Privacy Policy

Last Updated: June 5, 2026

This Privacy Policy explains how Votexia (“we”, “us”, “our”) collects, uses, discloses, and protects your information when you use our compliance automation platform. We are committed to protecting your privacy and handling your data responsibly.

1. Information We Collect

Information you provide directly:

  • Account registration details (name, email address, organization name)
  • Billing and payment information (processed by Paddle, our Merchant of Record — we do not store card numbers)
  • Cloud provider credentials (read-only IAM roles for AWS, GCP)
  • Support inquiries and correspondence

Information collected automatically:

  • IP addresses and geolocation (country level)
  • Browser type, operating system, and device information
  • Pages visited, features used, and session duration
  • Compliance scan results and evidence metadata

Protected Health Information (PHI):

We do not collect, store, or process PHI unless your organization has executed a Business Associate Agreement (BAA) with us. Compliance scan data references cloud resource configurations, not patient data.

2. How We Use Your Information

  • Provide, maintain, and improve the Votexia platform
  • Process subscription payments via our Merchant of Record (Paddle)
  • Send transactional emails (alerts, reports, account notifications)
  • Generate compliance reports and evidence records
  • Respond to support requests and inquiries
  • Detect and prevent fraud, abuse, or security incidents
  • Comply with legal obligations

3. Data Sharing and Disclosure

We do not sell your personal data. We may share information with:

  • Paddle.com Market Ltd — Payment processing (Merchant of Record)
  • Oracle Cloud Infrastructure (OCI) — Infrastructure hosting
  • AI service providers — For AI-driven remediation features (data is scrubbed of PII/PHI before transmission)
  • Law enforcement — When required by valid legal process (subpoena, court order)

All third-party service providers are bound by confidentiality agreements and data processing addenda where applicable.

4. Data Security

We implement enterprise-grade security measures including:

  • AES-256 encryption at rest for all stored data
  • TLS 1.2+ encryption for all data in transit
  • Tamper-proof evidence ledger with cryptographic hash chains (immudb)
  • Role-based access control (RBAC) with principle of least privilege
  • Regular security assessments and penetration testing

No method of transmission or storage is 100% secure. We cannot guarantee absolute security but will promptly notify affected users in the event of a data breach.

5. Data Retention

We retain your data for the duration of your subscription plus 30 days after account closure to facilitate data export. Compliance evidence records are retained per your organization’s configured retention policy (default: 6 years, aligned with HIPAA documentation retention under 45 CFR §164.316). You may request earlier deletion by contacting us.

6. Cookies and Tracking

Votexia uses essential cookies for authentication and session management. We do not use third-party advertising cookies or trackers. Analytics, when enabled, are first-party only.

7. International Data Transfers

Your data may be processed in data centers located in the United States. If you are accessing the Service from outside the US, your data will be transferred to and processed in the US. We rely on standard contractual clauses (SCCs) and appropriate safeguards for GDPR compliance.

8. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access — Request a copy of the personal data we hold about you
  • Correction — Request correction of inaccurate or incomplete data
  • Deletion — Request deletion of your personal data (“right to be forgotten”)
  • Portability — Request your data in a structured, machine-readable format
  • Restriction — Request restricted processing of your data
  • Objection — Object to processing based on legitimate interests

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

9. Children’s Privacy

Votexia is a B2B enterprise service and is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children.

10. CCPA Disclosure (California Residents)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA). We do not sell personal information. Under CCPA, you have the right to:

  • Know what personal information is collected and how it is used
  • Delete personal information held by us (subject to certain exceptions)
  • Opt-out of the sale of personal information (we do not sell data)
  • Non-discrimination for exercising your CCPA rights

To exercise your CCPA rights, contact us at [email protected]with the subject line “CCPA Request.” We will verify your identity and respond within 45 days.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you via email and update the “Last Updated” date. Continued use of the Service after changes constitutes acceptance.

Privacy questions or data requests? Contact us at [email protected]