eniq.ai
FeaturesUse CasesIntegrationsPricing
Sign InStart Free Trial

Privacy Policy

Legal terms and privacy information for eniq.ai customers, account users, and communication participants.

Last Updated: June 5, 2026

This Privacy Policy explains how Netpeak LTD ("eniq.ai", "we", "us", "our") collects, uses, discloses, and protects personal data in connection with the eniq.ai conversation intelligence platform, including the websites at https://eniq.ai and https://app.eniq.ai and the APIs at https://api.eniq.ai (the "Service").

This policy is written for two groups of people:

  • Account Users — individuals who register for and use the Service on behalf of an organization (salespeople, managers, analysts, admins). For Account Users, we act as a controller of your account data.
  • Communication Participants — individuals whose voice, image, text, or other communications are captured because the Service recorded, ingested, or analyzed a call, online meeting, chat, message, or email they participated in. For those participants, our customer is the controller and we act as a processor on that customer's behalf. We describe that role briefly in Section 12 below; for information about why your communication was processed, contact the customer that processed it.

If there is a conflict between this policy and a Data Processing Addendum ("DPA") between us and a customer, the DPA controls with respect to Customer Data.

1. Who We Are and How to Reach Us

Controller: Netpeak LTD, 41 Devonshire Street, Ground Floor, London, United Kingdom, W1G 7AJ. Privacy contact: [email protected] Data Protection Officer: Yurii Bondar, [email protected] EU representative (if applicable): NETPEAK EOOD (LTD), 47 Cherni vrah blvd., 1407 Sofia, Bulgaria UK representative (if applicable): Not applicable; Netpeak LTD is established in the United Kingdom.

If you have any question about this policy or your personal data, email [email protected].

2. Personal Data We Collect

2.1 Data You Provide Directly (Account Users)

CategoryExamples
IdentificationFull name, email address, password (stored hashed, never in clear text), profile photo
OrganizationCompany name, job role, team, assigned role (Owner, Admin, Team Leader, Analyst, User, or custom role)
BillingCompany name, tax/VAT ID, billing address, payment-method metadata (card brand, last four digits, expiry — full card numbers are handled by Stripe, not by us)
SupportMessages you send us by email, through Intercom in-app chat, or via Telegram; attached screenshots or files
Integration credentialsOAuth tokens, API keys, and connection metadata for CRMs (e.g., Zoho, HubSpot, Pipedrive, Salesforce, Creatio), telephony, and meeting platforms (encrypted at rest)
PreferencesLanguage, timezone, notification settings, UI settings

2.2 Customer Data Uploaded or Streamed to the Service

When you or your Authorized Users use the Service, you may upload or stream to us:

CategoryExamples
Call and meeting recordingsAudio and (for meetings) video of phone calls and online meetings
Chat and message contentText of live-chat, WhatsApp, Telegram, Viber, Messenger, Instagram Direct, SMS/MMS, email, and similar conversations ingested from connected platforms or pushed through our APIs
TranscriptsMachine-generated transcriptions of voice/video
Communication metadataDate/time, duration, participant identifiers (phone numbers, email addresses, usernames, handles), direction, channel, tags
CRM recordsDeal data, contact records, lead fields that you choose to sync
AI analysesSummaries, scores, sentiment, topic tags, coaching insights generated from the above

Recordings, transcripts, and chat/message content frequently contain personal data about third parties — your customers, prospects, employees — including their names, phone numbers, email addresses, chat handles, voices, message content, purchase information, and anything else they say or write. You are responsible for lawful processing of that data (see Section 12).

2.3 Data Collected Automatically (all visitors)

CategoryExamplesHow
Device and technicalIP address, browser type and version, OS, screen size, language, referring URLStandard web logs, first-party cookies
UsagePages viewed, buttons clicked, features used, timestamps, session IDs, errors encounteredOur application logs, Sentry error logs
AnalyticsAggregate traffic and funnel dataGoogle Analytics 4 / Google Tag Manager (subject to cookie consent via Cookiebot)
Support chatMessages, identity, technical contextIntercom

2.4 Data from Third Parties

  • Google OAuth / Single Sign-On (when used): name, email, profile image from your Google account.
  • Meeting platforms (Zoom, Google Meet, Microsoft Teams, Webex, and similar): meeting metadata and, for meetings you instruct us to join, audio/video streams.
  • Telephony, contact-center, and chat/messaging platforms you connect (including providers such as WhatsApp, Telegram, Viber, Messenger, Instagram Direct, SMS/MMS gateways, live-chat widgets, email, and any platform you integrate through our generic APIs): call audio, chat/message content, participant identifiers, and metadata, as authorized by you.
  • Payment processor (Stripe): payment status, card metadata, fraud signals.
  • CRM integrations (when you connect them): contact, company, and deal data you authorize us to read or write.

