LEGAL

Privacy Policy

Effective Date: April 8, 2026 · Last Updated: April 8, 2026

Information we collect
How we use information
How we share information
Data retention
Cookies and similar technologies
Data security
Breach notification
International data transfers
Your privacy rights (CCPA, GDPR)
Changes to this policy
Contact us
CCPA notice at collection

This Privacy Policy describes how RepCoach ("we", "us", or "our") collects, uses, discloses, and protects information when you use our website at https://getrepcoach.com (and any successor URL) and the RepCoach software-as-a-service platform (collectively, the "Service").

This Privacy Policy applies to:

Customers — businesses and individuals who subscribe to or use the Service
Authorized Users — employees, contractors, or agents of Customers who access the Service
Visitors — individuals who visit our website without subscribing
Call Participants — individuals whose voices, statements, or information appear in call recordings or transcripts uploaded to the Service by Customers

If you do not agree with this Privacy Policy, do not use the Service.

1. Information we collect

1.1 Information you provide directly

When you create an account, subscribe to the Service, or contact us, we collect:

Account information: name, email address, company name, password (stored hashed), profile photo (if provided)
Billing information: payment card information (collected and processed by our payment processor Stripe — we do not store full card numbers), billing address, tax ID (if applicable)
Customer Data: call recordings, transcripts, rep names and roles, rubric configurations, scenario configurations, file uploads, and any other content you submit to the Service
Communications: support requests, feedback, survey responses, email correspondence

1.2 Information collected automatically

When you use the Service, we automatically collect:

Device and connection information: IP address, browser type and version, operating system, device identifiers, referring URLs
Usage information: pages visited, features used, actions taken, time spent on pages, click patterns
Cookies and similar technologies: see Section 5 for details

1.3 Information from third parties

We may receive information about you from payment processors (Stripe), authentication providers (when those features are added), and analytics providers (when implemented).

1.4 Information in call recordings — special category

This is the most sensitive category of information RepCoach processes. When a Customer uploads a call recording or transcript, that material may contain:

Voices, names, and statements of Customer's prospects, leads, clients, employees, or other third parties
Personally identifiable information about those third parties, including names, phone numbers, email addresses, and home addresses
Sensitive personal information including financial information, medical information, employment information, family information, and biographical details

RepCoach does not collect this information directly from the individuals on the calls. RepCoach processes this information solely on behalf of the Customer who uploaded the recording. The Customer is the "Business" (CCPA) or "Controller" (GDPR) of this information; RepCoach is the "Service Provider" or "Processor".

If you are an individual whose voice or information appears in a recording uploaded to RepCoach by a Customer, you have the rights described in Section 9 below. You may exercise those rights by contacting us at privacy@repcoach.ai or by contacting the Customer who uploaded the recording directly.

1.5 Information we do NOT knowingly collect

Protected Health Information (PHI) as defined under HIPAA. Customers are prohibited by the Terms of Service from uploading PHI to the Service.
Personal information from children under 13. The Service is not directed to children.
Payment card numbers in full. Card information is collected and tokenized by our payment processor, Stripe. We store only the last 4 digits and the card brand.

2. How we use information

2.1 To provide the Service

Authenticate Customers and Authorized Users
Process call recordings and generate AI-powered scoring reports
Generate transcripts of uploaded recordings
Provide AI-powered voice roleplay
Display the manager dashboard
Process payments and manage subscriptions
Send service-related communications

2.2 To improve the Service

Analyze usage patterns to identify improvements
Debug errors and prevent abuse
Test new features
Train and improve AI models in aggregated, anonymized form only (not on Customer Data identifying specific Customers or individuals)

2.3 To communicate with you

Respond to support requests
Send service updates and security alerts
Send billing notices and renewal reminders (where required by law)
Send marketing communications (only with your express consent and subject to your right to opt out at any time)

2.4 To comply with legal obligations

Respond to lawful requests from law enforcement and regulators; enforce our Terms of Service; protect our rights, property, or safety, or that of our Customers or others; comply with court orders, subpoenas, and legal processes.

2.5 With your consent

For any other purpose with your express consent.

We do NOT use your information for the following purposes:

Selling personal information to third parties
Sharing personal information with advertisers for cross-context behavioral advertising
Training AI models on your specific Customer Data for use by other customers (without your express written consent)
Creating profiles of Call Participants for any purpose other than serving the uploading Customer

3. How we share information

3.1 We do NOT sell personal information

RepCoach does NOT sell personal information as that term is defined under the California Consumer Privacy Act or any similar law.

