Privacy policy
How we collect, use and protect your information.
Last updated · May 13, 2026
TL;DR — The 4 things that matter most
- We record sessions only while CauceOS is active, with your consent and the other participant's (the bot announces its presence when it joins). You control those recordings.
- We never sell your data. Ever. We share it only with the technical providers that make the service work, all under confidentiality agreements.
- You have full control: you can access, correct, export, and delete your data from
/app/settings/dataor by emailingprivacy@cauceos.com. We respond within 30 days. - Transcripts are automatically deleted after 90 days unless you configure a different retention period. Reports are kept for 1 year by default.
Table of Contents
- Who we are
- Information we collect
- How we use that information
- Sharing information with third parties
- Legal bases for processing
- Your rights
- Data retention
- Security
- International transfers
- Children's privacy
- Cookies and similar technologies
- Changes to this policy
- How to contact us
1. Who we are {#who-we-are}
CauceOS LLC (Florida, USA, in the process of formal incorporation) operates the service available at cauceos.com. CauceOS is an AI assistant designed for mental health and HR professionals who conduct 1-on-1 virtual sessions.
The data controller for your personal data is CauceOS LLC. During the period prior to formal LLC incorporation, the individual controller is Felix Gonzalez.
Contact information:
- Privacy and data rights:
privacy@cauceos.com - Data Protection Officer (DPO):
dpo@cauceos.com - Legal notices:
legal@cauceos.com - General:
hello@cauceos.com - Legal address: CauceOS LLC, Florida, USA
2. Information we collect {#information-we-collect}
2.1 Account information
When you register and configure your account, we collect:
- Professional identity: full name, email address, organization or clinic, professional role (psychologist, therapist, coach, HR professional, etc.) and specialty.
- Product preferences: interface language, market locale, active templates, alert configuration.
- Payment information: processed directly by our certified payment provider. We only store the last four digits of the payment instrument, plan type, next billing date, and transaction references.
2.2 Session information
CauceOS processes information during and after each session:
- Real-time audio: captured by the bot when joining your virtual session. Audio is not stored as a full audio file — it is streamed for processing and discarded after transcription, unless you enable the recording option in your settings.
- Transcript: text generated from the audio, with timestamps and speaker labels (e.g., "Professional", "Participant").
- Triggered alerts: alert type, timestamp, context snippet that triggered it.
- Generated suggestions: questions or notes suggested by the system during the session.
- Post-session reports: documents generated (SOAP, DAP, candidate assessment, etc.) from the transcript.
2.3 Technical information
To operate and improve the service, we collect:
- IP address, user agent (browser and operating system), browser language.
- Access timestamps, errors, and technical events.
- Anonymized usage events: pages visited, features used, session duration (no conversation content).
2.4 Information we do not collect
- We do not collect biometric data from session participants.
- We do not create profiles of the patients or employees who appear in sessions — participants are anonymous to CauceOS.
- We do not access your camera or any video content from the session.
3. How we use that information {#how-we-use-information}
We use your information exclusively to:
- Provide the service: process audio, generate transcripts, trigger alerts, produce suggestions, and generate post-session reports according to your configuration.
- Manage your account and subscription: billing, support, transactional communications (payment confirmations, renewal notices, security alerts).
- Improve the product in aggregate: we analyze anonymized usage metrics (without session content or identifying data) to understand which features are most useful and to improve them. We never use your session content to train AI models.
- Meet legal obligations: retention of tax records, responding to legitimate authority requests, and protecting legal rights.
- Platform security: detecting unauthorized access, preventing fraud, and protecting service availability.
4. Sharing information with third parties {#sharing-with-third-parties}
We do not sell or rent your data to anyone.
We work with service providers that process data on our behalf, to the minimum extent necessary to operate the service. All of them have confidentiality and data processing agreements equivalent to or stricter than ours. The complete, up-to-date list is available at /sub-processors.
Current sub-processor categories:
- Cloud hosting provider (frontend and APIs): hosts the web application and public APIs.
- Worker infrastructure provider: runs audio processing, rules engine, and real-time suggestion generation.
