NeuroPlume Logo

Privacy Policy

Personal data processing policy

Select data storage region:

Applicable Law

This Personal Data Processing Policy of NeuroPlume (hereinafter — 'Policy', 'Operator') is developed in accordance with Federal Law No. 152-FZ of July 27, 2006 'On Personal Data' (hereinafter — 'Personal Data Law') and pursuant to the requirements of Part 2 of Article 18.1 of the Personal Data Law is published for free access on the Internet at: https://neuroplume.com/privacy.

1. General Provisions

This personal data processing policy is compiled in accordance with applicable data protection legislation requirements and defines the procedure for processing personal data and measures to ensure the security of personal data taken by NeuroPlume (hereinafter referred to as the Operator).

Operator Details

Personal data operator:
Individual Entrepreneur Markov Nikolai Viktorovich
TIN (Russia):
222411572510
OGRNIP:
324774600087470
Address:
Moscow, Russia
Contact email:
privacy@neuroplume.com

The Operator sets as its most important goal and condition for carrying out its activities the observance of human and civil rights and freedoms when processing personal data, including the protection of rights to privacy, personal and family secrets.

This Operator policy regarding the processing of personal data (hereinafter referred to as the Policy) applies to all information that the Operator may receive about visitors to the website https://neuroplume.com.

2. Data Processing in SpeechMetrics

SpeechMetrics is a call analytics platform. NeuroPlume acts as a data processor on behalf of client organizations (data controllers).

2.1. Roles in Data Processing

Контроллер: Data Controller (your organization) — determines the purposes and means of processing, is responsible for lawful data collection and obtaining consents.

Обработчик: Data Processor (NeuroPlume) — processes data exclusively on behalf of and under instructions from the controller, ensures technical security.

2.2. What Data We Process

As part of SpeechMetrics operations, we process:

  • Call identifiers (UUID) — for linking data within the system
  • Call metadata — date, time, duration, direction (inbound/outbound)
  • Call audio recordings — temporarily, for transcription (contain voice biometrics — unique voice characteristics that may identify an individual)
  • Call transcripts — text version of the conversation, which may contain third-party personal data (full names, phone numbers, email addresses, physical addresses, bank card and account numbers, document numbers, dates of birth, and other information) mentioned during the call
  • Analytics results — service quality scores, conversation sentiment, identified topics and scripts, compliance flags, performance metrics
  • Manager data (client organization employees) — last name, first name, middle name, email address, phone number, department affiliation, call evaluation results
  • Client data (client organization contacts) — last name, first name, middle name, email address, phone number
  • Platform user account data — full name, email address, phone number, organization name
  • Upload history — file name, upload source (UI, API, CRM integration), processing status
  • Access and audit logs — records of user actions in the system (authentication, data access, IP address, device information)

Audio recordings: processed temporarily for transcription and deleted immediately upon processing completion. We do not store audio files. Voice biometrics are not extracted or stored separately.

Anonymization during AI analysis: before passing transcripts to the analysis system, automatic irreversible removal of personal data is performed using specialized masking tools. Full names, phone numbers, email addresses, physical addresses, bank card and account numbers, document numbers (passport, SNILS, TIN), dates of birth, and other identifying information are removed. The anonymization is one-way — recovery of original data is impossible.

Personal data in transcripts: transcripts may contain personal data of third parties (your organization's customers). The controller (your organization) is responsible for the lawfulness of recording and processing such data.

2.3. Processing Purposes

  • Converting audio to text (transcription)
  • Analyzing service quality and script compliance
  • Identifying customer communication issues
  • Generating analytical reports for client organizations
  • Employee training and quality control

2.4. Legal Basis

Processing is carried out based on a Data Processing Agreement (DPA) with your organization. We process data strictly within the controller's instructions.

Your organization (controller) is responsible for: obtaining consent to record calls, informing data subjects, determining retention periods.

2.5. Data Retention Periods

Retention periods are determined by your organization:

  • Transcripts and analytics: according to retention settings in your account (default — 12 months)
  • Manager and client data: for the duration of the contract + 30 days after account deletion
  • Call metadata: for the duration of the contract
  • Audio files: deleted immediately after transcription (not stored)
  • Access and audit logs: 7 years in accordance with security requirements

Upon controller request or contract termination, all data is deleted within 30 days.

