Privacy Policy
Last updated: 31 May 2026 (consent version 2026-05-31)
This service is operated by Aleksei Krasnoperov, a sole trader (empresario autónomo) established in Spain. Full registration details (NIF and registered address) are being finalised and will be published here before public launch; in the meantime, direct any identity, billing, or data-protection request to support@usertold.ai. UserTold.ai is an information-society service within the meaning of Ley 34/2002 (LSSI-CE). For data-protection matters the data controller is the same person; no Data Protection Officer is appointed, as none is mandatory under GDPR Art. 37. We have not appointed an Art. 27 representative because the controller is established in the EU.
This policy explains how we collect, use, and protect personal data on the UserTold.ai platform at app.usertold.ai.
At a Glance
- You own your interview and project data
- We act as your processor for interview content, and as a controller for your account, billing, and security data — and for improving our own processing on de-identified data (see "Our two roles")
- We do not currently use your data to train general-purpose AI models; if that changes we will notify you and seek consent where required
- We do not sell or share your data with third parties for advertising or profiling
- You can delete interviews or entire projects at any time
- BYOK keys are encrypted and deletable from Project Settings
Our Two Roles
- For your account data, billing, security logs, and product communications, we are the data controller and decide why and how that data is processed.
- For the interview content your participants provide (audio, screen, transcripts, evidence), we act as a processor on your behalf under our Data Processing Agreement (incorporated into the Terms of Service). You, the customer, are the controller of that data.
- Exception: where we use interview-derived data for our own purposes — improving our processing algorithms, scoring, and prompts on a de-identified basis — we act as an independent controller for that processing and rely on the legal basis set out below (legitimate interest). This is required by GDPR Art. 28(10).
What the Widget Captures From Visitors
When a visitor on a customer's website opens the UserTold widget and clicks Allow access, the disclosure shown above the microphone prompt tells them the session is recorded, and the widget captures three streams from that interview:
- Voice — every word spoken during the interview, captured verbatim.
- Screen — the tab the visitor is interviewed on, if the study has screen capture enabled.
- Interactions — clicks, focus changes, and navigation events on the page during the interview.
Our AI turns those streams into a report the customer's team uses to investigate and fix the issues a visitor surfaced. The customer running the study is the controller of this data; UserTold processes it on their behalf. Our pipeline is not designed to extract voiceprints, perform speaker identification, or biometrically identify visitors, and we do not do so today.
Visitors can stop the recording at any time by closing the widget. To request deletion of a recording, contact the study owner (the customer running the project), who controls the workspace and can delete interviews from the dashboard. If the study owner is unreachable, email support@usertold.ai and we will route the request. The disclosure copy is versioned (WIDGET_CONSENT_COPY_VERSION) so we can prove what each visitor saw.
What We Collect
Account Data
When you sign in with Google, we receive your name, email address, and profile picture. We use this to create and manage your account.
Interview Data
When participants complete interviews through the UserTold.ai widget, we collect:
- Audio recordings — voice conversations with the AI interviewer
- Screen recordings — if enabled by the study configuration
- Transcripts — generated from audio recordings
- Chat messages — text-based interview responses
- User interactions — clicks, navigation events during observation
- Intake responses — qualification answers
Billing Data
We process payments through Polar.sh, which acts as our merchant of record. We do not store credit card numbers. We retain billing event records (amounts, dates, status) for accounting purposes.
Usage Data
We collect standard server logs (IP addresses, request paths, timestamps) for security and debugging.
How We Use Your Data, and the Legal Basis
| Purpose | Our role | Legal basis (GDPR) |
|---|---|---|
| Create and manage your account | Controller | Contract — Art. 6(1)(b) |
| Process payments; keep billing records | Controller | Contract + legal obligation — Art. 6(1)(b),(c) |
| Run interviews, extract evidence, generate work | Processor (for you) | Your basis, under the DPA |
| Improve our processing/algorithms/prompts on de-identified data | Independent controller | Legitimate interest — Art. 6(1)(f) (assessment available on request) |
| Security, abuse detection, fraud prevention | Controller | Legitimate interest — Art. 6(1)(f) |
| Product communications to account holders | Controller | Legitimate interest / existing relationship (see below) |
We do not currently use your data to train internal or third-party AI models for other customers or for general-purpose use. We may use aggregated, de-identified service telemetry to refine our interview processing logic, scoring systems, and prompts.
Data Use and AI Model Terms
- Interview and evidence data is used for product operations — running interviews, generating transcripts and pain-point evidence, creating work and integrations, and syncing delivery completion within your workspace.
- We do not currently use Customer Data to train internal or third-party models.
- We do use aggregated, de-identified data to improve proprietary processing algorithms, ranking, and prompts used by the Service.
- If we ever introduce training on Customer Data, we will (a) update this policy, (b) give at least 30 days' advance notice, and (c) obtain opt-in consent before any such training, or offer an opt-out where a recognised legal basis other than consent applies. We will not retroactively train on data collected before that change without consent.
- For enterprise model-training terms or custom data-retention terms, contact support@usertold.ai.