- Speech-to-text transcription provider: converts session audio to text. Does not store audio or transcripts, and does not use your content to train models.
- Language model provider (live suggestions): generates contextual questions during the session. Has a non-training agreement for your data.
- Language model provider (post-session reports): generates reports. Has a non-training agreement for your data.
- Virtual video bot provider: joins Google Meet, Microsoft Teams, and Zoom sessions as a participant to capture audio.
- File storage provider: stores archived transcripts and PDF reports, encrypted with AES-256.
- Primary payment provider: processes subscriptions and recurring charges. PCI DSS Level 1 certified.
- Secondary payment provider: alternative payment processor. PCI DSS Level 1 certified.
- Transactional email provider: sends confirmation emails, invoices, and notifications. Implements SPF/DKIM/DMARC.
- Authentication and identity provider: manages sign-in, MFA, and user sessions.
- Product analytics provider: measures product usage with anonymized data (no session content). GDPR-compliant and privacy-by-design.
- Error monitoring provider: logs technical errors. Personal data is filtered before ingestion.
We may disclose information if required by law, court order, or competent authority, or to protect the rights, property, or safety of CauceOS, our users, or the public. In those cases, we notify you when permitted by law.
5. Legal bases for processing {#legal-bases}
Depending on your jurisdiction, the processing of your data relies on the following legal bases:
For users in the European Union and the United Kingdom (GDPR / UK GDPR)
| Type of processing | Legal basis |
|---|---|
| Account registration and management | Performance of a contract (Art. 6.1.b) |
| Session recording and transcription | Explicit consent (Art. 6.1.a) |
| Alert generation and reports | Performance of a contract (Art. 6.1.b) |
| Anonymized product analytics | Legitimate interest (Art. 6.1.f) |
| Security and fraud prevention | Legitimate interest (Art. 6.1.f) |
| Retention of tax records | Legal obligation (Art. 6.1.c) |
| Transactional communications | Performance of a contract (Art. 6.1.b) |
For special category data (health information implicit in psychology sessions), processing is based on your explicit consent (Art. 9.2.a GDPR).
You have the right to withdraw your consent at any time without affecting the lawfulness of processing carried out before withdrawal.
For users in California (CCPA / CPRA)
We do not sell or share your personal data as defined by law. We do not use your data for cross-context behavioral advertising. You have the right to:
- Know what personal data we hold about you.
- Access that data.
- Request its deletion.
- Opt out of any "sale" or "sharing" of data (not applicable to our business model, but the right exists).
- Not be discriminated against for exercising your rights.
For users in Brazil (LGPD)
Processing is based on contract performance, consent for sensitive data processing (Art. 11), and legitimate interest for security and aggregated analytics.
For users in other jurisdictions
We apply the data protection principles set out in the applicable regulations for each jurisdiction: explicit consent, declared purpose, proportionality, security, and the right to access and erasure. If you have questions about your specific jurisdiction, write to us at privacy@cauceos.com.
6. Your rights {#your-rights}
You have the following rights over your personal data, exercisable at any time:
| Right | What it means | How to exercise it |
|---|---|---|
| Access | Know what data we hold about you and receive a copy | /app/settings/data panel or email privacy@cauceos.com |
| Rectification | Correct inaccurate or incomplete data | /app/settings/profile panel or email |
| Erasure | Request deletion of your data ("right to be forgotten") | /app/settings/data panel → "Delete my account and data" |
| Objection | Object to processing based on legitimate interest | Email privacy@cauceos.com |
| Portability | Receive your data in a structured, machine-readable format (JSON / CSV) | /app/settings/data panel → "Export my data" |
| Restriction | Request that we limit processing while a dispute is being resolved | Email privacy@cauceos.com |
| No automated decisions | Object to decisions based solely on automated processing | Email privacy@cauceos.com (applies under GDPR Art. 22) |
| Withdraw consent | Revoke consent given at any time | /app/settings/data panel or email |
Response time: maximum 30 days. If the request is complex, we may extend the deadline by another 30 days with prior notice explaining the reason.
Complaints: if you believe we have not properly handled your request, you have the right to file a complaint with the data protection authority in your jurisdiction (e.g., ICO in the UK, CNIL in France, AEPD in Spain, ANPD in Brazil).
