Privacy Policy

Last Updated: June 5, 2026

Agreement to This Privacy Policy

This Privacy Notice for Concord Voice LLC (“we,” “us,” or “our”), a Virginia limited liability company, describes how and why we might access, collect, store, use, and/or share (“process”) your personal information when you use our services (“Services”), including when you:

Visit our website at https://www.concordvoice.com or any website of ours that links to this Privacy Notice;
Download and use our desktop application (Concord Voice), or, if and when released, our mobile application, or any other application of ours that links to this Privacy Notice;
Use Concord Voice, an end-to-end encrypted communications platform designed with privacy and security first, protecting your messages, calls, and video communications across the platform; or
Engage with us in other related ways, including any marketing or events.

Questions or concerns? Reading this Privacy Notice will help you understand your privacy rights and choices. We are responsible for making decisions about how your personal information is processed for the hosted Concord Voice Service operated by Concord Voice LLC. We are not responsible for data processed on self-hosted Concord Voice deployments that you or another operator runs (see Section 18 below). If you do not agree with our policies and practices, please do not use our Services. If you still have any questions or concerns, please contact us at [email protected].

Summary of Key Points

This summary provides key points from our Privacy Notice. You can find more details about each topic in the linked section below, or use our table of contents to navigate.

What personal information do we process? When you visit, use, or navigate our Services, we may process personal information depending on how you interact with us and the Services, the choices you make, and the products and features you use.

End-to-end encryption: what we CANNOT access. Concord Voice uses end-to-end encryption (E2EE) for messages. We do not possess the keys necessary to decrypt your end-to-end encrypted content, and we are technically unable to read, scan, analyze, moderate, or disclose the content of encrypted messages — even when compelled by legal process. See Section 2.

Do we process sensitive personal information? Some of the information may be considered “special” or “sensitive” in certain jurisdictions, for example date of birth or geolocation data. We process sensitive personal information when necessary with your consent or as otherwise permitted by applicable law. See Section 1.

Do we collect information from third parties? Generally no, beyond what you provide directly or what is automatically collected when you use the Services. We do not collect from social media platforms or marketing-data brokers for Concord-platform users. See Section 1.

How do we process your information? We process your information to provide, improve, and administer our Services, communicate with you, for security and fraud prevention, and to comply with law. We process your information only when we have a valid legal reason to do so. See Section 3.

In what situations and with which parties do we share personal information? We may share information with specific service providers (Stripe for payments, KLIPY for the GIF-search privacy proxy, NVIDIA Broadcast as an opt-in AI provider, identity providers for Single Sign-On). We do not sell your personal information. See Section 5.

Self-hosted Concord Voice — operator is the data controller. If you use a Concord Voice instance hosted by an organization other than Concord Voice LLC (a “self-hosted” deployment under the Concord Voice Source License 1.0), the operator of that instance — not Concord Voice LLC — is the data controller responsible for your personal information on that instance. See Section 18.

How do we keep your information safe? We have appropriate organizational and technical processes and procedures in place to protect your personal information, including end-to-end encryption for messages. However, no electronic transmission over the internet or information storage technology can be guaranteed to be 100% secure. See Section 11.

What are your rights? Depending on where you are located geographically, the applicable privacy law may mean you have certain rights regarding your personal information. See Section 12.

How do you exercise your rights? The easiest way is by submitting a data subject access request, or by contacting us. We will consider and act upon any request in accordance with applicable data protection laws.

What Information Do We Collect?
End-to-End Encryption and Content Inaccessibility
How Do We Process Your Information?
What Legal Bases Do We Rely On to Process Your Personal Information?
When and With Whom Do We Share Your Personal Information?
Do We Use Cookies and Other Tracking Technologies?
Do We Offer Artificial Intelligence-Based Products?
How Do We Handle Your Single Sign-On?
Is Your Information Transferred Internationally?
How Long Do We Keep Your Information?
How Do We Keep Your Information Safe?
What Are Your Privacy Rights?
Controls for Do-Not-Track Features
Do United States Residents Have Specific Privacy Rights?
Age and Minors
Transparency Report
Law Enforcement and Legal Process
Source Code; Self-Hosted Instances
Do We Make Updates to This Notice?
How Can You Contact Us About This Notice?
How Can You Review, Update, or Delete the Data We Collect From You?

