Our privacy commitments
VouchVid is built on a consent-first privacy model. Customer data is never exploited, never sold, and retained only as long as necessary for the stated purpose.
Personal data is never sold
VouchVid expressly prohibits the sale, transfer, or commercial exploitation of any customer data to third parties under any circumstances. This is a contractual commitment, not just a policy statement.
Maximum 24-month data retention
All personal data and media captured through the platform is retained for a period not exceeding twenty-four (24) months, after which records are permanently and irreversibly deleted.
Data used only for stated purposes
Information collected is used solely for CRM integration, service delivery, quality assurance, and approved marketing — never for unrelated advertising or profiling.
Encryption at rest and in transit
All data is encrypted using AES-256 at rest and TLS 1.2/1.3 in transit. Video assets are delivered exclusively over HTTPS-only signed URLs.
Right to erasure honoured within 30 days
Customers and dealership administrators may request deletion of specific records at any time. Verified requests are processed within 30 days with written confirmation of deletion.
How customer consent works
Every customer interaction with a VouchVid kiosk follows a structured, legally defensible consent flow before a single frame is recorded.
Infrastructure & security controls
VouchVid runs on enterprise-grade cloud infrastructure with layered security controls at every level.
Google Cloud Platform
SOC 2 Type II and ISO 27001 certified. All application infrastructure and databases run on GCP with multi-zone redundancy.
Cloudinary Video Storage
SOC 2 Type II certified. All video files stored with AES-256 encryption at rest, delivered via HTTPS-only signed URLs with expiry.
Role-Based Access Control
Admin, member, and group-owner roles with strict permission scoping. Cross-account data access is architecturally prevented.
Encryption Everywhere
TLS 1.2/1.3 in transit. AES-256 at rest on all databases and storage layers. Authentication via short-lived JWTs.
72-Hour Breach Notification
In the event of a confirmed security incident, affected dealership administrators are notified within 72 hours of discovery.
Dependency Auditing
Security-focused dependency audits are performed prior to all major releases. No third-party ad SDKs or tracking pixels in the kiosk app.
Regulatory framework
VouchVid is designed to comply with major US and international data protection frameworks. Below is a summary of our current compliance posture.
| Regulation | Scope | Status |
|---|---|---|
| CCPA / CPRA | California consumers | Compliant: No sale of personal data; consumer rights honoured on request |
| TCPA | US telephone & SMS | Compliant: Explicit opt-in required before any CRM communication |
| CAN-SPAM Act | US commercial email | Compliant: Unsubscribe mechanism in all outbound communications |
| GDPR | EU/EEA data subjects | Aligned: Consent-first design; right to erasure supported; DPA available |
| FTC Act §5 | US consumer protection | Compliant: No deceptive data practices; privacy policy publicly posted |
| BIPA & state biometric laws | Illinois & applicable states | Under review: VouchVid does not extract biometric identifiers from video |
For a Data Processing Agreement (DPA) or compliance documentation request, contact privacy@vouchvid.com.
What we keep, and for how long
VouchVid applies the principle of data minimisation. Every data category has a defined retention period, after which it is permanently and irreversibly deleted.
| Data category | Retention period | Deletion method |
|---|---|---|
| Customer video recordings | 24 months | Permanent deletion via Cloudinary API; Firestore record purged |
| Customer name & contact details | 24 months | Firestore document hard-deleted; CRM sync records removed |
| Consent acknowledgment records | 36 months | Secure archive deletion after legal audit period |
| Kiosk session logs | 90 days | Automated log rotation |
| Analytics & aggregate data | Indefinite | No personal identifiers retained in aggregate data |
| Account holder (dealership staff) data | Account + 12 months | Deleted on request or automatically after grace period post-termination |
| Privacy policy email requests | 30 days | Purged from email delivery queue after 30 days |
Backups containing personal data are rotated and overwritten within 30 days of primary record deletion. Early deletion requests are processed within 30 days with written confirmation.
Third-party services
VouchVid engages a small number of carefully vetted sub-processors. All vendors are evaluated for security posture and contractual data protection obligations prior to integration. Dealerships receive at least 14 days' notice of any changes.
| Vendor | Service | Data processed | Certifications |
|---|---|---|---|
| Google Firebase / Firestore | Auth & database | User accounts, metadata, consent records | SOC 2 Type II, ISO 27001 |
| Google Cloud Platform | Infrastructure & hosting | All application data (infrastructure layer) | SOC 2 Type II, FedRAMP |
| Cloudinary | Video storage & delivery | Customer video recordings, thumbnails | SOC 2 Type II, GDPR DPA |
| EmailJS | Transactional email | Email addresses for lead & privacy policy notifications | GDPR Compliant |
| Google Analytics | Marketing site analytics only | Anonymised page-view data — no kiosk data included | GDPR (anonymised) |
For sub-processor DPAs or security certifications, contact privacy@vouchvid.com.
Documentation library
Download formal PDF documents for legal review, procurement due diligence, or enterprise onboarding.
Security & privacy enquiries
For DPA execution, security questionnaires, compliance documentation, or data subject requests, our team responds within one business day.
Talk to our privacy team
Dealer groups, OEMs, and enterprise procurement teams are welcome to request additional documentation, a security questionnaire response, or a live compliance review call.