Legal
Privacy Policy
Last updated: October 2025
Serge (“we,” “our,” “us”) is committed to protecting your privacy. This policy describes how we collect, use, and safeguard information when you use our voice-based coaching software and related services (the “Service”).
0. Definitions
- Personal Information – information that identifies or can reasonably be linked to an individual.
- Sensitive Personal Information – includes health-related data, voice data, biometric identifiers, and emotional or behavioral indicators.
- Processing – any operation performed on Personal Information, whether automated or not.
- Consumer – a California resident as defined by the CCPA/CPRA.
1. Scope
This policy applies to all users of the Serge app, website, and APIs. We comply with the California Consumer Privacy Act (CCPA/CPRA), HIPAA technical safeguards, and other applicable U.S. privacy laws.
2. Information We Collect
We collect the minimum data required to operate the Service:
- Account Information – email and hashed password (bcrypt).
- Session Data – conversation transcripts, audio recordings, AI summaries.
- Usage Metadata – timestamps, duration, device type, feature usage.
- Optional Inputs – questionnaire or assessment responses you choose to provide.
We do not collect advertising identifiers, precise location, or unnecessary personal details.
2A. Sensitive Data
Serge processes limited sensitive personal information—specifically voice recordings and emotional analysis—solely to deliver coaching experiences. This data is not used for profiling or automated decision-making beyond generating real-time conversational responses.
3. How We Use Information
Your information is used only for:
- Delivering and improving the Service.
- Maintaining session continuity and personalization.
- Ensuring security and preventing abuse.
- Fulfilling legal or safety obligations (e.g., crisis intervention).
We never sell, rent, or trade your data.
3A. Automated Decision-Making
AI responses are generated contextually and are not used to make legally or medically binding decisions. No employment, credit, or insurance determinations are made using your data.
4. Data Protection
- In Transit: Encrypted via TLS 1.2+ / HTTPS.
- At Rest: Encrypted within Supabase PostgreSQL.
- Voice Streams: End-to-end encrypted through ElevenLabs.
- Access Controls: Row-Level Security (RLS) and role-based permissions.
- Audit Logs: Administrative actions recorded for review.
4A. Security Incidents
If unauthorized access, disclosure, or loss of data occurs, we will notify affected users and regulators consistent with California Civil Code §§ 1798.29 & 1798.82.
4B. Cookies & Local Storage
Serge uses no advertising cookies or third-party trackers. Local storage is limited to session state and preferences, and we honor Global Privacy Control (GPC) signals.
5. User Rights (California + Global)
You may:
- Access and obtain a copy of your data.
- Delete your account and related records.
- Correct inaccuracies.
- Opt out of any data sharing (none currently occurs).
- Request disclosure of categories collected in the past 12 months.
Submit requests to privacy@serge.ai. Identity verification is required.
6. Data Retention
| Data Type | Retention | Notes |
|---|---|---|
| Audio recordings | 90 days | Auto-deleted thereafter |
| Transcripts & summaries | Retained for coaching continuity | User-controlled deletion |
| Backups | Rotating, encrypted | Auto-purged |
7. Third-Party Processors / Subprocessors
| Processor | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, storage | U.S. |
| ElevenLabs | Voice synthesis & encryption | U.S./EU |
A current list is maintained at https://serge.ai/legal/subprocessors. All subprocessors are required to maintain equivalent security controls.
8. Children’s Privacy
The Service is for users 18 and older. We do not knowingly collect data from children under 13.
9. International Use
Data is stored and processed in the United States. Users outside the U.S. consent to transfer and processing under U.S. standards.
10. Legal Basis for Processing
We process data based on:
- Consent (recordings, storage, analytics).
- Contract necessity (to provide the Service).
- Legal obligation (safety or compliance).
11. HIPAA & Health Privacy
Serge is not a HIPAA “covered entity” or “business associate” unless separately contracted. All technical safeguards meet or exceed HIPAA Security Rule requirements.
12. Do Not Track
Serge does not track users across third-party sites and respects browser Do Not Track and Global Privacy Control (GPC) signals.
13. Updates
We may update this policy from time to time. Material changes will be announced in-app before taking effect.
14. Contact
Email: privacy@serge.ai
Address: Serge AI LLC, P.O. Box 000, Los Angeles, CA 90001