Gumzo AI – Speech‑to‑Text & Translation in Kenya

1. Definitions

“Personal Data”: Any information relating to an identified or identifiable natural person (Data Subject), as defined by Article 4(1) GDPR, including but not limited to names, email addresses, IP addresses, unique identifiers, and any other data that can directly or indirectly identify you.
“Processing”: Any operation performed upon Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, alignment, combination, restriction, erasure, or destruction (Article 4(2) GDPR).
“Controller”: The entity which, alone or jointly with others, determines the purposes and means of Processing Personal Data (Article 4(7) GDPR). For the purposes of this Policy, Gumzo AI is the Controller.
“Processor”: A natural or legal person which processes Personal Data on behalf of the Controller (Article 4(8) GDPR).
“PII”: Personally Identifiable Information, including but not limited to name, postal address, email address, telephone number, login credentials, location data, and online identifiers.
“EEA”: European Economic Area, comprising the European Union member states plus Iceland, Liechtenstein, and Norway.
“Sensitive Personal Data”: Special categories of data as defined under Article 9 GDPR, including racial or ethnic origin, political opinions, religious beliefs, trade-union membership, genetic data, biometric data, health data, sex life or sexual orientation.

2. Scope & Global Compliance

This Privacy Policy applies to all users of the Gumzo AI platform—web, mobile, and on‑premise—worldwide. It governs the collection, use, disclosure, and protection of your Personal Data whenever you interact with our services.

2.1 Jurisdictional Commitments

We comply with data protection laws applicable to you, including:

EU General Data Protection Regulation (GDPR)
California Consumer Privacy Act (CCPA) & CPRA
UK Data Protection Act 2018
Kenya Data Protection Act, 2019
Brazil’s Lei Geral de Proteção de Dados (LGPD)
Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA)
Australia’s Privacy Act 1988
Other local privacy laws where we operate

Where local law imposes additional or more stringent requirements, those will prevail over this Policy to the extent of the conflict.

3. Information We Collect

3.1 Personal Data You Provide

Account registration details: name, email address, username, password
Billing information: payment card number, billing address, tax identifiers
Profile information: job title, organization, preferences
Communications: records of your communications with our support or sales teams

3.2 Audio, Text, & Media Content

Audio recordings you upload or record
Transcripts generated by our speech‑to‑text engine
Text you submit for translation or analysis
Uploaded media (images, attachments) related to your content
Metadata: file type, size, duration, language, timestamps

3.3 Usage & Technical Data

Device identifiers (UUIDs, device fingerprinting)
IP addresses, browser type/version, operating system
Analytics: feature usage, time spent, session duration, error rates
Performance logs, crash reports, telemetry

3.4 Cookies & Similar Technologies

We and our third‑party partners use cookies, web beacons, local storage, and similar technologies to collect information about your interaction with our services. See Section 9 for details.

4. How We Use Information

We Process Personal Data for one or more of the following purposes:

Provision of Services: to provide, maintain, update, and improve our speech‑to‑text, translation, and analysis features.
Account & Payment Management: to authenticate users, manage subscriptions, and process payments securely.
Legal Compliance & Enforcement: to comply with applicable laws, respond to lawful requests by public authorities, and enforce our Terms of Service.
Personalization: to tailor content, recommendations, and user interface preferences.
Security & Fraud Prevention: to detect, prevent, and mitigate fraud, abuse, security incidents, and unauthorized access.
Research & Development: to analyze aggregated or anonymized usage data for product development and innovation.
Marketing & Communications: to send you updates, newsletters, promotional offers (subject to your consent where required).

We will not engage in profiling or automated decision‑making (beyond essential AI inference to serve you) without your explicit consent. See Section 6 for details on automated decisions.

5. Legal Basis & Consent

For EEA, UK, and other similar regimes, we rely on the following under GDPR Articles 6–9:

Article 6(1)(b): Processing necessary for performance of a contract to which you are a party.
Article 6(1)(c): Processing to comply with a legal obligation (e.g., financial recordkeeping).
Article 6(1)(f): Legitimate interests in platform security, fraud prevention, and service improvement, provided your rights do not override.
Article 6(1)(a): Your consent for optional processing such as marketing or AI model training beyond core service delivery.

You may withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal. To withdraw, update your preferences in Account Settings or contact our DPO.

6. Automated Decision‑Making & Profiling

We do not use fully automated decision‑making that produces legal or similarly significant effects concerning you, except as necessary to fulfill our services (e.g., live transcription). You have the right to request human review of any automated process that adversely affects you.

Any profiling we conduct is limited to internal analytics on anonymized data to improve feature usage and product design.

7. AI Data Processing

We process audio and text data in-memory for real-time service delivery. Persistent storage occurs only to complete your requests or as required by law.

