Privacy Policy — NeuroPlume

Select data storage region:

Applicable Law

This Personal Data Processing Policy of NeuroPlume (hereinafter — 'Policy', 'Operator') is developed in accordance with Federal Law No. 152-FZ of July 27, 2006 'On Personal Data' (hereinafter — 'Personal Data Law') and pursuant to the requirements of Part 2 of Article 18.1 of the Personal Data Law is published for free access on the Internet at: https://neuroplume.com/privacy.

1. General Provisions

This personal data processing policy is compiled in accordance with applicable data protection legislation requirements and defines the procedure for processing personal data and measures to ensure the security of personal data taken by NeuroPlume (hereinafter referred to as the Operator).

The Operator sets as its most important goal and condition for carrying out its activities the observance of human and civil rights and freedoms when processing personal data, including the protection of rights to privacy, personal and family secrets.

This Operator policy regarding the processing of personal data (hereinafter referred to as the Policy) applies to all information that the Operator may receive about visitors to the website https://neuroplume.com.

2. Data Processing in SpeechMetrics

SpeechMetrics is a call analytics platform. NeuroPlume acts as a data processor on behalf of client organizations (data controllers).

2.1. Roles in Data Processing

Контроллер: Data Controller (your organization) — determines the purposes and means of processing, is responsible for lawful data collection and obtaining consents.

Обработчик: Data Processor (NeuroPlume) — processes data exclusively on behalf of and under instructions from the controller, ensures technical security.

2.2. What Data We Process

As part of SpeechMetrics operations, we process:

Call identifiers (UUID) — for linking data within the system
Call metadata — date, time, duration, direction (inbound/outbound)
Call transcripts — text version of the conversation, which may contain personal data (names, contacts, addresses) mentioned during the call
Analytics results — quality scores, identified scripts, performance metrics

Аудио: Audio recordings: processed temporarily for transcription and deleted immediately after. We do not store audio files.

Personal data in transcripts: transcripts may contain personal data of third parties (your organization's customers). The controller (your organization) is responsible for the lawfulness of recording and processing such data.

2.3. Processing Purposes

Converting audio to text (transcription)
Analyzing service quality and script compliance
Identifying customer communication issues
Generating analytical reports for client organizations
Employee training and quality control

2.4. Legal Basis

Processing is carried out based on a Data Processing Agreement (DPA) with your organization. We process data strictly within the controller's instructions.

Your organization (controller) is responsible for: obtaining consent to record calls, informing data subjects, determining retention periods.

2.5. Data Retention Periods

Retention periods are determined by your organization:

Transcripts and analytics: according to retention settings in your account (default — 12 months)
Metadata: for the duration of the contract
Audio files: deleted immediately after transcription (not stored)

Upon controller request or contract termination, all data is deleted within 30 days.

2.6. Data Localization

Data is processed and stored in the region selected during registration. Available regions: Russia (RU), European Union (EU), UAE. Data does not leave the selected region without explicit consent and legal grounds.

For clients from Russia: data of Russian citizens is stored exclusively on servers in Russia in accordance with FZ-152 requirements.

2.7. Security Measures

The following security measures are applied to protect data:

AES-256 encryption for data at rest
TLS 1.3 encryption for data in transit
Role-Based Access Control (RBAC)
Multi-Factor Authentication (MFA)
Isolation of different organizations' data (multi-tenancy)
Regular security audits and penetration testing

2.8. Data Subject Rights

If your data is processed in SpeechMetrics (e.g., you are a customer of an organization using our platform), you have the right to:

Receive information about the processing of your data
Access your data
Rectification of inaccurate data
Erasure of data (right to be forgotten)
Restriction or cessation of processing
File a complaint with a supervisory authority

To exercise your rights, contact the organization that recorded your call (data controller). The organization will forward the request to us as the processor.

2.9. Regulatory Compliance

FZ-152 'On Personal Data' — for clients from Russia
GDPR — for clients from the European Union
UAE FDPL — for clients from the UAE

3. Key Definitions (Russian Law)

Automated processing of personal data — processing of personal data using computer technology.

