Legal documents are available in English only.

Privacy Policy

Last updated: April 21, 2026

1. Introduction

Vionter ("we", "our", or "us") provides an AI-assisted interview practice platform. This Privacy Policy explains what information we collect, how we use it, who we share it with, and the rights you have over your data. It applies to the landing site at vionter.ai and the application at app.vionter.ai.

2. Information We Collect

2.1 Information you provide

  • Account information: email address, display name, authentication credentials managed by Firebase Authentication.
  • Resume and profile content: work history, education, skills, and any text you paste or upload when building your profile.
  • Job descriptions and practice inputs: the job descriptions, prompts, and answers you submit during practice sessions.
  • Payment information: billing details are collected and stored by Stripe. We receive a customer identifier, subscription status, and last-four card digits; we do not store full payment card numbers.
  • Support correspondence: anything you send to [email protected] or other support channels.

By submitting information to us, you represent that you have the right to do so and that the information does not infringe the rights of any third party. Please do not submit another person's resume, contact details, or personal information without their authorization.

2.2 Voice and multimodal content

Practice sessions are multimodal — you may interact with the platform through text, voice, and images, and may in the future interact through video. Voice recordings are processed by Google Cloud for transcription and stored together with the generated transcript. Images you submit are stored in Google Cloud. Voice and any video content are treated as sensitive personal-data categories. You can request deletion of stored recordings and uploaded content at any time (see Section 8 and Section 10).

2.3 Automatically collected information

  • Device and browser information (user agent, operating system, language).
  • Usage data (pages visited, features used, session timestamps, error events).
  • IP address and approximate city-level location derived from it.
  • Cookies and similar technologies (see Section 11).

3. How We Use Your Information

  • Operate and improve the platform, including generating feedback on your answers and personalizing your skill graph.
  • Run practice sessions, including transcribing audio, generating spoken interview questions, and streaming real-time coach responses.
  • Authenticate you and keep your account secure.
  • Process payments and manage subscriptions.
  • Send transactional email (account verification, billing receipts, password resets).
  • Communicate with you about product updates, new features, and promotional content, where permitted by law and subject to your marketing preferences.
  • Research, develop, and evaluate new features and services, including through the use of aggregated and de-identified data.
  • Detect and prevent abuse, fraud, and security incidents.
  • Comply with legal obligations, including tax recordkeeping.

4. Sub-processors

We use the following sub-processors to deliver the service. Each is bound by a Data Processing Agreement or equivalent terms.

  • Google Cloud — hosting, authentication, database, backend runtime, file and audio storage, and audio transcription and voice synthesis.
  • Google's Gemini family of AI models (via Google Cloud) — AI analysis of resumes, job descriptions, and practice-session answers.
  • Stripe — payment processing, billing, and subscription management.
  • Resend — transactional email delivery.

We may update this list from time to time. Material changes will be notified as described in Section 14.

5. Data Residency and International Transfers

Customer data is currently stored and processed primarily in Google Cloud's us-central1 region (United States). We may use other Google Cloud regions for operational purposes such as redundancy, disaster recovery, regional latency, or global availability. If you use the service from outside the current processing region, your data is transferred to and processed in that region.

For users in the European Economic Area, United Kingdom, and Switzerland, cross-border transfers are made under Google Cloud's Standard Contractual Clauses (SCCs) and any supplementary safeguards required by applicable law. For users in Singapore, transfers are made in reliance on Section 26 of the PDPA and the Personal Data Protection Regulations, which require the recipient to be bound by legally enforceable obligations providing a comparable standard of protection. For users in Canada, Australia, New Zealand, Mexico, Brazil, India, and the ASEAN region, transfers are carried out under the contractual safeguards in our agreements with Google Cloud, Stripe, and Resend.

6. AI Processing

We use Google's Gemini family of AI models (accessed through Google Cloud's enterprise offering) to process your content. Under Google's service terms, customer data is not used to train Google's foundation models. We do not sell or license your content to third-party model providers. We may use aggregated and de-identified data (data that cannot reasonably identify you) to evaluate, improve, and develop our service.

AI-generated outputs (feedback, coaching responses, suggested improvements, skill assessments, and similar content) are provided to help you practice and may contain inaccuracies or errors. They are not a substitute for, and should not be relied upon as, authoritative career, employment, legal, financial, or professional advice.

7. Data Sharing

We do not sell your personal information, and we do not share it for cross-context behavioral advertising in the sense defined by the California Consumer Privacy Act. We share data only with:

  • The sub-processors listed in Section 4, solely to provide the service.
  • Advertising and analytics partners via pixel/tag technologies on our marketing site, where you have given consent (see Section 11).
  • Government, regulatory, or law-enforcement bodies when required by law, court order, or to protect our rights, users, or the public.
  • An acquirer or successor entity in the event of a merger, acquisition, or sale of assets; you will be notified before your data becomes subject to a different privacy policy.

Our service may contain links to or integrations with third-party websites and services (for example, payment providers, authentication providers, and advertising platforms). This Privacy Policy does not cover those third parties. Their collection and use of your information is governed by their own privacy policies, and we are not responsible for their practices.

8. Data Retention

To delete your account, use Profile > Privacy > Delete My Account or email [email protected]. After a 30-day grace period (during which you can cancel by signing in from the app), we erase your content data (resumes, transcripts, knowledge items, audio recordings). Financial records and point-ledger entries are retained under legal obligation as described below; they are not accessible through the product after your account is deleted.

  • Content data (resumes, interview transcripts and answers, knowledge cards, stored audio) — erased within 30 days of a confirmed deletion request. No legal basis to retain beyond.
  • Financial records (transaction amounts and dates, plan IDs, subscription history, references to your Stripe customer record) — retained up to 7 years after account deletion for Singapore IRAS tax compliance, Stripe chargeback defence (up to 540 days), AML/KYC obligations, and legal-claims defence. We do not hold a local copy of your name, email, or billing address; those fields live on your Stripe customer record under Stripe's retention policy. Legal basis: GDPR Art 17(3)(b) (compliance with legal obligation) and 17(3)(e) (establishment/defence of legal claims).
  • Point-ledger records (balance, purchases, grants, consumption, expiries — including which feature each consumption was charged to, e.g. a practice session) — retained up to 7 years for refund-dispute defence on unused balances. Legal basis: GDPR Art 17(3)(e).
  • Account deletion tombstone (UID, deletion timestamps, HMAC of email for re-registration fraud detection — no plaintext PII) — retained indefinitely as proof a deletion occurred.
  • Dormant accounts — not automatically purged in the current version.
  • Activity log (action type and timestamp for account lifecycle events such as sign-in, deletion request) — retained for the lifetime of your account; deleted on account deletion.
  • Stripe customer records — retained per Stripe's retention policy; we do not delete records held by Stripe.
  • Email logs (sent, bounced, unsubscribed) — retained for up to 12 months.
  • Backups — operational backups are retained for a limited period. Deletion requests are honored in backups via a documented restore-then-re-purge procedure.

What survives account deletion

After your content data is erased, three categories remain in our records: financial records (transaction amounts, dates, plan IDs, references to your Stripe customer ID — no name, email, or billing address held locally), point-ledger entries (your balance, purchases, grants, consumption, and which feature each consumption was charged to), and a minimal account-deletion tombstone (UID and deletion timestamps, plus a one-way HMAC of your email for re-registration fraud detection). These are kept up to 7 years (or indefinitely for the tombstone) under GDPR Art 17(3)(b) (legal-obligation compliance — Singapore IRAS tax retention, AML/KYC) and Art 17(3)(e) (defence of legal claims — chargebacks, refund disputes). They are not accessible through the product and are not used for marketing.

We may retain data beyond these periods where necessary to comply with legal obligations, enforce our terms, detect or prevent fraud or abuse, defend legal claims, or resolve disputes. Retained data is protected by the same security measures described in Section 9.

9. Security

We implement reasonable security measures appropriate to the sensitivity of the data, including encryption in transit (HTTPS/TLS), access controls, and the security provided by our underlying cloud infrastructure. No method of transmission or storage is 100% secure, and we cannot guarantee absolute security.

You are responsible for maintaining the confidentiality of your account credentials and for all activity that occurs under your account. Please notify us at [email protected] promptly if you believe your account has been accessed without authorization.

In the event of a data breach that is likely to result in a risk to your rights, we will notify affected users and relevant regulators as and to the extent required by applicable law.

10. Your Rights

Depending on where you live, you have specific rights over your personal data. You can exercise any of the rights below by emailing [email protected]. We will respond within the timeframe required by the applicable law (typically 30 days). We will not discriminate against you for exercising these rights.

To protect your data and prevent unauthorized access, we may require reasonable verification of your identity before responding to a rights request. We may also decline to act on, or charge a reasonable fee for, requests that are manifestly unfounded, excessive, or repetitive, to the extent permitted by applicable law.

