Effective Date: March 25, 2025
1. Introduction
Vinyl ("we," "us," "our") is committed to protecting your privacy and ensuring the security of your personal data. This Privacy Policy explains how we collect, use, store, and share your data in compliance with the General Data Protection Regulation (GDPR), the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth), and other applicable data protection laws.
2. Information We Collect
We collect and process the following types of personal data:
- Personal Information: Name, email address, phone number, and account credentials.
- Meeting Data: Audio recordings, transcriptions, summaries, and action items.
- Usage Data: Session duration, features used, and IP address for analytics.
- Payment Information: If applicable, we collect payment details for subscriptions.
- Technical Data: Browser type, device information, and location data.
3. Legal Basis for Data Processing
We process personal data under the following legal bases:
- Performance of a contract: To provide our services to you.
- Legitimate interests: To improve our services and ensure security.
- Consent: Where required, such as for marketing communications.
- Compliance with legal obligations: To meet regulatory requirements.
4. How We Use Your Data
We use your data to:
- Provide and improve Vinyl's transcription and summarization services.
- Customize features and enhance user experience.
- Communicate updates, support, and security notices.
- Prevent fraud and maintain security compliance.
5. Data Storage & Security
Where Your Data is Stored
- Primary storage: AWS servers located in Australia.
- Processing: Meeting transcriptions and summaries are processed using third-party AI providers, which are hosted on servers in the United States.
Security Measures
We employ the following security practices:
- Data encryption at rest and in transit (AES-256 and TLS 1.2+).
- Multi-Factor Authentication (MFA) enforced for data access.
- Penetration testing to identify and resolve security vulnerabilities.
- Access control policies to prevent unauthorized use.
- Cybersecurity insurance and business continuity plans to mitigate risks.
Detailed Security Practices
To provide greater transparency about our security measures:
- Data Encryption: All meeting recordings and transcriptions are encrypted both in transit and at rest using industry-standard AES-256 encryption. API communications use TLS 1.2+ with strong cipher suites.
- Access Controls: We implement role-based access controls (RBAC) within our organization. Only authorized personnel with a legitimate business need can access user data, and all access is logged and regularly audited.
- Authentication Security: We enforce strong password policies, multi-factor authentication, and regular credential rotation for all systems handling customer data.
- Regular Security Assessments: We conduct quarterly vulnerability scans and annual penetration testing by independent security firms.
- Employee Training: All staff undergo regular security awareness training and are bound by confidentiality agreements.
- Incident Response: We maintain a formal incident response plan with designated team members and documented procedures for addressing potential security incidents.
6. International Data Transfers
When transferring personal data outside Australia or the European Economic Area (EEA), we ensure adequate safeguards, including Standard Contractual Clauses (SCCs) where applicable, in compliance with GDPR and the Australian Privacy Act.
7. Data Sharing & Third-Party Providers
We share data with trusted third-party providers strictly for service improvement:
- AI Service Providers (US-based) – Used for transcription and summarization.
- Payment Processors – For handling billing transactions securely.
- Legal Compliance – If required by law or to enforce our policies.
All third-party providers are SOC 2, GDPR, and ISO 27001:2022 certified, ensuring compliance with global privacy laws.
8. Third-Party Integration APIs and AI/ML Training
Google Workspace API Usage
We explicitly affirm that Google Workspace APIs are not used to develop, improve, or train generalized/non-personalized AI and/or ML models. Any data accessed through Google Workspace APIs is used solely for the purpose of providing our service functionality to the specific user or organization that authorized the access.
Microsoft 365 API Usage
Similarly, we explicitly affirm that Microsoft 365 APIs are not used to develop, improve, or train generalized/non-personalized AI and/or ML models. Any data accessed through Microsoft 365 APIs is used solely for the purpose of providing our service functionality to the specific user or organization that authorized the access.
Zoom API Usage
We explicitly affirm that Zoom APIs are not used to develop, improve, or train generalized/non-personalized AI and/or ML models. Any data accessed through Zoom APIs is used solely for the purpose of providing our service functionality to the specific user or organization that authorized the access.
9. Data Retention & User Rights
Retention Policy
We retain your data for as long as your account is active or as needed to provide you with our services. We will retain and use your information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements, but not longer than legally required or necessary for legitimate business purposes.
Your Data Subject Rights
Under GDPR and similar data protection laws, you have the following rights:
- Right to Access: You can request a copy of your personal data that we hold.
- Right to Rectification: You can request correction of inaccurate or incomplete personal data.
- Right to Erasure: You can request deletion of your personal data in certain circumstances.
- Right to Restrict Processing: You can request restriction of processing in certain circumstances.
- Right to Data Portability: You can request a copy of your data in a structured, machine-readable format and transmit it to another controller.
- Right to Object: You can object to processing based on legitimate interests, direct marketing, or research/statistical purposes.
- Rights Related to Automated Decision-Making: You can request human intervention in automated decision-making that significantly affects you.