Blocking of personal data — temporary cessation of personal data processing.

Website — a collection of graphical and informational materials, as well as software and databases, accessible on the Internet at https://neuroplume.com.

Personal data information system — a collection of personal data contained in databases and information technologies and technical means providing their processing.

Depersonalization of personal data — actions making it impossible to determine without additional information the attribution of personal data to a specific User.

Processing of personal data — any action or set of actions performed with personal data, including collection, recording, systematization, accumulation, storage, clarification, extraction, use, transfer, depersonalization, blocking, deletion, destruction.

Operator — a state or municipal body, legal or natural person that organizes and/or carries out the processing of personal data, as well as determines the purposes of processing personal data.

Personal data — any information relating directly or indirectly to a specific or identifiable User of the website https://neuroplume.com.

User — any visitor to the website https://neuroplume.com.

Provision of personal data — actions aimed at disclosing personal data to a specific person or circle of persons.

Dissemination of personal data — any actions aimed at disclosing personal data to an indefinite circle of persons.

Cross-border transfer of personal data — transfer of personal data to the territory of a foreign state.

Destruction of personal data — any actions resulting in the irreversible destruction of personal data.

4. Rights and Obligations of the Operator

4.1. The Operator has the right to:

receive reliable information and/or documents containing personal data from the data subject;
continue processing personal data without the consent of the data subject if there are grounds specified in the Law on Personal Data;
independently determine the composition and list of measures necessary to fulfill the obligations provided by the Law on Personal Data.

4.2. The Operator is obliged to:

provide the data subject with information regarding the processing of their personal data upon request;
organize the processing of personal data in accordance with current Russian legislation;
respond to requests from data subjects in accordance with the Law on Personal Data;
report necessary information to the authorized body within 10 days of receiving a request;
publish or otherwise ensure unlimited access to this Policy;
take legal, organizational and technical measures to protect personal data;
cease transfer and processing of personal data in cases provided by the Law.

5. Rights and Obligations of Data Subjects

5.1. Data subjects have the right to:

receive information regarding the processing of their personal data;
demand clarification, blocking or destruction of personal data that is incomplete, outdated, inaccurate, or illegally obtained;
impose conditions of prior consent for processing personal data for marketing purposes;
withdraw consent to the processing of personal data;
appeal unlawful actions or inaction of the Operator;
exercise other rights provided by Russian legislation.

5.2. Data subjects are obliged to:

provide accurate data about themselves to the Operator;
inform the Operator of any updates to their personal data.

Persons who have provided the Operator with false information about themselves or information about another data subject without their consent shall bear liability in accordance with Russian legislation.

6. Principles of Personal Data Processing

Processing is carried out on a lawful and fair basis.
Processing is limited to achieving specific, predetermined and lawful purposes.
Combining databases containing personal data processed for incompatible purposes is not allowed.
Only personal data that meets the purposes of their processing shall be processed.
The content and volume of processed personal data correspond to the stated purposes.
Accuracy, sufficiency, and relevance of personal data is ensured.
Personal data is stored in a form allowing identification of data subjects no longer than required by processing purposes.

7. Purposes of Personal Data Processing

We process personal data for the following purposes:

Informing the User by sending emails
Fulfillment of contractual obligations
Providing access to platform services
Improving service quality

8. Conditions for Personal Data Processing

Processing is carried out with the consent of the data subject.
Processing is necessary to achieve goals provided by international treaty or law of the Russian Federation.
Processing is necessary for the administration of justice.
Processing is necessary for the performance of a contract to which the data subject is a party.
Processing is necessary for the legitimate interests of the operator or third parties.
Processing of publicly available personal data is carried out.
Processing of personal data subject to publication is carried out.

9. Procedure for Collection, Storage, Transfer and Other Types of Personal Data Processing

The security of personal data processed by the Operator is ensured through the implementation of legal, organizational and technical measures.