2.6. Data Localization

Data is processed and stored in the region selected during registration. Available regions: Russia (RU), European Union (EU), UAE. Data does not leave the selected region without explicit consent and legal grounds.

For clients from Russia: data of Russian citizens is stored exclusively on servers in Russia in accordance with FZ-152 requirements.

2.7. Security Measures

The following security measures are applied to protect data:

  • AES-256 encryption for data at rest
  • TLS 1.3 encryption for data in transit
  • Role-Based Access Control (RBAC)
  • Multi-Factor Authentication (MFA)
  • Isolation of different organizations' data (multi-tenancy)
  • Regular security audits and penetration testing

2.8. Data Subject Rights

If your data is processed in SpeechMetrics (e.g., you are a customer of an organization using our platform), you have the right to:

  • Receive information about the processing of your data
  • Access your data
  • Rectification of inaccurate data
  • Erasure of data (right to be forgotten)
  • Restriction or cessation of processing
  • File a complaint with a supervisory authority

To exercise your rights, contact the organization that recorded your call (data controller). The organization will forward the request to us as the processor.

2.9. Regulatory Compliance

  • FZ-152 'On Personal Data' — for clients from Russia
  • GDPR — for clients from the European Union
  • UAE FDPL — for clients from the UAE

3. Key Definitions (Russian Law)

Automated processing of personal data processing of personal data using computer technology.

Blocking of personal data temporary cessation of personal data processing.

Website a collection of graphical and informational materials, as well as software and databases, accessible on the Internet at https://neuroplume.com.

Personal data information system a collection of personal data contained in databases and information technologies and technical means providing their processing.

Depersonalization of personal data actions making it impossible to determine without additional information the attribution of personal data to a specific User.

Processing of personal data any action or set of actions performed with personal data, including collection, recording, systematization, accumulation, storage, clarification, extraction, use, transfer, depersonalization, blocking, deletion, destruction.

Operator a state or municipal body, legal or natural person that organizes and/or carries out the processing of personal data, as well as determines the purposes of processing personal data.

Personal data any information relating directly or indirectly to a specific or identifiable User of the website https://neuroplume.com.

User any visitor to the website https://neuroplume.com.

Provision of personal data actions aimed at disclosing personal data to a specific person or circle of persons.

Dissemination of personal data any actions aimed at disclosing personal data to an indefinite circle of persons.

Cross-border transfer of personal data transfer of personal data to the territory of a foreign state.

Destruction of personal data any actions resulting in the irreversible destruction of personal data.

4. Rights and Obligations of the Operator

The Operator has the right to:

  • receive reliable information and/or documents containing personal data from the data subject;
  • continue processing personal data without the consent of the data subject if there are grounds specified in the Law on Personal Data;
  • independently determine the composition and list of measures necessary to fulfill the obligations provided by the Law on Personal Data.

The Operator is obliged to:

  • provide the data subject with information regarding the processing of their personal data upon request;
  • organize the processing of personal data in accordance with current Russian legislation;
  • respond to requests from data subjects in accordance with the Law on Personal Data;
  • report necessary information to the authorized body within 10 days of receiving a request;
  • publish or otherwise ensure unlimited access to this Policy;
  • take legal, organizational and technical measures to protect personal data;
  • cease transfer and processing of personal data in cases provided by the Law.

5. Rights and Obligations of Data Subjects

Data subjects have the right to:

  • receive information regarding the processing of their personal data;
  • demand clarification, blocking or destruction of personal data that is incomplete, outdated, inaccurate, or illegally obtained;
  • impose conditions of prior consent for processing personal data for marketing purposes;
  • withdraw consent to the processing of personal data;
  • appeal unlawful actions or inaction of the Operator;
  • exercise other rights provided by Russian legislation.

Data subjects are obliged to:

  • provide accurate data about themselves to the Operator;
  • inform the Operator of any updates to their personal data.

Persons who have provided the Operator with false information about themselves or information about another data subject without their consent shall bear liability in accordance with Russian legislation.

6. Principles of Personal Data Processing

  • Processing is carried out on a lawful and fair basis.
  • Processing is limited to achieving specific, predetermined and lawful purposes.
  • Combining databases containing personal data processed for incompatible purposes is not allowed.
  • Only personal data that meets the purposes of their processing shall be processed.
  • The content and volume of processed personal data correspond to the stated purposes.
  • Accuracy, sufficiency, and relevance of personal data is ensured.
  • Personal data is stored in a form allowing identification of data subjects no longer than required by processing purposes.