7. Data retention {#data-retention}
We retain your data for the minimum time necessary to fulfill the purpose for which it was collected:
| Data type | Default retention | Configurable |
|---|---|---|
| Session transcripts | 90 days | Yes — from /app/settings/data |
| Post-session reports | 1 year | Yes — from /app/settings/data |
| Audio (if recording option enabled) | 30 days | Yes |
| Encrypted backups (cold storage) | 30 days after active deletion | No |
| Internal audit logs | 2 years | No (compliance) |
| Billing records | 7 years | No (tax obligation) |
| Inactive account | Notification at 12 months → deletion at 13 months | No |
When you request account deletion, we begin the process within a maximum of 30 days. Billing data and security audit logs are retained for the minimum legally required period.
8. Security {#security}
We implement robust technical and organizational measures to protect your information:
- Encryption in transit: TLS 1.3 for all communications between your device, our servers, and sub-processors.
- Encryption at rest: AES-256 for archived transcripts, reports, and backups.
- Access control: principle of least privilege. Only strictly necessary personnel access production data, with mandatory multi-factor authentication (MFA).
- Audit logging: all access to sensitive data is logged and auditable.
- Incident response: documented response plan. In the event of a breach affecting your data, we notify you within a maximum of 72 hours of detection.
- Security reviews: periodic audits of code, dependencies, and infrastructure configuration.
For more technical details, visit our Security page.
9. International transfers {#international-transfers}
CauceOS is incorporated in the United States and may process data on servers located in the US, the European Union (via some sub-processors' edge nodes), and other regions where our sub-processors operate.
For transfers of data from the European Economic Area (EEA) or the United Kingdom to countries without an adequacy decision, we apply Standard Contractual Clauses (SCCs) approved by the European Commission, along with additional technical measures (end-to-end encryption, data minimization).
For more information about the safeguards applied to international transfers, write to privacy@cauceos.com.
10. Children's privacy {#childrens-privacy}
CauceOS is intended exclusively for adult professionals. We do not provide the service to people under 18 years of age.
If a session involves a minor as a participant (for example, family therapy or child therapy supervised by the professional), responsibility for parental or guardian consent falls entirely on you as the professional, in accordance with the laws and ethical codes of your jurisdiction.
If we have reason to believe a user has created an account while being a minor, we delete that account and its data within 30 days.
11. Cookies and similar technologies {#cookies}
We use only strictly necessary cookies for the operation of the service. We do not use third-party tracking cookies or behavioral advertising.
| Cookie | Purpose | Retention |
|---|---|---|
session_token | Maintain your authenticated session | Session duration / 30 days if "Remember me" is checked |
locale_preference | Remember your language preference | 1 year |
csrf_token | Protection against CSRF attacks | Session duration |
We do not use Google Analytics, Meta Pixel, or any advertising tracking technology. The product analytics we use is a privacy-by-design solution that does not set third-party cookies and anonymizes IPs before storing them.
12. Changes to this policy {#changes}
This policy is versioned. The current version is 1.0 (May 13, 2026).
If we make material changes (for example, new categories of data, new sub-processors, changes to your rights), we will notify you by email and from within the app with at least 30 days' notice before the changes take effect.
For non-material changes (typographical corrections, wording clarifications), we update the "Last updated" date without prior notice.
You can view the complete history of changes to this policy at legal@cauceos.com.
13. How to contact us {#contact}
| Channel | Use |
|---|---|
privacy@cauceos.com | Exercise your rights, privacy inquiries |
dpo@cauceos.com | Data Protection Officer (GDPR/LGPD inquiries) |
legal@cauceos.com | Formal legal notices |
hello@cauceos.com | General support |
/app/settings/data | Access, export, and delete data from the dashboard |
Legal address: CauceOS LLC, Florida, USA (full address available at legal@cauceos.com).
For complaints to supervisory authorities: if you are a user in the European Union or the United Kingdom, you have the right to lodge a complaint with the data protection authority of your country (ICO, CNIL, AEPD, etc.) without prejudice to any other administrative or judicial remedy.