Last Updated: June 5, 2026
This Privacy Policy explains how Netpeak LTD ("eniq.ai", "we", "us", "our") collects, uses, discloses, and protects personal data in connection with the eniq.ai conversation intelligence platform, including the websites at https://eniq.ai and https://app.eniq.ai and the APIs at https://api.eniq.ai (the "Service").
This policy is written for two groups of people:
- Account Users — individuals who register for and use the Service on behalf of an organization (salespeople, managers, analysts, admins). For Account Users, we act as a controller of your account data.
- Communication Participants — individuals whose voice, image, text, or other communications are captured because the Service recorded, ingested, or analyzed a call, online meeting, chat, message, or email they participated in. For those participants, our customer is the controller and we act as a processor on that customer's behalf. We describe that role briefly in Section 12 below; for information about why your communication was processed, contact the customer that processed it.
If there is a conflict between this policy and a Data Processing Addendum ("DPA") between us and a customer, the DPA controls with respect to Customer Data.
1. Who We Are and How to Reach Us
Controller: Netpeak LTD, 41 Devonshire Street, Ground Floor, London, United Kingdom, W1G 7AJ. Privacy contact: [email protected] Data Protection Officer: Yurii Bondar, [email protected] EU representative (if applicable): NETPEAK EOOD (LTD), 47 Cherni vrah blvd., 1407 Sofia, Bulgaria UK representative (if applicable): Not applicable; Netpeak LTD is established in the United Kingdom.
If you have any question about this policy or your personal data, email [email protected].
2. Personal Data We Collect
2.1 Data You Provide Directly (Account Users)
| Category | Examples |
|---|---|
| Identification | Full name, email address, password (stored hashed, never in clear text), profile photo |
| Organization | Company name, job role, team, assigned role (Owner, Admin, Team Leader, Analyst, User, or custom role) |
| Billing | Company name, tax/VAT ID, billing address, payment-method metadata (card brand, last four digits, expiry — full card numbers are handled by Stripe, not by us) |
| Support | Messages you send us by email, through Intercom in-app chat, or via Telegram; attached screenshots or files |
| Integration credentials | OAuth tokens, API keys, and connection metadata for CRMs (e.g., Zoho, HubSpot, Pipedrive, Salesforce, Creatio), telephony, and meeting platforms (encrypted at rest) |
| Preferences | Language, timezone, notification settings, UI settings |
2.2 Customer Data Uploaded or Streamed to the Service
When you or your Authorized Users use the Service, you may upload or stream to us:
| Category | Examples |
|---|---|
| Call and meeting recordings | Audio and (for meetings) video of phone calls and online meetings |
| Chat and message content | Text of live-chat, WhatsApp, Telegram, Viber, Messenger, Instagram Direct, SMS/MMS, email, and similar conversations ingested from connected platforms or pushed through our APIs |
| Transcripts | Machine-generated transcriptions of voice/video |
| Communication metadata | Date/time, duration, participant identifiers (phone numbers, email addresses, usernames, handles), direction, channel, tags |
| CRM records | Deal data, contact records, lead fields that you choose to sync |
| AI analyses | Summaries, scores, sentiment, topic tags, coaching insights generated from the above |
Recordings, transcripts, and chat/message content frequently contain personal data about third parties — your customers, prospects, employees — including their names, phone numbers, email addresses, chat handles, voices, message content, purchase information, and anything else they say or write. You are responsible for lawful processing of that data (see Section 12).
2.3 Data Collected Automatically (all visitors)
| Category | Examples | How |
|---|---|---|
| Device and technical | IP address, browser type and version, OS, screen size, language, referring URL | Standard web logs, first-party cookies |
| Usage | Pages viewed, buttons clicked, features used, timestamps, session IDs, errors encountered | Our application logs, Sentry error logs |
| Analytics | Aggregate traffic and funnel data | Google Analytics 4 / Google Tag Manager (subject to cookie consent via Cookiebot) |
| Support chat | Messages, identity, technical context | Intercom |
2.4 Data from Third Parties
- Google OAuth / Single Sign-On (when used): name, email, profile image from your Google account.
- Meeting platforms (Zoom, Google Meet, Microsoft Teams, Webex, and similar): meeting metadata and, for meetings you instruct us to join, audio/video streams.