7. Purposes of Personal Data Processing

We process personal data for the following purposes:

  • User registration on the SpeechMetrics platform and providing access to the personal account (name, email, phone, organization name). Retention period: for the duration of the account + 30 days after deletion.
  • Fulfillment of contractual obligations for call analytics services (client organization data, contact persons). Retention period: for the duration of the contract + 3 years.
  • Transcription of call audio recordings and AI-powered service quality analysis (audio recordings containing voice biometrics; transcripts; anonymized data for analysis using automatic personal data masking). Audio recordings are deleted immediately after transcription.
  • Processing feedback and inquiries from the website (name, email, phone, number of managers, inquiry page, source URL). Retention period: 1 year from the date of inquiry.
  • Website traffic analytics via Yandex.Metrica (cookies, IP address, behavioral data). Retention period: determined by cookie consent settings, maximum 12 months.
  • Informing the User by sending emails and newsletters (email). Retention period: until withdrawal of newsletter consent.
  • Ensuring security and fraud prevention (IP address, CAPTCHA data). Retention period: 60 days.
  • Compliance with Russian Federation legislation requirements (accounting and tax documents). Retention period: in accordance with the Tax Code of the Russian Federation (5 years).

8. Conditions for Personal Data Processing

  • Processing is carried out with the consent of the data subject.
  • Processing is necessary to achieve goals provided by international treaty or law of the Russian Federation.
  • Processing is necessary for the administration of justice.
  • Processing is necessary for the performance of a contract to which the data subject is a party.
  • Processing is necessary for the legitimate interests of the operator or third parties.
  • Processing of publicly available personal data is carried out.
  • Processing of personal data subject to publication is carried out.

9. Procedure for Collection, Storage, Transfer and Other Types of Personal Data Processing

The security of personal data processed by the Operator is ensured through the implementation of legal, organizational and technical measures.

  • The Operator ensures the security of personal data and takes all possible measures to prevent unauthorized access.
  • The User's personal data will never be transferred to third parties, except in cases related to the execution of current legislation.
  • In case of inaccuracies, the User can update their data by sending a notice to the Operator's email {email}.
  • The processing period is determined by achieving the purposes for which the personal data was collected.
  • The User may withdraw consent at any time by sending a notice to {email}.
  • The Operator ensures the confidentiality of personal data during processing.
  • The Operator stores personal data in a form allowing identification of data subjects no longer than required.

10. List of Actions Performed by the Operator with Personal Data

  • The Operator performs collection, recording, systematization, accumulation, storage, clarification, extraction, use, transfer, depersonalization, blocking, deletion and destruction of personal data.
  • The Operator performs automated processing of personal data with or without transmission of information over telecommunication networks.

11. Cross-Border Transfer of Personal Data

In accordance with Article 12 of FZ-152 and amendments effective from July 1, 2025:

  • Primary collection of personal data of Russian citizens is carried out exclusively on servers located in the Russian Federation.
  • Cross-border transfer of personal data to foreign countries is only permitted with the consent of the data subject.
  • Before initiating cross-border transfer, the Operator must notify Roskomnadzor of its intention to carry out such transfer.
  • The Operator must obtain information from foreign recipients: about data protection measures, conditions for termination of processing, and legal regulations in the recipient country.
  • Cross-border transfer is permitted to countries that are parties to the Council of Europe Convention on the Protection of Individuals with regard to Automatic Processing of Personal Data, as well as countries from the Roskomnadzor list with adequate protection.
  • When selecting the 'Russia' data storage region, your personal data does not leave the territory of the Russian Federation and is processed exclusively on Russian servers.

Cross-Border Data Transfer

The Operator does not carry out cross-border transfer of personal data. All personal data is stored and processed within the territory of the Russian Federation using Yandex.Cloud infrastructure (Yandex.Cloud LLC, INN 7704458262).

Personal Data Processing Procedures for Data Subjects Located in the Russian Federation

In accordance with the requirements of Federal Law No. 152-FZ dated July 27, 2006 "On Personal Data" (hereinafter — FZ-152) and Federal Law No. 242-FZ dated July 21, 2014, the Operator ensures the localization of recording, systematization, accumulation, storage, clarification (updating, modification) and extraction of personal data of citizens of the Russian Federation using databases located within the territory of the Russian Federation (Part 5, Article 18 of FZ-152).