2.5 Sensitive Data

We do not intentionally collect special categories of personal data (health, biometric for identification, religion, political views, union membership, sex life or sexual orientation, race or ethnicity). If recordings you upload happen to contain such data, you are responsible for identifying the lawful basis and, where required, obtaining explicit consent. Voice recordings are considered highly sensitive under several privacy regimes and may qualify as biometric data in some jurisdictions — consult local counsel.

2.6 Children

The Service is not directed to children. We do not knowingly collect personal data from anyone under 16 (or under 13 in the United States). If you become aware that a child has provided us with personal data, contact [email protected] and we will delete it.

3. Why We Use Personal Data — and the Legal Basis

PurposeData usedLegal basis (GDPR)
Create and authenticate your accountAccount identification, credentialsContract (Art. 6(1)(b))
Deliver the Service (upload, transcribe, analyze, integrate)Customer Data, account dataContract
Process payments and prevent fraudBilling data, IP, deviceContract; legal obligation
Customer supportSupport messages, account dataContract; legitimate interests
Service security and abuse preventionAccess logs, IP, device, usageLegitimate interests; legal obligation
Error monitoring and reliabilityCrash logs, request logsLegitimate interests
Product improvement (aggregated / de-identified only)Aggregated usageLegitimate interests
Transactional emails (receipts, alerts, account notices)Email, account dataContract; legal obligation
Marketing emails (product news, tips)Email, preferencesConsent (where required); otherwise legitimate interests — you may opt out any time
Legal claims, compliance, taxAs neededLegal obligation; legitimate interests
Analytics, cookies, tracking (non-essential)Device, behaviorConsent (via cookie banner)

Where our basis is legitimate interests, we have balanced our interests against your rights and concluded that our processing is necessary and proportionate. You may object at any time by writing to [email protected].

No AI Model Training on Your Data

We do not use Customer Data (including recordings, transcripts, or analyses) to train or fine-tune foundation models operated by us or by our AI subprocessors, except with your explicit opt-in. Our AI subprocessors are engaged on zero-retention or no-training terms where such terms are available.

No Sale of Personal Data

We do not sell personal data in the commercial sense and do not sell personal data as defined under the California Consumer Privacy Act (CCPA/CPRA). We do not "share" personal data for cross-context behavioral advertising.

4. Cookies and Similar Technologies

We use first-party cookies for authentication and core functionality, and — subject to your consent via our cookie banner (Cookiebot) — third-party cookies for analytics (Google Analytics 4 / Google Tag Manager) and in-product support chat (Intercom). You can change your preferences at any time through the "Cookie settings" link in our footer or by clearing cookies in your browser.

Categories commonly set:

CategoryExamplesDurationPurpose
Strictly necessarySession, CSRF, auth, cookie-consentSession / up to 12 monthsLogin, security, remembering your consent
Analytics_ga, _ga_* (Google Analytics)Up to 24 monthsTraffic and usage statistics
SupportIntercom cookiesUp to 9 monthsIn-product chat

5. Who We Share Personal Data With

We share personal data only with the parties described below and only to the extent necessary for the purposes listed.