The Operator ensures the security of personal data and takes all possible measures to prevent unauthorized access.
The User's personal data will never be transferred to third parties, except in cases related to the execution of current legislation.
In case of inaccuracies, the User can update their data by sending a notice to the Operator's email [email protected].
The processing period is determined by achieving the purposes for which the personal data was collected.
The User may withdraw consent at any time by sending a notice to [email protected].
The Operator ensures the confidentiality of personal data during processing.
The Operator stores personal data in a form allowing identification of data subjects no longer than required.

10. List of Actions Performed by the Operator with Personal Data

The Operator performs collection, recording, systematization, accumulation, storage, clarification, extraction, use, transfer, depersonalization, blocking, deletion and destruction of personal data.
The Operator performs automated processing of personal data with or without transmission of information over telecommunication networks.

11. Cross-Border Transfer of Personal Data

In accordance with Article 12 of FZ-152 and amendments effective from July 1, 2025:

Primary collection of personal data of Russian citizens is carried out exclusively on servers located in the Russian Federation.
Cross-border transfer of personal data to foreign countries is only permitted with the consent of the data subject.
Before initiating cross-border transfer, the Operator must notify Roskomnadzor of its intention to carry out such transfer.
The Operator must obtain information from foreign recipients: about data protection measures, conditions for termination of processing, and legal regulations in the recipient country.
Cross-border transfer is permitted to countries that are parties to the Council of Europe Convention on the Protection of Individuals with regard to Automatic Processing of Personal Data, as well as countries from the Roskomnadzor list with adequate protection.
When selecting the 'Russia' data storage region, your personal data does not leave the territory of the Russian Federation and is processed exclusively on Russian servers.

12. Confidentiality of Personal Data

The Operator and other persons who have gained access to personal data are obliged not to disclose or distribute personal data to third parties without the consent of the data subject, unless otherwise provided by federal law.

13. Yandex SmartCaptcha Data Processing

NeuroPlume uses Yandex SmartCaptcha service for request verification and bot blocking.

For the Service to work, we have entrusted Yandex.Cloud LLC (Yandex) to collect and process technical data about your device, its activity and digital fingerprint.

Yandex uses your data only for the purposes of operating and maintaining the Service according to our instructions.

Data retention period is 60 days from the date of collection, after which the data will be deleted. Yandex stores data on servers in Russia.

You can learn more about Yandex's data processing conditions in the Yandex Privacy Policy.

14. Extended Rights of Data Subjects

14.1. Right to Data Portability

You have the right to receive your personal data in a structured, commonly used and machine-readable format.

14.2. Right to Restriction of Processing

You have the right to request restriction of processing your personal data in the following cases:

When you contest the accuracy of personal data
When processing is unlawful but you oppose deletion
When we no longer need the data but you need it for legal claims
When you object to processing pending verification

14.3. Right to Rectification

You have the right to request rectification of inaccurate personal data and completion of incomplete data.

14.4. Exercising Your Rights

To exercise any of these rights, please contact us at [email protected]. We will respond to your request within 30 days.

15. Control and Responsibility

Compliance with this Policy is supervised by the person responsible for organizing personal data processing.
Liability for violation of Russian Federation legislation in the field of personal data processing and protection is determined in accordance with Russian Federation legislation.
Notification to Roskomnadzor about the commencement of personal data processing is submitted in accordance with the procedure established by law.

16. Legal Basis for Personal Data Processing

The legal basis for personal data processing is a set of regulatory legal acts in pursuance and in accordance with which the Operator processes personal data:

Constitution of the Russian Federation
Civil Code of the Russian Federation
Tax Code of the Russian Federation
Federal Law No. 152-FZ of July 27, 2006 'On Personal Data'
Federal Law No. 149-FZ of July 27, 2006 'On Information, Information Technologies and Protection of Information'
Government Decree No. 1119 of November 1, 2012 'On Approval of Requirements for Personal Data Protection During Their Processing in Personal Data Information Systems'
Government Decree No. 687 of September 15, 2008 'On Approval of the Regulation on the Specifics of Personal Data Processing Carried Out Without Automation Tools'
Other regulatory legal acts governing relations related to the Operator's activities

The legal basis for personal data processing also includes: contracts concluded with the personal data subject; consent of the personal data subject to the processing of personal data.