3.2 Service providers and subprocessors

We share information with third-party service providers who help us operate the Service:

Provider	Purpose	Privacy Policy
Anthropic, PBC	AI processing (Claude API)	anthropic.com/legal/privacy
Cloudflare, Inc.	CDN, edge compute, security	cloudflare.com/privacypolicy/
Stripe, Inc.	Payment processing	stripe.com/privacy
Netlify, Inc.	Website hosting	netlify.com/privacy/

These providers are contractually obligated to use information only as necessary to provide their services to RepCoach and not for their own purposes.

3.3 Business transfers

If RepCoach is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or a portion of its assets, information may be transferred as part of that transaction. We will notify Customers of any such change in ownership or control.

3.4 Legal requirements

We may disclose information when we believe in good faith that disclosure is necessary to comply with a legal obligation, court order, subpoena, or other legal process; protect the rights, property, or safety of RepCoach, our Customers, or others; investigate fraud or security issues; or enforce our Terms of Service.

When we receive a legal request for Customer Data, we will, to the extent permitted by law and the request, notify the affected Customer before disclosure to give the Customer an opportunity to challenge the request.

3.5 With your consent

We may share information with third parties when you have given us explicit consent to do so.

4. Data retention

We retain information for as long as necessary to provide the Service and fulfill the purposes described in this Privacy Policy.

Data Category	Default Retention
Account information	Duration of account + 90 days after closure
Customer Data (recordings, transcripts)	90 days from upload (Customer-configurable)
Billing records	7 years (for tax and accounting purposes)
Support communications	3 years from resolution
Server logs and security data	90 days
Marketing communications opt-out records	Indefinitely (to honor opt-out)

You may request earlier deletion at any time by emailing privacy@repcoach.ai or by using the deletion controls in your account dashboard. We will process the request within thirty (30) days, except that copies in routine backups will be deleted in the next backup cycle (typically within sixty (60) additional days).

5. Cookies and similar technologies

5.1 What we use

RepCoach uses cookies and similar technologies (such as localStorage, sessionStorage, and pixel tags) for:

Strictly necessary cookies: authentication, session management, security. These cookies are essential to the operation of the Service and cannot be disabled.
Functional cookies: remembering your preferences, account settings, and previously selected industry or rubric configurations.
Analytics cookies: measuring usage patterns to improve the Service. These cookies are loaded only after you have consented via the cookie banner.

5.2 Cookie consent

EU and UK visitors will see a cookie consent banner on first visit allowing them to accept or reject non-necessary cookies. Visitors from other jurisdictions may also opt out of non-necessary cookies via the cookie settings link in the footer.

5.3 Do Not Track

RepCoach does not currently respond to "Do Not Track" browser signals because there is no consensus standard for how to interpret them.

5.4 Global Privacy Control

RepCoach does honor the Global Privacy Control (GPC) signal as a valid request to opt out of "sale" or "sharing" of personal information under the CCPA.

6. Data security

We implement administrative, technical, and physical safeguards designed to protect information from unauthorized access, disclosure, alteration, and destruction. Our security measures include:

Encryption at rest of all Customer Data using AES-256
Encryption in transit using TLS 1.2 or higher
Access controls limiting access to Customer Data to authorized personnel on a need-to-know basis
Authentication including support for strong passwords and (when available) multi-factor authentication
Logging and monitoring of access to Customer Data
Regular security reviews of our systems and practices
Subprocessor security requirements in all vendor contracts

No security measure is perfect. RepCoach cannot guarantee that information will never be accessed without authorization, but we take reasonable steps to minimize the risk and we will notify affected parties promptly in the event of a confirmed breach (see Section 7).

7. Breach notification

In the event of a confirmed unauthorized acquisition, access, use, or disclosure of personal information that compromises the security, confidentiality, or integrity of personal information ("Breach"), RepCoach will:

Notify affected Customers within seventy-two (72) hours of confirming the Breach
Provide details including the nature of the Breach, the categories of information involved, the steps being taken to address the Breach, and recommendations for affected individuals
Notify regulators as required by applicable law (including the California Attorney General if more than 500 California residents are affected, and EU/UK supervisory authorities under GDPR if applicable)
Cooperate with affected Customers in any required notifications to individuals

8. International data transfers

RepCoach is based in the United States. By using the Service, you acknowledge that your information may be transferred to and processed in the United States, which may have data protection laws that differ from your jurisdiction.

For Customers in the European Economic Area, the United Kingdom, or Switzerland: RepCoach relies on the Standard Contractual Clauses approved by the European Commission (EU 2021/914) for transfers of personal data to the United States.

9. Your privacy rights

The rights available to you depend on the laws of your jurisdiction.

9.1 California residents (CCPA / CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act and California Privacy Rights Act:

Right to know. You may request that we disclose: the categories of personal information we collected about you; the categories of sources from which we collected the information; the business or commercial purpose for collecting or sharing the information; the categories of third parties with whom we share the information; and the specific pieces of personal information we collected about you.