1. What Information Do We Collect?

Personal Information You Disclose to Us

In Short: We collect personal information that you provide to us.

We collect personal information that you voluntarily provide to us when you register on the Services, express an interest in obtaining information about us or our products and Services, when you participate in activities on the Services, or otherwise when you contact us.

Personal Information Provided by You. The personal information that we collect depends on the context of your interactions with us and the Services, the choices you make, and the products and features you use. The personal information we collect may include the following:

email addresses
usernames
display names
passwords (stored as Argon2id hashes; we never store plaintext passwords)
phone numbers (only if you choose to enable SMS multi-factor authentication)
contact preferences
billing addresses (only if you subscribe to a paid plan)
contact or authentication data (for example, multi-factor-authentication setup)

Sensitive Information

When necessary, with your consent or as otherwise permitted by applicable law, we process the following categories of sensitive information:

Date of birth — collected at registration for age-verification purposes consistent with applicable age-of-majority laws.
Approximate geolocation — collected for the limited purpose of jurisdictional compliance with age-verification and online-services laws (see “Age Attestation, Assurance, and Verification” in Section 3).

Payment Data

We may collect data necessary to process your payment if you choose to make purchases, such as your payment instrument number, and the security code associated with your payment instrument. All payment data is handled and stored by Stripe. You may find their privacy notice at https://stripe.com/privacy. Concord Voice LLC does not store full payment-card numbers or CVV codes.

We may provide you with the option to register with us using your existing identity-provider account. Currently supported providers include Google and Apple Sign-In (configurable per deployment). If you choose to register or sign in this way, we will collect certain profile information about you from the identity provider, as described in Section 8.

Application Data

If you use our application(s), we may also collect the following information if you choose to provide us with access or permission:

Geolocation Information. We may request approximate location (typically derived from IP address rather than precise GPS) for the purposes described under “Approximate Geolocation” in Section 3. Precise location is not requested by the Concord Voice client.
Device Access. We may request access or permission to certain features from your device, including your device’s microphone (for voice calls), camera (for video calls), notifications (for incoming calls and messages), and storage (for media attachments). If you wish to change our access or permissions, you may do so in your device’s settings.
Device Data. We automatically collect device information such as your device model and manufacturer, operating system, version information and system configuration information, device and application identification numbers, Internet service provider and/or mobile carrier, and Internet Protocol (IP) address (or proxy server).
Push Notifications. We may send you push notifications regarding your account or certain features of the application(s). If you wish to opt out from receiving these types of communications, you may turn them off in your device’s settings.

This information is primarily needed to maintain the security and operation of our application(s), for troubleshooting, and for our internal analytics and reporting purposes. Concord Voice has a low-telemetry architecture by design — we collect only what is necessary to operate the Service, and we do not collect crash dumps or behavioral analytics from the application.

All personal information that you provide to us must be true, complete, and accurate, and you must notify us of any changes to such personal information.

Information Automatically Collected

In Short: Some information — such as your Internet Protocol (IP) address and/or browser and device characteristics — is collected automatically when you visit our Services.

We automatically collect certain information when you visit, use, or navigate the Services. This information does not reveal your specific identity (like your name or contact information) but may include device and usage information, such as your IP address, browser and device characteristics, operating system, language preferences, referring URLs, device name, country, location, information about how and when you use our Services, and other technical information. This information is primarily needed to maintain the security and operation of our Services, and for our internal analytics and reporting purposes.

The information we collect includes:

Log and Usage Data. Service-related, diagnostic, usage, and performance information our servers automatically collect when you access or use our Services and which we record in log files. Depending on how you interact with us, this log data may include your IP address, device information, browser type, and information about your activity in the Services.
Device Data. Information about your computer, phone, tablet, or other device you use to access the Services, including IP address (or proxy server), device and application identification numbers, approximate location, browser type, hardware model, ISP or mobile carrier, operating system, and system configuration information.
Location Data. Approximate location data derived from IP address. We do not collect precise GPS data for the Concord Voice client. You can disable location-based features by refusing IP-based location resolution or by using a VPN.

Like many businesses, we also collect information through cookies and similar technologies. You can find out more about this in our Cookie Notice at https://www.concordvoice.com/cookie-policy [Cookie Notice publication is pending].