Data Storage Localization

Personal data of data subjects located in the Russian Federation is stored and processed on servers physically located within the territory of the Russian Federation: relational databases are hosted in a Russian data center, object storage — in Yandex Object Storage (ru-central1 region, Yandex.Cloud LLC, TIN 7704458262). Primary collection of personal data is carried out exclusively within the territory of the Russian Federation.

Audio Data Processing (Speech Recognition)

Audio transcription for data subjects located in the Russian Federation is carried out exclusively using the Yandex SpeechKit service (Yandex.Cloud LLC). Audio data is processed and stored within the territory of the Russian Federation. No transfer of audio data outside the territory of the Russian Federation is performed. Audio data processing is carried out on the basis of a data processing agreement concluded with Yandex.Cloud LLC in accordance with Part 3, Article 6 of FZ-152.

Data Anonymization for AI Analysis

Quality analysis using artificial intelligence technologies (large language models) is performed exclusively on anonymized data in accordance with Articles 3 and 7 of Roskomnadzor Order No. 996 dated September 5, 2013. Prior to data transfer to the analysis system, automatic removal of personal data (PII masking) is performed, including full name, contact details and other information that could identify a data subject. The results of anonymization do not allow identification of personal data belonging to a specific data subject without the use of additional information.

Operator Guarantees

The Operator guarantees that personal data of data subjects located in the Russian Federation is not transferred or processed outside the territory of the Russian Federation, except in cases of cross-border transfer expressly specified in this Policy and subject to compliance with the requirements of Article 12 of FZ-152.

12. Confidentiality of Personal Data

In accordance with Article 7 of Federal Law No. 152-FZ dated July 27, 2006 "On Personal Data", the Operator and other persons who have gained access to personal data are obliged not to disclose or distribute personal data to third parties without the consent of the data subject, unless otherwise provided by federal law.

13. Yandex SmartCaptcha Data Processing

NeuroPlume uses Yandex SmartCaptcha service for request verification and bot blocking.

For the Service to work, we have entrusted Yandex.Cloud LLC (Yandex) to collect and process technical data about your device, its activity and digital fingerprint.

Yandex uses your data only for the purposes of operating and maintaining the Service according to our instructions.

Data retention period is 60 days from the date of collection, after which the data will be deleted. Yandex stores data on servers in Russia.

You can learn more about Yandex's data processing conditions in the Yandex Privacy Policy.

14. Extended Rights of Data Subjects

Right to Data Portability

You have the right to receive your personal data in a structured, commonly used and machine-readable format.

Right to Restriction of Processing

You have the right to request restriction of processing your personal data in the following cases:

  • When you contest the accuracy of personal data
  • When processing is unlawful but you oppose deletion
  • When we no longer need the data but you need it for legal claims
  • When you object to processing pending verification

Right to Rectification

You have the right to request rectification of inaccurate personal data and completion of incomplete data.

Exercising Your Rights

To exercise any of these rights, please contact us at {email}. In accordance with FZ-152, we will respond to your request within 10 business days of receipt.

15. Control and Responsibility

  • Compliance with this Policy is supervised by the person responsible for organizing personal data processing.
  • Liability for violation of Russian Federation legislation in the field of personal data processing and protection is determined in accordance with Russian Federation legislation.
  • Notification to Roskomnadzor about the commencement of personal data processing is submitted in accordance with the procedure established by law.

16. Legal Basis for Personal Data Processing

The legal basis for personal data processing is a set of regulatory legal acts in pursuance and in accordance with which the Operator processes personal data:

  • Constitution of the Russian Federation
  • Civil Code of the Russian Federation
  • Tax Code of the Russian Federation
  • Federal Law No. 152-FZ of July 27, 2006 'On Personal Data'
  • Federal Law No. 149-FZ of July 27, 2006 'On Information, Information Technologies and Protection of Information'
  • Government Decree No. 1119 of November 1, 2012 'On Approval of Requirements for Personal Data Protection During Their Processing in Personal Data Information Systems'
  • Government Decree No. 687 of September 15, 2008 'On Approval of the Regulation on the Specifics of Personal Data Processing Carried Out Without Automation Tools'
  • Other regulatory legal acts governing relations related to the Operator's activities

The legal basis for personal data processing also includes: contracts concluded with the personal data subject; consent of the personal data subject to the processing of personal data.