- Telephony, contact-center, and chat/messaging platforms you connect (including providers such as WhatsApp, Telegram, Viber, Messenger, Instagram Direct, SMS/MMS gateways, live-chat widgets, email, and any platform you integrate through our generic APIs): call audio, chat/message content, participant identifiers, and metadata, as authorized by you.
- Payment processor (Stripe): payment status, card metadata, fraud signals.
- CRM integrations (when you connect them): contact, company, and deal data you authorize us to read or write.
2.5 Sensitive Data
We do not intentionally collect special categories of personal data (health, biometric for identification, religion, political views, union membership, sex life or sexual orientation, race or ethnicity). If recordings you upload happen to contain such data, you are responsible for identifying the lawful basis and, where required, obtaining explicit consent. Voice recordings are considered highly sensitive under several privacy regimes and may qualify as biometric data in some jurisdictions — consult local counsel.
2.6 Children
The Service is not directed to children. We do not knowingly collect personal data from anyone under 16 (or under 13 in the United States). If you become aware that a child has provided us with personal data, contact [email protected] and we will delete it.
3. Why We Use Personal Data — and the Legal Basis
| Purpose | Data used | Legal basis (GDPR) |
|---|---|---|
| Create and authenticate your account | Account identification, credentials | Contract (Art. 6(1)(b)) |
| Deliver the Service (upload, transcribe, analyze, integrate) | Customer Data, account data | Contract |
| Process payments and prevent fraud | Billing data, IP, device | Contract; legal obligation |
| Customer support | Support messages, account data | Contract; legitimate interests |
| Service security and abuse prevention | Access logs, IP, device, usage | Legitimate interests; legal obligation |
| Error monitoring and reliability | Crash logs, request logs | Legitimate interests |
| Product improvement (aggregated / de-identified only) | Aggregated usage | Legitimate interests |
| Transactional emails (receipts, alerts, account notices) | Email, account data | Contract; legal obligation |
| Marketing emails (product news, tips) | Email, preferences | Consent (where required); otherwise legitimate interests — you may opt out any time |
| Legal claims, compliance, tax | As needed | Legal obligation; legitimate interests |
| Analytics, cookies, tracking (non-essential) | Device, behavior | Consent (via cookie banner) |
Where our basis is legitimate interests, we have balanced our interests against your rights and concluded that our processing is necessary and proportionate. You may object at any time by writing to [email protected].
No AI Model Training on Your Data
We do not use Customer Data (including recordings, transcripts, or analyses) to train or fine-tune foundation models operated by us or by our AI subprocessors, except with your explicit opt-in. Our AI subprocessors are engaged on zero-retention or no-training terms where such terms are available.
No Sale of Personal Data
We do not sell personal data in the commercial sense and do not sell personal data as defined under the California Consumer Privacy Act (CCPA/CPRA). We do not "share" personal data for cross-context behavioral advertising.
4. Cookies and Similar Technologies
We use first-party cookies for authentication and core functionality, and — subject to your consent via our cookie banner (Cookiebot) — third-party cookies for analytics (Google Analytics 4 / Google Tag Manager) and in-product support chat (Intercom). You can change your preferences at any time through the "Cookie settings" link in our footer or by clearing cookies in your browser.
Categories commonly set:
| Category | Examples | Duration | Purpose |
|---|---|---|---|
| Strictly necessary | Session, CSRF, auth, cookie-consent | Session / up to 12 months | Login, security, remembering your consent |
| Analytics | _ga, _ga_* (Google Analytics) | Up to 24 months | Traffic and usage statistics |
| Support | Intercom cookies | Up to 9 months | In-product chat |
5. Who We Share Personal Data With
We share personal data only with the parties described below and only to the extent necessary for the purposes listed.