Right to delete. You may request that we delete personal information we collected from you, subject to certain exceptions.

Right to correct. You may request that we correct inaccurate personal information we maintain about you.

Right to opt out of sale or sharing. RepCoach does NOT sell personal information and does not share personal information for cross-context behavioral advertising. You can confirm or reinforce this opt-out using the "Your Privacy Choices" link in our website footer or by sending a Global Privacy Control signal from your browser.

Right to limit use of sensitive personal information. You may request that we limit the use of sensitive personal information to purposes specified in CCPA §1798.121. RepCoach uses sensitive personal information only as necessary to provide the Service.

Right to non-discrimination. We will not discriminate against you for exercising any of these rights.

How to exercise your rights: Submit a request by emailing privacy@repcoach.ai. We will respond within forty-five (45) days. We may extend this period by an additional forty-five (45) days when reasonably necessary, with notice.

Authorized agents: You may designate an authorized agent to make a request on your behalf. The agent must provide signed written permission, and we may verify the agent's authority and your identity.

Verification: To protect your privacy, we will verify your identity before fulfilling a request.

9.2 EEA, UK, and Swiss residents (GDPR / UK GDPR)

If you are in the European Economic Area, the United Kingdom, or Switzerland, you have the following rights under GDPR:

Right of access to your personal data
Right to rectification of inaccurate personal data
Right to erasure ("right to be forgotten")
Right to restrict processing
Right to data portability
Right to object to processing based on legitimate interests
Right to withdraw consent where processing is based on consent
Right to lodge a complaint with a supervisory authority

Legal basis for processing. We process personal data based on: performance of a contract — providing the Service to Customers; legitimate interests — improving the Service, preventing fraud, marketing to existing Customers; consent — non-essential cookies, marketing communications to prospects; and legal obligation — tax, accounting, regulatory compliance.

To exercise your GDPR rights: Email privacy@repcoach.ai or contact our Data Protection Officer (when one is appointed) at dpo@repcoach.ai.

9.3 Other jurisdictions

Residents of other states and countries may have similar rights under local laws (e.g., Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Texas TDPSA, Brazil LGPD, Canada PIPEDA, Australia Privacy Act). Contact us at privacy@repcoach.ai to exercise any rights you may have.

9.4 Call Participants — special note

If your voice, name, or information appears in a call recording or transcript that was uploaded to RepCoach by a Customer, the Customer is the controller of that information for purposes of CCPA, GDPR, and similar laws. You may:

Contact the Customer directly to exercise your rights
Contact us at privacy@repcoach.ai and we will forward your request to the Customer (and act on it ourselves to the extent we are required to do so as a processor)
Request that we delete any recording or transcript that includes you, and we will do so within 30 days unless legally prohibited

10. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. The "Last Updated" date at the top of this policy indicates when it was last revised.

For material changes, we will notify affected users by: posting the updated policy on the Service with a new "Last Updated" date; sending an email to the address associated with the account; and posting a banner notice on the website for at least 30 days after the change.

Your continued use of the Service after the effective date of any changes constitutes your acceptance of the revised policy.

11. Contact us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

General privacy questions: privacy@repcoach.ai
Data subject requests: privacy@repcoach.ai
Data Protection Officer (when appointed): dpo@repcoach.ai
Security incident reports: security@repcoach.ai

RepCoach, San Diego, California, United States

12. CCPA/CPRA notice at collection

This section satisfies the "notice at collection" requirement under California Civil Code §1798.100(b).

Categories of personal information collected:

Category	Collected?	Sources	Purpose
Identifiers (name, email, IP)	Yes	Direct from user, automatic	Provide Service, security
Customer records (billing)	Yes	Direct from user	Provide Service, billing
Commercial information	Yes	Direct from user, Stripe	Subscription management
Internet activity (browsing)	Yes	Automatic	Service operation, analytics
Geolocation (general)	Yes	Automatic (IP-based)	State-specific compliance
Audio data (call recordings)	Yes	Customer uploads	Service operation
Professional/employment data	Yes	Customer uploads	Service operation
Inferences drawn from above	Yes	AI processing	Coaching report generation
Sensitive personal information	Sometimes (in recordings)	Customer uploads	Service operation only

Categories NOT collected: Biometric information for identification purposes; genetic data; precise geolocation (within 1,850 feet); religious or philosophical beliefs; sexual orientation (knowingly); union membership; Protected Health Information (HIPAA PHI).

Sale or sharing: RepCoach does NOT sell or share personal information.

DISCLAIMER: This is AI-generated legal guidance for informational purposes only. It does not constitute legal advice and does not create an attorney-client relationship. For binding legal advice consult a licensed attorney in your jurisdiction.