
Privacy Policy

Last updated: Nov 8, 2025

Introduction

Purpose of the Policy

This Privacy Policy explains how Askiva ("Askiva," "we," "us," or "our") collects, uses, discloses, and protects personal data when you use our website, web application, and related services (the "Services"). By using the Services, you agree to the practices described here. If you do not agree, please do not use the Services.

Plain‑language summary: Askiva is a subscription‑based research platform. We currently do not store raw audio or video. We generate real‑time transcripts and store those transcripts and derived summaries for your research.


Who we are and scope

Askiva operates the Services made available at askiva.io. This Policy applies to:

  • Website and account data collected from visitors and registered users (Askiva acts as Controller for this data), and

  • Research data about Participants processed on behalf of our customers (Askiva acts as Processor; your organization is the Controller). For EEA/UK processing, our DPA governs Controller–Processor roles.


Personal data we collect

We collect the following categories of data depending on your interactions with the Services.

Account & Profile Data

Name, email, password (stored as a hash), organization, role, plan, timezone, preferences.

Billing & Payments

Subscription plan, invoices, payment status, and limited payment metadata processed by our payment processor (we do not store full card numbers).

Product Usage & Logs

Feature usage, timestamps, IP address, device/browser data, app telemetry, error logs.

Scheduling & Communications

Availability, meeting metadata (time, duration, invitees), in‑app notices, and emails we send/receive.

Research Records

Participant lists you upload; interview metadata; real‑time text transcripts and derived summaries/highlights/exports. (We do not store raw audio/video—see Section 6.)

Support Content

Messages you send to support, attachments, and diagnostic data you choose to share.


How we use personal data (purposes & legal bases)

We process personal data for the following purposes and legal bases under GDPR (EEA/UK):

  • Provide and operate the Services (perform our contract with you): account creation, authentication, subscriptions, scheduling, transcript generation, exports.

  • Secure, maintain, and improve the Services (legitimate interests): monitoring, troubleshooting, preventing abuse, developing new features, quality metrics.

  • Communicate with you (contract/legitimate interests/consent): essential transactional emails and in‑app messages; optional product updates or marketing with opt‑out.

  • Billing and compliance (legal obligation/contract): invoicing, tax records, fraud prevention.

  • Analytics (legitimate interests): aggregated and anonymized usage trends to improve reliability and user experience.


We obtain consent where required by law (e.g., certain cookies or marketing in specific jurisdictions).

Customer Content, ownership, and model training

You (or your organization) retain ownership of Customer Content, including transcripts, summaries, and exports. You grant us a limited license to process Customer Content only to provide, secure, troubleshoot, and improve the Services. We do not use Customer Content to train machine‑learning models without your express opt‑in. We may use Aggregated and Anonymized information for analytics.


Participant transparency and consent

Customers are responsible for providing clear notices to Participants and obtaining all required consents (e.g., transcription consent, privacy disclosures, recording laws). We support customer compliance by offering notice templates and consent prompts, but customers control their content and Participant relationships.


Recordings and transcripts

Askiva currently does not store raw audio or video. Where technically feasible, the AI agent processes audio ephemerally to generate real‑time text transcripts. Those transcripts and derived outputs are saved as part of the research record. If audio/video capture is introduced later, we will update this Policy and obtain appropriate consents.


Cookies and similar technologies

We use cookies and similar technologies to remember preferences, secure sessions, and measure engagement. Categories include: (i) strictly necessary, (ii) functional, and (iii) analytics. Marketing cookies are minimal or not used by default. You can manage cookies through your browser settings. Where required by law, we obtain consent for non‑essential cookies and provide an in‑product settings panel.


How we share personal data

We share personal data only as described:

  • Service Providers / Subprocessors. We use reputable vendors for hosting, email, scheduling, payments, and speech‑to‑text/text‑to‑speech, among others (collectively, "Subprocessors"). We maintain a current list at askiva.io/legal/subprocessors and remain responsible for their performance.

  • Payment Processing. Subscriptions are handled by Dodo Payments. Card data is processed by the payment processor; we do not store full card numbers.

  • Scheduling. We integrate with SimplyMeet to facilitate meeting availability and bookings.

  • Legal and compliance. We may disclose data if required by law, lawful request, or to protect rights, safety, and the integrity of the Services.

We do not sell personal data and do not share it for cross‑context behavioral advertising as defined by applicable privacy laws.


International transfers and data residency

By default, Customer Content is hosted in DigitalOcean FRA1 (Frankfurt, Germany). Where cross‑border transfers occur, we use appropriate transfer tools such as the EU Standard Contractual Clauses and the UK IDTA/appendix, as applicable. We will update our DPA and this Policy if our transfer mechanisms materially change.


Data retention

  • Customer‑controlled data. When you delete a research project or specific Records, we delete the corresponding Customer Content from active systems promptly, and purge from backups within 45 days.

  • Account data. Retained for the life of the account and up to 12 months after closure (or longer if required by law) to resolve disputes, maintain security records, or comply with obligations.

  • Billing records. Retained for the period required by tax and accounting laws.

  • Logs and telemetry. Generally retained up to 12 months, unless extended for security investigations.

  • Support tickets. Retained up to 24 months to improve support quality and track recurring issues.

We honor legal holds and statutory retention duties where applicable.


Security

We implement appropriate technical and organizational measures, including: encryption in transit (TLS) and at rest, password hashing (e.g., bcrypt), environment‑based secret management, role‑based access controls, endpoint protection, audit logging, and change management. Authentication may include JWT sessions and Google OAuth2. No system can be 100% secure; we continuously improve our safeguards.


Roles under data protection law (EEA/UK)

For EEA/UK personal data:

  • Website/account data: Askiva acts as Controller.

  • Research/Participant data: Your organization acts as Controller; Askiva acts as Processor under a Data Processing Addendum (DPA) available on request. We will notify you of a personal data breach without undue delay and within 72 hours of awareness.


Your rights

Depending on where you live, you may have rights to access, rectify, erase, restrict, object, or port your personal data, and to withdraw consent where processing is based on consent.

  • EEA/UK. You can exercise GDPR rights by contacting hello@askiva.io. You also have the right to lodge a complaint with your local supervisory authority or the UK ICO.

  • US (e.g., CA/VA/CO/CT/UT). You may have rights to know/access, correct, delete, and opt‑out of sale or sharing (we do not sell or share as defined). Non‑discrimination for exercising rights.

We may ask you to verify your identity. If we process data on behalf of a customer (Processor role), we will forward your request to the relevant Controller.


Marketing communications

We may send product updates or newsletters with your consent or as permitted by law. You can opt out at any time via the email footer or in‑app settings. Transactional or service notices are not marketing and you may continue to receive them.


Children

The Services are not directed to children under 18 and we do not knowingly collect personal data from them. Do not involve minors as Participants unless we agree in writing and all legal requirements are met.


Changes to this Policy

We may update this Policy from time to time. For material changes, we will provide reasonable notice (e.g., email or in‑app). Your continued use after the effective date means you accept the updated Policy.


Contact

Questions, requests, or complaints about privacy can be sent to hello@askiva.io. We will respond within a reasonable timeframe, and where required by law, within statutory deadlines.