5.1 Subprocessors and Service Providers
| Provider | Purpose | Data involved | Location |
|---|---|---|---|
| Google Cloud (Google Cloud Storage, and related services) | Hosting and storage of recordings and application data | Account data, Customer Data | EU/US (per region configured) |
| Stripe, Inc. | Payment processing | Billing data, card metadata | EU/US |
| Anthropic, PBC | AI transcription/analysis (Claude models) | Transcripts and prompts derived from Customer Data | US |
| OpenAI, L.L.C. | AI transcription/analysis (optional) | Transcripts/prompts derived from Customer Data | US |
| Google LLC (Gemini / Speech-to-Text) | AI transcription/analysis (optional) | Audio / transcripts | EU/US |
| xAI Corp. | AI analysis (optional, Grok models) | Transcripts/prompts | US |
| Groq, Inc. | AI inference (optional) | Transcripts/prompts | US |
| Functional Software, Inc. (Sentry) | Error monitoring | IP, user ID, stack traces | US/EU |
| Intercom R&D Unlimited Company | In-product support chat | Account identity, support messages | EU/US |
| Cookiebot (Cybot A/S) | Cookie consent management | IP (truncated), consent records | EU |
| Google LLC (Google Analytics 4 / Tag Manager) | Analytics | Pseudonymous device/usage data (after consent) | EU/US |
| Telegram FZ-LLC | Optional bot notifications | Notification content, Telegram user ID | UAE/US |
| Telephony, contact-center, and chat providers you connect in project settings (via native connectors or our generic API) | Call/chat metadata, audio, messages | As configured by you | Provider-specific |
| Zoom, Google Meet, and similar meeting platforms you connect | Meeting audio/video | As authorized by you | Provider-specific |
| CRM integrations you enable (Zoho, HubSpot, Pipedrive, Salesforce, Creatio, others) | CRM data exchange | As configured | Provider-specific |
We require subprocessors to provide appropriate safeguards (including Standard Contractual Clauses or equivalent for international transfers) and to process data only on documented instructions. A current list of subprocessors is available at https://eniq.ai/subprocessors and will be updated before adding a new subprocessor that materially affects customers.
5.2 Our Group Companies
We may share personal data with affiliates under common control for the purposes described in this policy, subject to confidentiality and applicable law.
5.3 Legal and Safety Disclosures
We may disclose personal data when we believe in good faith that disclosure is necessary to: comply with law or a valid legal process (including subpoenas, court orders, or governmental requests); enforce our Terms; protect our rights, property, or safety, or those of our users or the public; or investigate fraud, security, or abuse. Where permitted by law, we will notify the affected customer before disclosing Customer Data.
5.4 Business Transfers
If we are involved in a merger, acquisition, reorganization, financing, sale of assets, or insolvency, personal data may be transferred as part of that transaction. We will notify affected users of any change in controller as required by law.
6. International Data Transfers
We operate from the United Kingdom and rely on providers in the European Economic Area, the United Kingdom, the United States, and other countries. Where we transfer personal data from the EEA, UK, or Switzerland to a country that has not been recognized as providing adequate protection, we rely on:
- the EU Standard Contractual Clauses (2021) and, where applicable, the UK International Data Transfer Addendum;
- the EU–US Data Privacy Framework (for certified U.S. recipients, when used);
- supplementary technical and organizational measures as required (encryption in transit, at-rest encryption of sensitive secrets, pseudonymization where practical, access controls).
For transfers from Ukraine or other jurisdictions with similar mechanisms, we rely on the corresponding safeguards available under local law.
You may request a copy of the relevant transfer mechanism by writing to [email protected].
7. How Long We Keep Personal Data
We keep personal data only as long as we need it for the purposes described in this policy, including to meet legal, tax, or accounting obligations, or to resolve disputes.
| Category | Default retention |
|---|---|
| Account data | Lifetime of the account |
| Customer Data (recordings, transcripts, chat/message content, analyses) | For the lifetime of your Subscription, subject to any in-product retention controls you configure; deleted within 60 days after termination (except as required by law) |
| Backups | Up to 35 days, then purged on rolling schedule |
| Billing/invoice records | As required by tax law (typically 5–10 years) |
| Security and audit logs | Up to 18 months |
| Support tickets | Up to 3 years after the last interaction |
| Marketing contact data (with consent) | Until you withdraw consent |
You or your organization's administrator can delete specific records earlier via the in-product controls. On termination, you can request an export within 30 days (see Terms, Section 16).
8. Your Rights
Depending on where you live, you may have some or all of the following rights:
- Access — know what personal data we hold about you.
- Rectification — correct inaccurate or incomplete data.
- Erasure / deletion — have your data deleted in certain circumstances.
- Restriction of processing — limit how we use your data.
- Portability — receive a copy in a common, machine-readable format and have it transmitted to another controller where technically feasible.
- Objection — object to processing based on legitimate interests, and to direct marketing at any time.
- Withdraw consent — where processing is based on consent, withdraw it at any time (without affecting prior lawful processing).