To exercise any of these rights, please contact hello@usevinyl.com. We will respond to your request within 30 days.
Detailed Opt-Out Procedures
To opt out of specific data processing activities:
- Log in to your Vinyl account and navigate to "Privacy Settings"
- Toggle off the specific data processing activities you wish to opt out of
- For AI-powered features, select "Disable AI Processing"
- For marketing communications, select "Unsubscribe from all marketing"
- For analytics tracking, select "Disable usage analytics"
For assistance with these settings, contact hello@usevinyl.com.
Data Portability
Users can request an export of their data in machine-readable formats by emailing a data portability request to hello@usevinyl.com. We will process the export within 30 days.
10. Cookies & Tracking Technologies
Vinyl may use cookies, tracking pixels, and similar technologies to improve user experience, track service usage, and analyze traffic. Third-party analytics services may also collect anonymized usage data for performance monitoring.
Types of Cookies We Use
- Essential Cookies: Necessary for the platform to function properly (e.g., authentication, security). These cannot be disabled.
- Functional Cookies: Enable enhanced functionality and personalization (e.g., language preferences, remembering user settings).
- Analytics Cookies: Help us understand how visitors interact with our platform by collecting anonymous information.
- Performance Cookies: Collect information about how users interact with our platform to help improve its functionality.
Users can manage cookie preferences through:
- Our cookie banner upon first visit
- Browser settings
- Our preference center accessible via the footer of our website
For a more comprehensive description of our cookie practices, please refer to our separate Cookie Policy, available at [website URL]/cookie-policy.
11. Children's Privacy
Vinyl's services are not intended for children under the age of 16. We do not knowingly collect or process personal data from minors. If we discover that we have collected personal data from a minor, we will delete it immediately. Parents or guardians who believe their child has provided us with personal data should contact hello@usevinyl.com.
12. Data Breach Notification
In the event of a data breach that may result in a high risk to your rights and freedoms, we will notify affected users and relevant authorities as required by GDPR and the Australian Notifiable Data Breaches (NDB) scheme.
Data Breach Response Plan
In case of a confirmed or suspected data breach, we will:
- Containment and Preliminary Assessment: Immediately initiate steps to contain the breach and conduct a preliminary assessment to determine its nature, scope, and potential impact.
- Notification Timeline:
  - Notify applicable regulatory authorities within 72 hours of becoming aware of the breach, where required by law.
  - Notify affected users without undue delay, typically within 7 days of breach confirmation, unless a longer period is justified by the complexity of the investigation.
- Notification Content: Our notifications will include:
  - Description of the breach and when it occurred
  - Types of personal data involved
  - Potential consequences for affected users
  - Measures taken or planned to address the breach
  - Contact information for our Data Protection Officer or privacy team
  - Recommendations for users to protect themselves
- Remediation: Implement appropriate technical and organizational measures to address the breach and prevent similar incidents in the future.
- Documentation: Maintain detailed records of all data breaches, including facts, effects, and remedial actions taken.
13. AI Processing & User Consent
By using Vinyl's AI-powered transcription services, you acknowledge and consent to:
- Meeting data being processed by third-party AI providers in the United States.
- AI-powered content generation that may not always be error-free.
- The ability to disable AI-driven features in account settings.
14. Governing Law & Dispute Resolution
This Privacy Policy is governed by the laws of New South Wales, Australia. Any disputes arising from this policy will be resolved through arbitration in New South Wales, unless otherwise required by law.
Arbitration Procedure
- Arbitration will be conducted by the Australian Disputes Centre in Sydney, New South Wales
- The arbitration will be conducted by a single arbitrator
- The arbitration will be conducted in English
- Each party will bear its own costs of arbitration, and the arbitrator's fees will be shared equally
- The arbitrator's decision will be final and binding
- Neither party may participate in a class action lawsuit or class-wide arbitration
Before initiating arbitration, users agree to attempt to resolve disputes informally by contacting hello@usevinyl.com.
15. Updates to this Policy
We may update this Privacy Policy from time to time. Material changes will be posted on our website at least 30 days before they take effect, and where appropriate, we will notify you via email. Continued use of Vinyl after the effective date constitutes acceptance of the updated policy.
16. Assignment
Vinyl may assign or transfer its rights and obligations under this Privacy Policy without restriction, particularly in connection with a merger, acquisition, or sale of assets. Users will be notified of any such transfer via email and website announcement.
17. Severability
If any provision of this Privacy Policy is found to be unenforceable or invalid under any applicable law, such unenforceability or invalidity shall not render this Policy unenforceable or invalid as a whole. Any such provision shall be deleted without affecting the remaining provisions.
18. Entire Agreement
This Privacy Policy, together with the Terms of Service and any additional terms to which you agree when using specific elements of the Services, constitutes the entire agreement between you and Vinyl regarding privacy practices and data processing.
19. Contact Us
For questions, concerns, or data requests, please contact hello@usevinyl.com.
By continuing to use Vinyl, you agree to this Privacy Policy.