5.1 Subprocessors and Service Providers

ProviderPurposeData involvedLocation
Google Cloud (Google Cloud Storage, and related services)Hosting and storage of recordings and application dataAccount data, Customer DataEU/US (per region configured)
Stripe, Inc.Payment processingBilling data, card metadataEU/US
Anthropic, PBCAI transcription/analysis (Claude models)Transcripts and prompts derived from Customer DataUS
OpenAI, L.L.C.AI transcription/analysis (optional)Transcripts/prompts derived from Customer DataUS
Google LLC (Gemini / Speech-to-Text)AI transcription/analysis (optional)Audio / transcriptsEU/US
xAI Corp.AI analysis (optional, Grok models)Transcripts/promptsUS
Groq, Inc.AI inference (optional)Transcripts/promptsUS
Functional Software, Inc. (Sentry)Error monitoringIP, user ID, stack tracesUS/EU
Intercom R&D Unlimited CompanyIn-product support chatAccount identity, support messagesEU/US
Cookiebot (Cybot A/S)Cookie consent managementIP (truncated), consent recordsEU
Google LLC (Google Analytics 4 / Tag Manager)AnalyticsPseudonymous device/usage data (after consent)EU/US
Telegram FZ-LLCOptional bot notificationsNotification content, Telegram user IDUAE/US
Telephony, contact-center, and chat providers you connect in project settings (via native connectors or our generic API)Call/chat metadata, audio, messagesAs configured by youProvider-specific
Zoom, Google Meet, and similar meeting platforms you connectMeeting audio/videoAs authorized by youProvider-specific
CRM integrations you enable (Zoho, HubSpot, Pipedrive, Salesforce, Creatio, others)CRM data exchangeAs configuredProvider-specific

We require subprocessors to provide appropriate safeguards (including Standard Contractual Clauses or equivalent for international transfers) and to process data only on documented instructions. A current list of subprocessors is available at https://eniq.ai/subprocessors and will be updated before adding a new subprocessor that materially affects customers.

5.2 Our Group Companies

We may share personal data with affiliates under common control for the purposes described in this policy, subject to confidentiality and applicable law.

5.3 Legal and Safety Disclosures

We may disclose personal data when we believe in good faith that disclosure is necessary to: comply with law or a valid legal process (including subpoenas, court orders, or governmental requests); enforce our Terms; protect our rights, property, or safety, or those of our users or the public; or investigate fraud, security, or abuse. Where permitted by law, we will notify the affected customer before disclosing Customer Data.

5.4 Business Transfers

If we are involved in a merger, acquisition, reorganization, financing, sale of assets, or insolvency, personal data may be transferred as part of that transaction. We will notify affected users of any change in controller as required by law.

6. International Data Transfers

We operate from the United Kingdom and rely on providers in the European Economic Area, the United Kingdom, the United States, and other countries. Where we transfer personal data from the EEA, UK, or Switzerland to a country that has not been recognized as providing adequate protection, we rely on:

  • the EU Standard Contractual Clauses (2021) and, where applicable, the UK International Data Transfer Addendum;
  • the EU–US Data Privacy Framework (for certified U.S. recipients, when used);
  • supplementary technical and organizational measures as required (encryption in transit, at-rest encryption of sensitive secrets, pseudonymization where practical, access controls).

For transfers from Ukraine or other jurisdictions with similar mechanisms, we rely on the corresponding safeguards available under local law.

You may request a copy of the relevant transfer mechanism by writing to [email protected].

7. How Long We Keep Personal Data

We keep personal data only as long as we need it for the purposes described in this policy, including to meet legal, tax, or accounting obligations, or to resolve disputes.

CategoryDefault retention
Account dataLifetime of the account
Customer Data (recordings, transcripts, chat/message content, analyses)For the lifetime of your Subscription, subject to any in-product retention controls you configure; deleted within 60 days after termination (except as required by law)
BackupsUp to 35 days, then purged on rolling schedule
Billing/invoice recordsAs required by tax law (typically 5–10 years)
Security and audit logsUp to 18 months
Support ticketsUp to 3 years after the last interaction
Marketing contact data (with consent)Until you withdraw consent

You or your organization's administrator can delete specific records earlier via the in-product controls. On termination, you can request an export within 30 days (see Terms, Section 16).

8. Your Rights

Depending on where you live, you may have some or all of the following rights:

  • Access — know what personal data we hold about you.
  • Rectification — correct inaccurate or incomplete data.
  • Erasure / deletion — have your data deleted in certain circumstances.
  • Restriction of processing — limit how we use your data.
  • Portability — receive a copy in a common, machine-readable format and have it transmitted to another controller where technically feasible.
  • Objection — object to processing based on legitimate interests, and to direct marketing at any time.
  • Withdraw consent — where processing is based on consent, withdraw it at any time (without affecting prior lawful processing).
  • Not to be subject to solely automated decision-making that produces legal or similarly significant effects — we do not make such decisions about you.
  • Complain to a supervisory authority (see Section 11).