- Not to be subject to solely automated decision-making that produces legal or similarly significant effects — we do not make such decisions about you.
- Complain to a supervisory authority (see Section 11).
Account Users can exercise most rights directly in product settings. For anything not available in product, email [email protected]. We respond within one month (extendable to three months for complex requests, with notice). We may need to verify your identity.
California Residents (CCPA/CPRA)
You have the rights described above (phrased as "know", "correct", "delete", "opt-out of sale/sharing", "limit use of sensitive personal information", and "non-discrimination"). We do not sell or share personal data for cross-context behavioral advertising. You may designate an authorized agent to act on your behalf. Submit requests to [email protected]. We do not charge for these requests and we do not discriminate against you for exercising them.
Brazilian Residents (LGPD), Ukrainian Residents (Law on Personal Data Protection), and Other Jurisdictions
Equivalent rights apply under the Brazilian LGPD, the Ukrainian Law on Personal Data Protection, and comparable laws. Contact us at [email protected].
9. Security
We implement technical and organizational measures designed to protect personal data, including:
- TLS (HTTPS) for data in transit;
- password hashing (argon2/bcrypt), encryption at rest for sensitive secrets (OAuth tokens, API keys);
- role-based access controls with least-privilege principle;
- two-factor authentication (TOTP) for accounts where enabled;
- centralized logging, error monitoring, and alerting;
- vendor due diligence on major subprocessors;
- network segmentation and access reviews.
No system is perfectly secure. If we become aware of a personal-data breach, we will notify affected customers and, where required, supervisory authorities, without undue delay and within applicable deadlines.
10. AI-Specific Disclosures
- Probabilistic output. Transcriptions and analyses are generated by machine-learning models and may contain errors, including misheard words, speaker misattribution, omitted content, or incorrect summaries/scores. We do not guarantee accuracy.
- No solely automated decisions with legal effect. The Service provides decision-support; human review is required before any consequential decision is made. We do not make solely-automated decisions that produce legal or similarly significant effects concerning you.
- Prompt and content logging. Prompts and outputs are logged for debugging, abuse prevention, and service continuity, then retained per Section 7.
- AI subprocessors. AI subprocessors listed in Section 5.1 are engaged on zero-retention or no-training terms where available. Anthropic's standard API terms include a no-training default; OpenAI's standard API terms include a 30-day zero-retention/no-training default.
11. How to Complain
If you believe we have not complied with this policy or with applicable law, please first contact us at [email protected]. You also have the right to lodge a complaint with a supervisory authority:
- EU residents — the data protection authority of your member state (list: https://edpb.europa.eu/about-edpb/about-edpb/members_en).
- UK residents — the Information Commissioner's Office (ICO), https://ico.org.uk.
- Ukrainian residents — Ukrainian Parliament Commissioner for Human Rights, https://www.ombudsman.gov.ua.
- Polish residents — Urząd Ochrony Danych Osobowych (UODO), https://uodo.gov.pl.
- California residents — the California Privacy Protection Agency (CPPA) or the Attorney General.
12. Note to Communication Participants (Calls, Meetings, Chats, Messages)
If you are reading this because you were told that a call, online meeting, chat conversation, or message you participated in was being recorded, ingested, or analyzed by eniq.ai, then our customer (the organization that recorded or ingested the communication — typically the business running the call, chat, or help desk) is the controller of that data, not us. We process the recording, transcript, chat log, or message content on their behalf as a processor/service provider.
We can help you find the customer to exercise your rights, but we cannot respond to access/deletion requests directly without the customer's instruction or legal requirement. Contact the business that processed your communication; if you cannot identify them, email [email protected] and we will use reasonable efforts to route your request.
13. Links to Third-Party Sites
Our Service may contain links to third-party websites (for example, provider documentation). We are not responsible for the privacy practices of those sites. Read their privacy notices.
14. Changes to This Policy
We may update this policy from time to time. For material changes, we will notify you by email or in-product at least 15 days before the change takes effect. The "Last Updated" date at the top always reflects the current version. Continued use of the Service after the effective date constitutes acceptance.
15. Contact
- Privacy: [email protected]
- Security incidents: [email protected]
- DPO: Yurii Bondar, [email protected]
- Postal: Netpeak LTD, 41 Devonshire Street, Ground Floor, London, United Kingdom, W1G 7AJ