Special-Category Data
Free-form interviews may incidentally surface special-category data under GDPR Art. 9 (for example health, beliefs, or political opinions volunteered by a participant). We do not solicit it and do not use it to infer protected characteristics. Customers who design interviews that predictably elicit such data are responsible for obtaining explicit consent under Art. 9(2)(a) through the intake consent mechanism.
International Transfers
Some sub-processors (for example Cloudflare and OpenAI) may process data outside the EEA, including in the United States. Where they do, transfers are governed by the EU Standard Contractual Clauses and/or the EU–US Data Privacy Framework, with a transfer-impact assessment where required by Schrems II. You may request a copy of the relevant transfer mechanism and our assessment at support@usertold.ai.
BYOK (Bring Your Own Key)
UserTold.ai uses a Bring Your Own Key model for AI inference. Your API keys (OpenAI) are:
- Encrypted at rest
- Used only to make API calls on your behalf
- Never shared with third parties
- Deletable at any time from Project Settings
Inference calls are made directly to OpenAI using your key. We do not retain a separate copy of the raw request/response stream for our own purposes. We do store the outputs you rely on — transcripts, recordings, and extracted evidence — as described in "What We Collect" and "Data Retention."
Sub-Processors and Third-Party Services
We engage the sub-processors below to deliver the Service. By using the Service you provide general authorisation for these sub-processors; we will give notice of any intended addition or replacement so you can object.
| Service | Purpose | Data shared | Location |
|---|---|---|---|
| Google OAuth | Authentication | Email, name, profile picture | Global incl. US |
| OpenAI | Interview AI, evidence extraction, transcription, realtime conversation | Interview transcripts and audio (via your API key) | US |
| Polar.sh | Payment processing (merchant of record) | Email, billing amounts | EU/US |
| Cloudflare | Infrastructure, CDN, storage | Request metadata, stored data | Global incl. US |
| GitHub | Evidence export to issues (only if you enable the integration) | Evidence derived from interviews | US |
Data Ownership
You own your data — all interviews, evidence, work, recordings, and transcripts. For the interview data your participants provide, we act as your processor and handle it on your behalf (subject to the de-identified improvement use described in "Our two roles").
Data Retention
- Account data — retained while your account is active
- Interview data — retained until you delete it. You can delete individual interviews or entire projects.
- Billing records — retained for 7 years for accounting compliance
- Server logs — retained for 30 days
Data Deletion
You can delete your data at any time:
- Interviews — delete from the Interviews page or via API
- Projects — delete from Project Settings (removes associated data from active systems)
- Account — contact support@usertold.ai to request full account deletion
When you delete data, we remove it from active systems promptly. Residual copies may persist in encrypted backups until rotation, and we may retain limited records where required by law (for example billing records for 7 years) or to resolve disputes. We instruct sub-processors to delete corresponding data; propagation may take up to 30 days.
California Privacy (CCPA/CPRA)
For consumers in California:
- Categories collected — identifiers (name, email), audio/voice recordings (treated as sensitive personal information), commercial/usage data, and internet activity. Sources: you and your participants. Purposes: to provide and secure the Service.
- We do not sell or share personal information for cross-context behavioural advertising, and we do not use sensitive personal information to infer characteristics. We honour Global Privacy Control (GPC) opt-out signals where applicable.
- Your rights — to know, delete, and correct personal information, and to limit use of sensitive personal information. We do not discriminate against you for exercising these rights. To exercise them, email support@usertold.ai.
Product Communications
We rely on our existing business relationship to send service-related and product messages to account holders. Invitations to research calls are sent only to account holders, and you can opt out at any time; we do not cold-email. The legal basis is legitimate interest (EU/UK) and the existing business relationship exemption (US CAN-SPAM).
You can opt out of product communications at any time using the unsubscribe link in any email we send. Opting out does not affect transactional messages (billing receipts, security alerts, material changes to these policies).
Your GDPR Rights
For users in the European Economic Area, you have the right to:
- Access your personal data and obtain a copy
- Rectify inaccurate data
- Erase your data ("right to be forgotten"), subject to legal-retention exceptions
- Restrict or object to processing, including processing based on legitimate interest
- Data portability — request an export of your data
- Withdraw consent at any time, without affecting the lawfulness of processing before withdrawal
- Lodge a complaint with your supervisory authority — in Spain, the Agencia Española de Protección de Datos (AEPD), www.aepd.es
We do not make decisions producing legal or similarly significant effects about you solely by automated means. To exercise any right, contact support@usertold.ai; we respond within one month.
Cookies
We use strictly-necessary cookies to operate the Service (for example to keep you signed in) and standard server logs for security. These do not require consent under ePrivacy/Art. 22 LSSI-CE. If we introduce non-essential cookies or analytics, we will publish a cookie policy and request consent first.
Security
See our Security page for details on how we protect your data.
Changes
We may update this policy. Material changes will be communicated via email to account holders, and where a change requires your consent we will ask you to re-accept before it applies to you.
Contact
Questions about privacy or custom terms? Email us at support@usertold.ai.