17. Data Not Processed

The Operator does not process biometric personal data (information characterizing the physiological and biological characteristics of a person that can be used to establish their identity).
The Operator does not process special categories of personal data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, health status, or intimate life.

18. Requirements for Personal Data Subject Requests

A personal data subject's request must contain:

Number of the main identity document of the personal data subject or their representative, information about the date of issue of said document and the issuing authority
Information confirming the personal data subject's participation in relations with the Operator (contract number, date of contract conclusion, conditional verbal designation and/or other information), or information otherwise confirming the fact of personal data processing by the Operator
Signature of the personal data subject or their representative

The request may be submitted in electronic form and signed with an electronic signature in accordance with Russian Federation legislation.

The Operator is obliged to inform the personal data subject about the availability of personal data, as well as provide an opportunity to review these data within 10 business days from the receipt of the request.

19. Advertising and Informational Messages

The Operator has the right to send advertising and informational messages to the personal data subject via email, SMS and push notifications only with prior consent to receive advertising in accordance with Part 1 of Article 18 of Federal Law No. 38-FZ of March 13, 2006 'On Advertising'.

Consent to receive advertising messages is provided in written form or in electronic form by checking the corresponding box on the website.

The personal data subject has the right to opt out of receiving advertising messages by following the appropriate link in received emails or by sending a notification to: [email protected].

20. Automatic Data Collection

20.1. Automatically Collected Information

When visiting our website, we automatically collect certain information about your device and website usage, including:

IP address of your device
Browser type and version
Operating system
Pages you visit on our site
Time and date of visit
Source of referral to our site
Information about interaction with site elements

20.2. Use of Cookies

We use various types of cookies to improve site performance and user experience. Detailed information about how we use cookies, their types and management methods is available in our separate Cookie Policy.

21. Security Measures

21.1. Technical Protection Measures

We apply the following technical measures to protect your personal data:

Data encryption during transmission (SSL/TLS)
Data encryption during storage
Regular security system updates
Use of firewalls and intrusion detection systems
Regular data backup
Access monitoring to data

21.2. Organizational Measures

We also apply organizational security measures:

Restricting access to personal data only to authorized employees
Training employees on personal data processing rules
Signing confidentiality agreements
Regular security system audits
Access and password management policies

21.3. Employee Access to Data

Access to personal data is granted only to employees who need it to perform their job duties. All employees sign confidentiality agreements and undergo training on personal data protection.

21.4. Breach Notification

In case of personal data security breach, we undertake to notify the relevant authorities and affected data subjects in accordance with legal requirements.

22. Privacy Policy Updates

22.1. Making Changes

We may periodically update this privacy policy to reflect changes in our practices, legislation, or for other operational, legal, or regulatory reasons.

22.2. Change Notification

When making significant changes to the policy, we will notify you in the following ways:

Posting a notice on the main page of the site
Sending a notification by email (if we have your email)
Posting information in the user's personal account

22.3. Publication of Updates

All policy updates are published on this page with the date of the last change indicated. We recommend periodically reviewing this policy to stay informed about how we protect your data.

22.4. Entry into Force of Changes

Changes take effect 30 days after their publication on the site, unless otherwise specified. Continued use of the site after the changes take effect means your agreement with the updated policy.

23. Final Provisions

The User can receive any clarifications on questions of interest regarding the processing of their personal data by contacting the Operator using email [email protected].

This document will reflect any changes in the Operator's personal data processing policy. The Policy is valid indefinitely until replaced by a new version.

The current version of the Policy is freely available on the Internet at https://neuroplume.com/privacy.