Privacy Policy

1. Information We Collect

We collect the following categories of information when you use Vokso:

• Account information — your name and email address, provided via Google authentication through Clerk.
• Google Business Profile data — business locations, customer reviews, and review metadata (author display name, rating, date, language) fetched via the Google Business Profile API on your behalf.
• AI-generated content — draft responses generated by Anthropic's Claude based on your review data and the settings you configure.
• Settings and preferences — brand voice configuration, industry profile, alert preferences, and other settings you enter in the application.
• Usage data — logs of AI API calls (token count, estimated cost) for internal monitoring. No review content or personally identifiable information is included in these logs.

2. How We Use Your Information

• To fetch and display your Google Business Profile reviews within the Service.
• To generate AI-powered draft responses to your reviews using Anthropic's Claude API.
• To send email alerts about negative reviews via Resend.
• To automatically post approved responses back to Google Business Profile on your behalf.
• To maintain, secure, and improve the reliability of the Service.

We do not sell, rent, or share your data with third parties for advertising or marketing purposes.

3. Google User Data & Limited Use

Vokso uses the Google Business Profile API with the following OAuth scope:

This scope is used exclusively to:

• Read the list of business accounts and locations you manage on Google.
• Read customer reviews posted on those locations.
• Post replies to reviews on your behalf — only after your explicit approval (for negative reviews) or after your configured auto-send delay (for positive reviews).

Limited Use compliance. Vokso's use and transfer of information received from Google APIs to any other app adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

• We use your Google user data only to provide and improve the user-facing features of Vokso that you have explicitly requested.
• We do not use your Google user data to develop, improve, or train generalized or non-personalized AI/ML models.
• We do not transfer your Google user data to third parties, except as necessary to provide or improve the features you requested, for security purposes, to comply with applicable law, or as part of a merger, acquisition, or sale with notice to you.
• We do not use your Google user data for serving advertisements, including retargeting, personalized, or interest-based advertising.
• We do not allow humans to read your Google user data, except: (a) with your affirmative agreement for specific messages; (b) as necessary for security purposes such as investigating abuse; (c) to comply with applicable law; or (d) for internal operations where the data has been aggregated and anonymized.

Token storage. Your Google OAuth access and refresh tokens are encrypted with AES-256-GCM before being stored in our database. They are used solely to authenticate API calls to Google on your behalf and are never shared with any third party.

4. AI Processing (Anthropic Claude)

To classify review sentiment and generate draft replies, we send the following to Anthropic's Claude API:

• The text and rating of the review.
• Your brand voice settings and industry profile (content you control).
• The reviewer's public display name (if present on the review).
• The name of the location the review belongs to.

We do not send to Anthropic:

• Your Google OAuth tokens or any authentication credentials.
• Email addresses, phone numbers, or other contact details from your Google account.

Per Anthropic's API terms, inputs and outputs submitted via the API are not used to train Anthropic's models. Anthropic retains API data only for limited operational periods for safety, abuse detection, and debugging. See Anthropic's Privacy Policy and Commercial Terms.

5. Third-Party Services (Subprocessors)

We use the following third-party services to operate Vokso:

6. Data Retention

• Review content (text, author name, rating, sentiment): stored for a maximum of 30 calendar days from the moment we fetched it from Google, in line with the Google Business Profile API Policy. After 30 days the raw review record is deleted from our database.
• Aggregated statistics (per location, per day): retained while your account is active. These contain only counts (total reviews, responded count, rating distribution, sentiment distribution) — never the review text, author name, or any individual review identifier. Used solely to power your historical Analytics.
• OAuth tokens: deleted immediately when you disconnect Google from the Service or close your account.
• AI generation logs: retained up to 12 months (token counts and cost estimates only — never the review text or AI output).
• Account and settings: retained until account closure.

7. Revoking Access & Deleting Your Data

You can revoke Vokso's access to your Google Business Profile at any time through either of the following methods:

1. Within Vokso: Go to Settings → Connections → Disconnect Google. This immediately deletes the OAuth tokens stored in our database.
2. Directly with Google: Visit myaccount.google.com/permissions and remove Vokso from your list of connected apps.

To delete your Vokso account and all associated data, email privacy@vokso.io. We will confirm deletion within 30 days.

8. Security

We implement industry-standard security measures including AES-256-GCM encryption for OAuth tokens at rest, TLS in transit, least-privilege access controls, and signed webhook verification (QStash). No method of transmission over the internet or method of electronic storage is 100% secure.

9. International Transfers

Your data may be processed outside the European Economic Area by some of our subprocessors (see section 5). Where this occurs, we rely on the following safeguards:

• Standard Contractual Clauses (SCC) as published by the European Commission (Decision 2021/914).
• Adequacy decisions where applicable (e.g., for transfers to the United States under active frameworks).
• Technical safeguards: data encrypted in transit (TLS 1.2+) and at rest (AES-256).

10. Your Rights (GDPR)

As a company registered in Romania (EU), we comply with the General Data Protection Regulation (GDPR). You have the right to:

• Access the personal data we hold about you (right of access).
• Request correction of inaccurate data (right of rectification).
• Request deletion of your data (right to erasure).
• Request export of your data in a portable format (right to data portability).
• Restrict or object to specific processing activities.
• Withdraw consent at any time by disconnecting your Google account or closing your Vokso account.
• Lodge a complaint with the Romanian data protection authority (ANSPDCP — dataprotection.ro).

11. Cookies

Vokso uses only strictly necessary cookies required for authentication (session management via Clerk) and basic functionality. We do not use third-party analytics cookies, advertising cookies, or tracking pixels.

12. Children's Privacy

Vokso is a B2B service not intended for children under 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, contact us and we will delete it promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by email or by a prominent notice within the Service at least 14 days before they take effect.

14. Data Controller & Contact

The data controller responsible for your personal data is: