Privacy Policy

Effective Date: April 6, 2026 Version: 1.1.0

---

1. Data Controller Identity

HearQA is operated by HC DESENVOLVIMENTO DE SOFTWARES LTDA, a company incorporated under the laws of the Federative Republic of Brazil. We are the data controller responsible for your personal data under the EU General Data Protection Regulation (GDPR), the Brazilian General Data Protection Law (LGPD, Lei no 13.709/2018), and the California Consumer Privacy Act (CCPA).

For payment processing, we use Paddle.com as our Merchant of Record. Paddle handles all card transactions, tax collection, and refund operations, and appears as the seller on your card statement. See §6 for the third-party processor list.

• Privacy Contact: legal@hearqa.com

• Security Reports: security@hearqa.com

• Registered Address: Rua Guaicui, 715, CEP 30.380-342, Bairro Luxemburgo, Belo Horizonte, MG, Brazil

---

2. What Data We Collect

HearQA collects and processes the following categories of data:

2.1 Audio

Your device microphone captures audio through the browser Microphone API. Audio is streamed directly to the Groq Whisper API for real-time transcription. Audio is never stored, uploaded to HearQA servers, or retained. It is discarded immediately after transcription by the third-party processor.

2.2 Transcription Text

Text output produced by Groq from your audio stream. This text is sent to AI services (AWS Bedrock Claude 3.5 Haiku, or Google Vertex AI Gemini as a fallback) to generate coaching responses. Transcription text is retained only during an active session in our database. It is not permanently stored after the session ends, unless you choose to keep a session summary.

2.3 Photos and Images

Images uploaded via your device camera or file picker. These are processed for OCR (optical character recognition) text extraction. Images are stored temporarily in AWS S3 during an active session and are deleted automatically when the session ends.

2.4 Screen Captures

On desktop devices, screen content can be captured via the browser's getDisplayMedia API. Screen captures are processed in-session for OCR text extraction. Screen captures are not persisted or stored.

2.5 Video Recordings

Short video clips (up to 20 seconds) recorded via your device camera, screen recording, webcam, or uploaded from your device. Videos are uploaded to AWS S3 (us-east-1) and the video file itself is transmitted to Google Vertex AI (Gemini 2.5 Flash) for text extraction; Google processes the file in the moment and does not retain it. The extracted text is then processed by AWS Bedrock (Claude) for AI coaching responses. Video files are automatically deleted from S3 within 24 hours via bucket lifecycle policy. Only the extracted text is retained during the active session.

2.6 Account Information

Your email address and name, provided through Google Sign-In or email/password registration. This data is stored in AWS Cognito (for authentication) and AWS DynamoDB (for your user profile).

2.7 Session Metadata

Information about your sessions, including session type, template used, duration, AI response count, and timestamps. Stored in DynamoDB until you delete your account.

2.8 Session Summaries

AI-generated performance reviews created at the end of a session. Stored in DynamoDB. You can delete individual summaries at any time, or all summaries are deleted when you delete your account.

2.9 Documents

Files you upload (PDFs, text files) for use as AI context through retrieval-augmented generation (RAG). Stored in a dedicated AWS S3 bucket. You can delete any document at any time through your account settings.

2.10 Payment Information

All payment processing is handled entirely by Paddle, our Merchant of Record. HearQA never sees, stores, or processes your payment card details. We receive only your customer email and transaction confirmation from Paddle to manage your subscription.

---

2.11 No Use for AI Model Training

Your data is not used to train AI models. Your transcripts, photos, videos, documents, and session content are NOT used to train any AI model — neither HearQA's, Groq's, AWS Bedrock's (Anthropic Claude), nor Google Vertex AI's (Gemini). The Bedrock and Vertex APIs we use are configured with the providers' opt-out flags for model training (AWS Bedrock: account-level training opt-out enabled; Google Vertex AI: customer data is not used to train Google's models per the Vertex AI Data Governance terms). If a third-party provider changes its policy, we will update this Policy and notify users via email at least 30 days in advance.

---

3. Legal Basis for Processing

We process your personal data under the following legal bases, as required by the GDPR (Article 6) and the LGPD (Article 7):

| Data Type | Legal Basis | Justification | |-----------|-------------|---------------| | Account information | Contract performance | Necessary to create and maintain your account and deliver the service you subscribed to. | | Audio stream | Contract performance | Necessary to provide real-time transcription, a core feature of the service. | | Transcription text | Contract performance | Necessary to generate AI coaching responses during your session. | | Photos and images | Contract performance | Necessary to provide OCR and document-grounded AI features you initiate. | | Screen captures | Contract performance | Necessary to provide screen-based OCR features you initiate. | | Video recordings | Contract performance | Necessary to provide video-based text extraction and AI coaching you initiate. | | Session metadata | Contract performance; Legitimate interest | Necessary to enforce plan limits and improve service reliability. | | Session summaries | Contract performance | Generated at your request to provide session performance reviews. | | Documents | Contract performance | Uploaded by you for use as AI context in your sessions. | | Payment data (via Paddle) | Contract performance | Necessary to process your subscription payments. | | Transactional emails | Contract performance; Legitimate interest | Necessary to communicate account-related information (e.g., payment receipts, plan changes). | | Error tracking (Sentry) | Legitimate interest | Non-PII data used to maintain service stability and diagnose issues. |

Where we rely on legitimate interest, we have conducted balancing tests to ensure our interests do not override your fundamental rights and freedoms. You may object to processing based on legitimate interest at any time by contacting legal@hearqa.com.

---

4. How We Use Your Data

We use your data for the following purposes:

• Service delivery — Providing real-time transcription, AI coaching, OCR, and document-grounded responses during your sessions.
• AI coaching — Sending transcription text and document context to AI models (AWS Bedrock, Google Vertex AI) to generate relevant, contextual assistance.
• Account management — Authenticating your identity, managing your profile, and maintaining your session history and documents.
• Usage tracking and plan enforcement — Monitoring session counts, durations, and AI response volumes to enforce the limits of your subscription plan (Free, Pro, Session Pack, or Annual).
• Transactional emails — Sending payment confirmations, plan change notifications, and essential account communications via AWS SES.
• Service improvement — Analyzing non-personally-identifiable error data (via Sentry) and aggregate usage patterns to improve reliability and performance.

We do not use your data for advertising, profiling, automated decision-making with legal effects, or sale to third parties.

---

5. Data Sharing and Third-Party Processors

We share your data only with the third-party processors necessary to deliver the service. We do not sell, rent, or trade your personal data.

| Service | Purpose | Data Received | Processing Region | |---------|---------|---------------|-------------------| | Groq (Whisper API) | Audio transcription | Audio stream (discarded immediately after transcription) | Groq infrastructure | | AWS Bedrock (Claude 3.5 Haiku) | AI coaching responses | Text transcript, document context | us-east-1 (N. Virginia, USA) | | Google Vertex AI (Gemini) | AI coaching (fallback) + video text extraction | Text transcript, document context, video frames | us-central1 (Iowa, USA) | | Paddle | Payment processing | Customer email, payment intent | Paddle infrastructure | | AWS Cognito | User authentication | Email, name, OAuth tokens | us-east-1 (N. Virginia, USA) | | AWS DynamoDB | Data storage | Account data, session metadata, summaries | us-east-1 (N. Virginia, USA) | | AWS S3 | Document and upload storage | User documents, session uploads | us-east-1 (N. Virginia, USA) | | AWS SES | Transactional email | Recipient email, message content | us-east-1 (N. Virginia, USA) | | Sentry (optional) | Error tracking | Non-PII error data, stack traces | Sentry infrastructure |

Each processor is bound by data processing agreements that require them to process data only as instructed, implement appropriate security measures, and not use data for their own purposes.

Paddle's specific role. Paddle acts as a separate data controller for payment-card data under GDPR Article 4 and the Paddle Merchant of Record Agreement — meaning Paddle determines the purposes and means of processing card data within its own PCI DSS scope, and HearQA has no access to full card numbers, CVV, or billing-address data. For the limited identifiers we share with Paddle (your account email and a transaction reference) Paddle acts as our processor strictly to enable checkout and subscription billing on our behalf.

---

6. International Data Transfers

HearQA is operated from Brazil, but the majority of data processing occurs in the United States (AWS us-east-1, N. Virginia). If you are located in Brazil, the European Economic Area (EEA), or other jurisdictions with data transfer restrictions, your data will be transferred to the United States.

We ensure lawful transfers through the following safeguards:

• Brazil (LGPD): International transfers are conducted in compliance with Article 33 of Lei no 13.709/2018 and ANPD Resolution CD/ANPD no 19/2024, relying on Standard Contractual Clauses and the adequacy of data protection measures implemented by our processors.
• EU/EEA (GDPR): Transfers to processors outside the EEA are governed by the European Commission's Standard Contractual Clauses (SCCs) pursuant to GDPR Chapter V, ensuring an adequate level of data protection.
• General: All data in transit is encrypted using TLS. All data at rest is encrypted using AWS-managed encryption. Our processors (AWS, Paddle, Groq, Sentry) maintain their own compliance certifications (SOC 2, ISO 27001, or equivalent).

---

7. Data Retention

We retain your data only as long as necessary for the purposes described in this policy. Retention periods vary by data type:

| Data Type | Retention Period | |-----------|-----------------| | Audio | Never stored. Discarded immediately after real-time transcription by Groq. | | Transcription text | Active session only. Deleted when the session ends, unless the user retains a session summary. | | Photos and images | Active session only. Deleted from S3 when the session ends. | | Screen captures | Never stored. Processed in-session only. | | Video recordings | Automatically deleted within 24 hours. Only extracted text is retained during the active session. | | Account information | Until you delete your account. | | Session metadata | Until you delete your account. | | Session summaries | Until you delete the summary or delete your account. | | Documents | Until you delete the document or delete your account. | | Payment records | Retained by Paddle per their retention policy. HearQA retains only subscription status and plan type. | | Error logs (Sentry) | Per Sentry's retention policy (typically 90 days). Contains no personally identifiable information. |

When you delete your account, your User Content remains available for export for 30 days following the deletion request, as described in Section 17 of our Terms of Service. After that 30-day window, all your data is permanently purged from DynamoDB and S3. This purge is irreversible.

You may also request immediate, non-revocable purge (skipping the 30-day export window) by emailing legal@hearqa.com. We will confirm the request before executing it.

---

8. Your Rights

Regardless of where you are located, we provide the following rights to all HearQA users:

• Right of Access — You can view your profile and account data at any time through your account settings, or by requesting a copy via legal@hearqa.com.
• Right to Data Portability — You can export all your personal data in JSON format through the Data Export feature in Settings.
• Right to Rectification — You can update your profile information at any time through your account settings.
• Right to Deletion (Erasure) — You can delete your account entirely through Settings. This permanently removes all your data from our systems (DynamoDB, S3, Cognito). You can also delete individual session summaries or documents without deleting your entire account.
• Right to Restrict Processing — You can request that we limit how we process your data by contacting legal@hearqa.com.
• Right to Object — You can object to processing based on legitimate interest by contacting legal@hearqa.com.
• Right to Withdraw Consent — Where processing is based on consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

To exercise any of these rights, contact us at legal@hearqa.com. We will respond within 15 days for LGPD requests, 30 days for GDPR requests, and 45 days for CCPA requests, as required by applicable law.

---

9. For Users in Brazil (LGPD)

If you are located in Brazil, this section provides additional information required by the Lei Geral de Proteção de Dados (Lei no 13.709/2018).

• Data Controller: HC DESENVOLVIMENTO DE SOFTWARES LTDA, Rua Guaicui, 715, CEP 30.380-342, Bairro Luxemburgo, Belo Horizonte, MG, Brazil.
• Data Protection Officer (Encarregado): Reachable at legal@hearqa.com. The Encarregado is responsible for receiving communications from data subjects and the ANPD.
• Legal Bases: Processing is based on Article 7 of the LGPD, specifically: performance of contract (inciso V), legitimate interest (inciso IX), and consent where applicable (inciso I).
• Supervisory Authority: The Autoridade Nacional de Proteção de Dados (ANPD) is the competent authority for LGPD matters. You have the right to petition the ANPD if you believe your data protection rights have been violated.
  • ANPD website: https://www.gov.br/anpd
• International Transfers: Your data is transferred to the United States in accordance with Article 33 of the LGPD and ANPD Resolution CD/ANPD no 19/2024.
• Response Time: We will respond to your requests within 15 days, as required by the LGPD.

---

10. For Users in the EU/EEA (GDPR)

If you are located in the European Union or European Economic Area, this section provides additional information required by the General Data Protection Regulation (EU 2016/679).

• Legal Bases: Our processing activities and their legal bases are detailed in Section 3 above. The primary bases are contract performance (Article 6(1)(b)) and legitimate interest (Article 6(1)(f)).
• Right to Lodge a Complaint: You have the right to lodge a complaint with your local data protection supervisory authority. A list of EU/EEA supervisory authorities is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en.
• International Transfers: Data is transferred to the United States under Standard Contractual Clauses (SCCs) adopted by the European Commission, in accordance with GDPR Chapter V.
• Data Protection Officer: For GDPR-related inquiries, contact legal@hearqa.com.
• Automated Decision-Making: HearQA does not engage in automated decision-making or profiling that produces legal effects or similarly significant effects on you. AI coaching responses are informational only and do not constitute automated decisions under Article 22.
• Response Time: We will respond to your requests within 30 days, with a possible extension of 60 additional days for complex requests, as permitted by Article 12(3).

---

11. For Users in California (CCPA)

If you are a California resident, this section provides additional information required by the California Consumer Privacy Act (Cal. Civ. Code Section 1798.100 et seq.) and the California Privacy Rights Act (CPRA).

• We do not sell personal information. HearQA has never sold and will never sell your personal information to third parties.
• We do not share personal information for cross-context behavioral advertising.
• Right to Know: You have the right to request the categories and specific pieces of personal information we have collected about you over the past 12 months.
• Right to Delete: You have the right to request deletion of your personal information. You can do this directly through your account settings or by contacting legal@hearqa.com.
• Right to Correct: You have the right to request correction of inaccurate personal information.
• Right to Opt-Out of Sale: Since we do not sell personal information, there is no sale to opt out of.
• Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights. You will not receive different pricing, a different quality of service, or be denied service for exercising your rights.
• Response Time: We will respond to verifiable consumer requests within 45 days, as required by the CCPA.

Categories of Personal Information Collected (per CCPA categories):

| CCPA Category | Examples | Collected | |---------------|----------|-----------| | Identifiers | Email address, name | Yes | | Commercial information | Subscription plan, payment history (via Paddle) | Yes | | Internet or network activity | Session metadata (type, duration, timestamps) | Yes | | Audio information | Microphone audio (streamed, never stored) | Transient only | | Audio/visual information | Video recordings (up to 20 seconds, auto-deleted within 24 hours) | Transient only | | Professional information | Session content related to interviews, exams, certifications | Yes (session duration only) | | Inferences | AI-generated session summaries | Yes (user-initiated) |

---

12. Children's Privacy

HearQA is not intended for use by anyone under the age of 16. We do not knowingly collect personal information from children under 16.

• Under the U.S. Children's Online Privacy Protection Act (COPPA), we do not collect data from children under 13.
• Under the GDPR, we do not process data of individuals under 16 without parental consent, and we do not have a mechanism for obtaining such consent.
• Under the LGPD, processing of data from children and adolescents requires the specific and prominent consent of a parent or legal guardian (Article 14).

If we become aware that we have collected personal data from a child under 16, we will delete that data immediately. If you believe a child under 16 has provided us with personal information, please contact us at legal@hearqa.com.

---

13. Cookies and Tracking Technologies

HearQA does not use cookies, web beacons, pixels, or similar tracking technologies.

We do not use any first-party or third-party cookies. We do not engage in cross-site tracking, behavioral advertising, or fingerprinting. Authentication tokens are stored in your browser's sessionStorage, which is cleared when you close your browser tab and is not accessible to other websites.

Because we do not use cookies or tracking technologies, there is no cookie consent banner and no opt-out mechanism is necessary.

---

14. Security Measures

We implement appropriate technical and organizational measures to protect your personal data:

• Encryption at rest: All data stored in DynamoDB and S3 is encrypted using AWS-managed encryption keys (AES-256).
• Encryption in transit: All data transmitted between your browser, our servers, and third-party processors is encrypted using TLS 1.2 or higher.
• Access controls: Access to production systems and data is restricted to authorized personnel using role-based access controls and multi-factor authentication.
• Infrastructure security: All services run on AWS infrastructure, which maintains SOC 1/2/3, ISO 27001, and other compliance certifications.
• Authentication security: User passwords are managed by AWS Cognito with industry-standard hashing. OAuth tokens follow the PKCE (Proof Key for Code Exchange) flow for enhanced security.
• Data isolation: User data is logically isolated in DynamoDB using partition key design. Each user can only access their own data.
• Regular reviews: We conduct periodic security reviews and monitor for vulnerabilities in our dependencies and infrastructure.

Vulnerability Disclosure: If you discover a security vulnerability, please report it to security@hearqa.com. We take all reports seriously and will respond promptly.

---

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

• Material changes: For significant changes that affect your rights or how we process your data, we will notify you at least 30 days in advance via email to the address associated with your account.
• Non-material changes: Minor clarifications or formatting updates may be made without prior notice.
• Version history: The "Last Updated" date at the top of this policy reflects the date of the most recent revision. The version number follows semantic versioning.

We encourage you to review this policy periodically. Your continued use of HearQA after changes take effect constitutes acceptance of the updated policy.

---

16. Contact

For any questions, concerns, or requests related to this Privacy Policy or your personal data:

• Privacy and legal inquiries: legal@hearqa.com
• Security vulnerability reports: security@hearqa.com

For support inquiries about your subscription or service, active Pro and Session Pack subscribers can use the contact form in their portal.

Mailing address: HC DESENVOLVIMENTO DE SOFTWARES LTDA Rua Guaicui, 715 CEP 30.380-342, Bairro Luxemburgo Belo Horizonte, MG, Brazil

We aim to respond to all privacy-related inquiries within 15 days.