10.1 European Economic Area, United Kingdom, and Switzerland (GDPR / UK GDPR)

You have the rights of access, rectification, erasure, restriction, objection, data portability, and withdrawal of consent. You also have the right to lodge a complaint with your local supervisory authority.

10.2 California (CCPA / CPRA)

California residents have the right to know, delete, correct, opt out of sale or sharing, limit the use of sensitive personal information, and not be discriminated against for exercising these rights. We do not sell or share your personal information.

10.3 Canada (PIPEDA and Quebec Law 25)

You have the right to access and correct your data and to withdraw consent. Quebec residents additionally have the right to data portability and information about automated decision-making. You may lodge a complaint with your local privacy commissioner.

10.4 Australia (Privacy Act 1988 / APPs)

You have the right to access and correct the personal information we hold about you, and to lodge a complaint with Australia's data protection authority.

10.5 New Zealand (Privacy Act 2020)

You have the right to access and correct your personal information, and to lodge a complaint with New Zealand's data protection authority.

10.6 Mexico (LFPDPPP)

You have the ARCO rights (Access, Rectification, Cancellation, Opposition), the right to revoke consent, and the right to lodge a complaint with Mexico's data protection authority.

10.7 Brazil (LGPD)

You have the rights of confirmation, access, correction, anonymization or deletion of unnecessary data, portability, information about data sharing, and withdrawal of consent. Our Data Protection Officer (Encarregado) can be reached at [email protected]. You may also lodge a complaint with Brazil's data protection authority.

10.8 Singapore (PDPA)

You have the right to access and correct your personal data and to withdraw consent. Our Data Protection Officer can be reached at [email protected]. You may lodge a complaint with Singapore's data protection authority.

10.9 Malaysia (PDPA 2010)

You have the right to access and correct your data, withdraw consent, and limit direct-marketing processing. You may lodge a complaint with Malaysia's data protection authority.

10.10 Indonesia (UU PDP 2022)

You have the rights of access, correction, erasure, portability, and withdrawal of consent, and to object to automated decision-making. You may lodge a complaint with Indonesia's data protection authority.

10.11 Thailand (PDPA 2019)

You have the rights of access, rectification, erasure, restriction, portability, objection, and withdrawal of consent. You may lodge a complaint with Thailand's data protection authority.

10.12 Philippines (Data Privacy Act 2012)

You have the rights to be informed, access, object, rectify, erase or block, and data portability. You may lodge a complaint with the Philippines' data protection authority.

10.13 India (DPDPA 2023)

You have the rights to access, correct, and erase your personal data, to nominate another individual to exercise these rights, and to grievance redressal. Our Grievance Officer can be reached at [email protected]. You may also lodge a complaint with India's data protection authority. Note: under the DPDPA, the platform is not intended for users under 18 years of age; processing of a child's data requires verifiable parental consent, which we do not currently support.

11. Cookies

We use a small number of essential cookies required for the service to function: vionter_auth (a presence signal that keeps you signed in between the landing site and the application — it stores no tracking data, no session token, and no user ID), vionter_consent (stores your cookie preferences for 12 months so we don't ask again), and a short-lived locale preference cookie. Essential cookies do not track you across sites.

With your consent, we also use analytics and marketing cookies — including tag pixels from Meta, Google, LinkedIn, and X — to measure the effectiveness of our marketing and to show relevant ads on those platforms. A consent banner is presented on your first visit so you can accept, reject, or customize these categories. You can change your choice at any time via the Cookie Preferences link in the footer.

12. Children's Privacy

Our platform is not intended for users under 16 years of age. We do not knowingly collect personal information from children under 16. If you believe a child has provided us with personal data, please contact [email protected] and we will delete it.

13. Data Protection Officer

We have designated a Data Protection Officer to oversee our privacy practices and act as the contact point for data subject requests, regulators, and breach notifications. You can reach the DPO at:

Data Protection Officer
Email: [email protected]

14. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or through the platform, and we will update the "Last updated" date at the top of this page. Your continued use of the service after the effective date constitutes acceptance of the updated policy.

This Privacy Policy is provided for informational purposes and does not create contractual obligations beyond those required by applicable law. Where this policy and the Terms of Service differ, the Terms of Service govern the commercial relationship.

15. Contact

If you have questions about this Privacy Policy, want to exercise any of your rights, or believe we have mishandled your data, please contact us:

Controller: Vionter
Email: [email protected]