17. Data Not Processed

  • The Operator does not process biometric personal data (information characterizing the physiological and biological characteristics of a person that can be used to establish their identity) for identification purposes. Call audio recordings containing voice characteristics are processed solely for the purpose of transcription (speech-to-text conversion) and are deleted immediately after processing. Biometric templates are not extracted or stored from audio recordings.
  • The Operator does not process special categories of personal data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, health status, or intimate life.

18. Requirements for Personal Data Subject Requests

A personal data subject's request must contain:

  • Number of the main identity document of the personal data subject or their representative, information about the date of issue of said document and the issuing authority
  • Information confirming the personal data subject's participation in relations with the Operator (contract number, date of contract conclusion, conditional verbal designation and/or other information), or information otherwise confirming the fact of personal data processing by the Operator
  • Signature of the personal data subject or their representative

The request may be submitted in electronic form and signed with an electronic signature in accordance with Russian Federation legislation.

The Operator is obliged to inform the personal data subject about the availability of personal data, as well as provide an opportunity to review these data within 10 business days from the receipt of the request.

19. Advertising and Informational Messages

The Operator has the right to send advertising and informational messages to the personal data subject via email, SMS and push notifications only with prior consent to receive advertising in accordance with Part 1 of Article 18 of Federal Law No. 38-FZ of March 13, 2006 'On Advertising'.

Consent to receive advertising messages is provided in written form or in electronic form by checking the corresponding box on the website.

The personal data subject has the right to opt out of receiving advertising messages by following the appropriate link in received emails or by sending a notification to: {email}.

20. Automatic Data Collection

20.1. Automatically Collected Information

When visiting our website, we automatically collect certain information about your device and website usage, including:

  • IP address of your device
  • Browser type and version
  • Operating system
  • Pages you visit on our site
  • Time and date of visit
  • Source of referral to our site
  • Information about interaction with site elements

20.2. Use of Cookies

We use various types of cookies to improve site performance and user experience. Detailed information about how we use cookies, their types and management methods is available in our separate Cookie Policy.

21. Security Measures

In accordance with Article 19 of Federal Law No. 152-FZ dated July 27, 2006 "On Personal Data", the Operator is obliged to take necessary legal, organizational and technical measures to protect personal data from unauthorized or accidental access, destruction, modification, blocking, copying, provision, distribution of personal data, as well as from other unlawful actions with respect to personal data.

21.1. Technical Protection Measures

We apply the following technical measures to protect your personal data:

  • Data encryption during transmission (SSL/TLS)
  • Data encryption during storage
  • Regular security system updates
  • Use of firewalls and intrusion detection systems
  • Regular data backup
  • Access monitoring to data

21.2. Organizational Measures

We also apply organizational security measures:

  • Restricting access to personal data only to authorized employees
  • Training employees on personal data processing rules
  • Signing confidentiality agreements
  • Regular security system audits
  • Access and password management policies

21.3. Employee Access to Data

Access to personal data is granted only to employees who need it to perform their job duties. All employees sign confidentiality agreements and undergo training on personal data protection.

21.4. Breach Notification

In case of personal data security breach, we undertake to notify the relevant authorities and affected data subjects in accordance with legal requirements.

22. Privacy Policy Updates

22.1. Making Changes

We may periodically update this privacy policy to reflect changes in our practices, legislation, or for other operational, legal, or regulatory reasons.

22.2. Change Notification

When making significant changes to the policy, we will notify you in the following ways:

  • Posting a notice on the main page of the site
  • Sending a notification by email (if we have your email)
  • Posting information in the user's personal account

22.3. Publication of Updates

All policy updates are published on this page with the date of the last change indicated. We recommend periodically reviewing this policy to stay informed about how we protect your data.

22.4. Entry into Force of Changes

Changes take effect 30 days after their publication on the site, unless otherwise specified. Continued use of the site after the changes take effect means your agreement with the updated policy.

23. Final Provisions

The User can receive any clarifications on questions of interest regarding the processing of their personal data by contacting the Operator using email privacy@neuroplume.com.

This document will reflect any changes in the Operator's personal data processing policy. The Policy is valid indefinitely until replaced by a new version.

The current version of the Policy is freely available on the Internet at https://neuroplume.com/privacy.

Last updated: February 20, 2026