Account Users can exercise most rights directly in product settings. For anything not available in product, email [email protected]. We respond within one month (extendable to three months for complex requests, with notice). We may need to verify your identity.

California Residents (CCPA/CPRA)

You have the rights described above (phrased as "know", "correct", "delete", "opt-out of sale/sharing", "limit use of sensitive personal information", and "non-discrimination"). We do not sell or share personal data for cross-context behavioral advertising. You may designate an authorized agent to act on your behalf. Submit requests to [email protected]. We do not charge for these requests and we do not discriminate against you for exercising them.

Brazilian Residents (LGPD), Ukrainian Residents (Law on Personal Data Protection), and Other Jurisdictions

Equivalent rights apply under the Brazilian LGPD, the Ukrainian Law on Personal Data Protection, and comparable laws. Contact us at [email protected].

9. Security

We implement technical and organizational measures designed to protect personal data, including:

  • TLS (HTTPS) for data in transit;
  • password hashing (argon2/bcrypt), encryption at rest for sensitive secrets (OAuth tokens, API keys);
  • role-based access controls with least-privilege principle;
  • two-factor authentication (TOTP) for accounts where enabled;
  • centralized logging, error monitoring, and alerting;
  • vendor due diligence on major subprocessors;
  • network segmentation and access reviews.

No system is perfectly secure. If we become aware of a personal-data breach, we will notify affected customers and, where required, supervisory authorities, without undue delay and within applicable deadlines.

10. AI-Specific Disclosures

  • Probabilistic output. Transcriptions and analyses are generated by machine-learning models and may contain errors, including misheard words, speaker misattribution, omitted content, or incorrect summaries/scores. We do not guarantee accuracy.
  • No solely automated decisions with legal effect. The Service provides decision-support; human review is required before any consequential decision is made. We do not make solely-automated decisions that produce legal or similarly significant effects concerning you.
  • Prompt and content logging. Prompts and outputs are logged for debugging, abuse prevention, and service continuity, then retained per Section 7.
  • AI subprocessors. AI subprocessors listed in Section 5.1 are engaged on zero-retention or no-training terms where available. Anthropic's standard API terms include a no-training default; OpenAI's standard API terms include a 30-day zero-retention/no-training default.

11. How to Complain

If you believe we have not complied with this policy or with applicable law, please first contact us at [email protected]. You also have the right to lodge a complaint with a supervisory authority:

  • EU residents — the data protection authority of your member state (list: https://edpb.europa.eu/about-edpb/about-edpb/members_en).
  • UK residents — the Information Commissioner's Office (ICO), https://ico.org.uk.
  • Ukrainian residents — Ukrainian Parliament Commissioner for Human Rights, https://www.ombudsman.gov.ua.
  • Polish residents — Urząd Ochrony Danych Osobowych (UODO), https://uodo.gov.pl.
  • California residents — the California Privacy Protection Agency (CPPA) or the Attorney General.

12. Note to Communication Participants (Calls, Meetings, Chats, Messages)

If you are reading this because you were told that a call, online meeting, chat conversation, or message you participated in was being recorded, ingested, or analyzed by eniq.ai, then our customer (the organization that recorded or ingested the communication — typically the business running the call, chat, or help desk) is the controller of that data, not us. We process the recording, transcript, chat log, or message content on their behalf as a processor/service provider.

We can help you find the customer to exercise your rights, but we cannot respond to access/deletion requests directly without the customer's instruction or legal requirement. Contact the business that processed your communication; if you cannot identify them, email [email protected] and we will use reasonable efforts to route your request.

13. Links to Third-Party Sites

Our Service may contain links to third-party websites (for example, provider documentation). We are not responsible for the privacy practices of those sites. Read their privacy notices.

14. Changes to This Policy

We may update this policy from time to time. For material changes, we will notify you by email or in-product at least 15 days before the change takes effect. The "Last Updated" date at the top always reflects the current version. Continued use of the Service after the effective date constitutes acceptance.

15. Contact

eniq.ai

AI-powered conversation intelligence platform for all customer interactions.

Product
FeaturesPricingIntegrations
Company

© 2025 eniq.ai. All rights reserved.

Sign InStart Free Trial