feedback about your practice interview performance.

11.2 Practice Only — Not Employment Decisions

Voco's AI evaluations are for personal practice and self-improvement only. They are not used to make decisions about your employment, career prospects, professional qualifications, or fitness for any role. They are not shared with employers, recruiters, or any employment-related parties.

11.3 EU AI Act Notice

AI systems used for employment decision-making are classified as high-risk under the EU AI Act (Annex III, Section 4). Voco is a personal practice tool and is not deployed as an employment screening or candidate evaluation system. We do not provide our platform or its outputs to employers or recruiters for use in hiring processes. Users are expressly prohibited from using Voco outputs in employment decision-making (see our Acceptable Use Policy).

11.4 No AI Training on Your Data

We do not use your resume, job descriptions, interview transcripts, performance scores, or any other personal data to train, fine-tune, or improve any AI model operated by Voco or any third party.

12. Children's Privacy

Voco is not directed at children under the age of 16. We do not knowingly collect personal data from anyone under 16. If you believe we have inadvertently collected data from a minor under 16, contact us immediately at hello@vocohq.com and we will delete it promptly.

13. California Residents — CCPA/CPRA Rights

California residents have the following rights:

Right to Know — request disclosure of categories and specific pieces of personal information collected
Right to Delete — request deletion via the in-app account deletion feature or by contacting us
Right to Correct — request correction of inaccurate personal information
Right to Opt-Out of Sale/Sharing — we do not sell or share personal information for cross-context behavioral advertising
Right to Limit Use of Sensitive Personal Information — contact us to limit use of sensitive personal information beyond providing the service
Right to Non-Discrimination — we will not discriminate against you for exercising your privacy rights

Categories of personal information collected: Identifiers (name, email), professional/employment information (resume data), internet and electronic network activity (usage data), audio data (voice, processed in real time and not retained), and inferences drawn from the above (interview performance scores).

Do Not Sell or Share My Personal Information: We do not sell personal information. We do not share personal information for cross-context behavioral advertising.

To exercise California rights, contact hello@vocohq.com with subject line "California Privacy Request." We will respond within 45 days.

14. Changes to This Policy

We may update this Privacy Policy. When we make material changes, we will notify you by email and update the "Last updated" date. Continued use after the effective date constitutes acceptance of the updated policy.

15. Contact

Email: hello@vocohq.com

Website: vocohq.com

We aim to respond to all privacy inquiries within 5 business days and to fulfill data subject requests within 30 days (45 days for California residents).