7.1 Anonymized AI Training

PII Removal: All names, emails, phone numbers, and direct identifiers are stripped through tokenization, masking, pseudonymization, and suppression.
Differential Privacy: Controlled noise may be injected to prevent re‑identification attacks.
Aggregation: Data is aggregated at scale to derive insights without tracing back to individuals.
No Mapping Retained: We never store the link between original and anonymized records.
Opt-In Mechanism: Model training on your anonymized data occurs only if you explicitly consent via Account Settings or DPO request.

These steps ensure compliance with GDPR, CCPA, and international privacy standards while enabling continuous improvement of our AI capabilities.

8. Data Security

We employ comprehensive security measures, including but not limited to:

Encryption in transit using TLS 1.2+ and at rest using AES‑256.
Role-based access control (RBAC) and principle of least privilege.
Multi-factor authentication (MFA) for administrative access.
Regular vulnerability assessments, penetration testing, and third‑party audits.
Secure coding practices, code reviews, and dependency scanning.
Incident response plan with containment, investigation, and remediation.

9. Cookies & Tracking Technologies

We use cookies, web beacons, local storage, and similar technologies for:

Essential site functionality (session cookies)
Performance & analytics (Google Analytics, Mixpanel)
Marketing & advertising (Facebook Pixel, Google Ads)
Preference storage (language, theme)

You can manage or disable non-essential cookies via your browser settings or our cookie consent banner. Disabling may affect certain features of our services.

10. Data Retention

We retain Personal Data only as long as necessary to fulfill the purposes outlined or as required by law:

Account Data: until account deletion plus 90 days for backup and recovery.
Audio & Transcripts: default 30 days, extendable upon request.
Usage Logs & Analytics: 180 days, then aggregated and anonymized indefinitely.
Billing & Tax Records: 7 years to satisfy statutory obligations.

Upon expiry of each retention period, we securely delete or anonymize data as appropriate.

11. Third‑Party Services & Transfers

We engage third‑party Processors under GDPR‑compliant Data Processing Agreements (DPAs). Key partners include:

AWS (infrastructure)
Azure Cognitive Services (AI inference)
Stripe (payments)
SendGrid (email delivery)
Google Analytics & Mixpanel (analytics)

International transfers of Personal Data are safeguarded by Standard Contractual Clauses, adequacy decisions, or Binding Corporate Rules where applicable.

12. Your Rights

Subject to local law, you have the right to:

Access and receive a copy of your Personal Data.
Correct or update inaccurate or incomplete data.
Erase (“right to be forgotten”) where permissible.
Restrict or object to Processing.
Request data portability in a machine-readable format.
Withdraw consent for any consent‑based processing.
Lodge a complaint with your local supervisory authority.

To exercise these rights, contact our DPO at dpo@gumzoai.com.

13. Breach Notification

In the event of a Personal Data breach, we will:

Contain and mitigate the breach;
Notify relevant supervisory authorities within 72 hours, per GDPR Art. 33;
Inform affected individuals without undue delay if there is a high risk to their rights and freedoms;
Provide a post‑incident report outlining root cause and remediation measures.

We maintain an incident response plan and regularly conduct drills to ensure preparedness.

14. Data Protection & Accountability

We uphold accountability through:

Maintaining Records of Processing Activities (RoPA) as per GDPR Art. 30;
Conducting Data Protection Impact Assessments (DPIAs) for high‑risk Processing;
Implementing Privacy by Design and Default;
Undergoing regular external audits and certification;
Providing ongoing staff training on data protection.

15. Governing Law & Jurisdiction

Primary Choice of Law: Governed by the laws of the Republic of Kenya. You may bring claims in Kenyan courts or, at your election, in the courts of your place of residence.

For EEA, UK, Californian, Brazilian, Canadian, Australian, and other local regimes, we will interpret and enforce your rights under this Policy in accordance with those jurisdictions’ data protection laws.

16. Amendments

We may update this Privacy Policy at any time. Material changes will be communicated via email, or by posting a notice on our website at least 30 days before they take effect. Continued use after the effective date constitutes acceptance.

17. Limitation of Liability

To the fullest extent permitted by law, Gumzo AI’s liability for any damages arising out of or related to this Privacy Policy or the Processing of your Personal Data is limited to the amount you paid us in the six months preceding the claim. We disclaim all other liability, whether in contract, tort, or otherwise.

18. Severability

If any provision of this Privacy Policy is held invalid or unenforceable by a court of competent jurisdiction, the remaining provisions will remain in full force and effect.

19. Contact & Complaints

Data Protection Officer:dpo@gumzoai.com

If you have questions or wish to lodge a complaint, you may also contact your local supervisory authority, including but not limited to:

Kenya Data Protection Commissioner
UK Information Commissioner’s Office
Irish Data Protection Commission
California Attorney General
France CNIL
German BfDI
Australia OAIC

20. Children’s Privacy

Our services are not intended for children under the age of 16. We do not knowingly collect Personal Data from minors. If you become aware that your child has provided us with Personal Data, please contact our DPO and we will take steps to delete such information.

Gumzo AI Privacy Policy