Google API

Our use of information received from Google APIs (Google Sign-In) adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Information Collected From Other Sources

In Short: We may collect limited data from public databases and other outside sources.

In order to verify accounts and enhance our ability to provide relevant service to you, we may obtain information about you from other sources, such as public databases (for example, sanctions-list checks per applicable export-control and sanctions laws), data providers, and from other third parties. We do not purchase contact lists, intent data, or behavioral data from data brokers for marketing or profiling purposes.

If you interact with us on a social media platform using your social media account, we may receive limited personal information about you from such platforms. Any personal information that we collect from your social media account depends on your social media account’s privacy settings. Please note that their own use of your information is not governed by this Privacy Notice.

2. End-to-End Encryption and Content Inaccessibility

In Short: Concord Voice uses end-to-end encryption (E2EE) for messages. We do not possess the keys needed to decrypt your encrypted content and cannot read, scan, analyze, moderate, or disclose it — even when compelled by legal process.

2.1 Encryption of Message Content

Concord Voice employs end-to-end encryption for messages transmitted in servers, channels, and direct messages. Messages are encrypted on your device before transmission using AES-256-GCM (authenticated encryption), with encryption keys wrapped using RSA-OAEP 4096-bit encryption. Only the intended recipients possess the keys necessary to decrypt the content.

2.2 Voice and Video Streams

Voice and video streams transmitted via our media plane (a mediasoup SFU) are end-to-end encrypted at the frame level. Media frames are encrypted on your device using AES-128-GCM via the WebRTC Encoded Transform API before they reach our media server. The media server (a Selective Forwarding Unit, or SFU) forwards the encrypted RTP payloads to other participants in the same channel or call without seeing the plaintext audio or video content.

Frame encryption keys are derived from the same per-channel symmetric keys that protect text messages (see Section 2.1), using HKDF-SHA256 key derivation. This means voice/video end-to-end encryption is bound to the same Role-Based Access Control as message end-to-end encryption — only members with access to a channel can derive the keys to decrypt voice and video from that channel. Keys are rotated on an epoch basis when channel membership changes, so users who leave a channel cannot decrypt subsequent voice or video on that channel.

In addition to frame-level end-to-end encryption, the connection between your device and our media server is protected by DTLS-SRTP transport-layer encryption, providing a defense-in-depth layer against passive network adversaries.

Voice and video streams are not persisted on our servers — they are forwarded in real time and discarded.

Both server-channel voice/video rooms and direct-message 1:1 voice calls use this same end-to-end encryption substrate.

2.3 What Concord Voice CANNOT Access

For end-to-end encrypted content (messages):

We cannot read, listen to, watch, scan, analyze, moderate, train AI models on, advertise based on, or otherwise process the plaintext content.
We cannot disclose the plaintext content to third parties — including law enforcement, government agencies, or any other requesting party — even when compelled by valid legal process. This is a technical limitation, not a policy choice.
We cannot recover end-to-end encrypted content that is lost due to key loss (for example, if you lose all devices holding key material without first having backed up your keys).

2.4 What Concord Voice CAN See: Metadata

Unencrypted metadata necessary for service operation may be collected and processed. This includes:

Account registration information (email address, username, date of account creation, hashed password, MFA configuration)
Timestamps of messages and other events
IP addresses and access logs
Server membership and channel membership
Presence status (online, away, offline)
Aggregate counts (number of messages in a channel, etc.)
Payment records (handled by Stripe, see Section 1)

Metadata is processed under the legal bases described in Section 4. Metadata retention is subject to the policies described in Section 10.

2.5 Limits of End-to-End Encryption

End-to-end encryption protects message content in transit and at rest on our servers. It does not prevent:

A recipient from copying, screenshotting, or otherwise sharing decrypted content on their own device.
A user with access to the message (you or another recipient) from voluntarily sharing the decrypted content with us (for example, in response to a content moderation report).
A user from voluntarily exporting their conversation history outside the Service.

Concord Voice is not responsible for actions taken by other users with content you share.

2.6 Cross-Reference to Terms of Service

This Section 2 is the privacy-policy counterpart to Section 3 of our Terms of Service. Both documents describe the same encryption properties; this Privacy Notice frames them as “what we don’t process,” while the Terms of Service frames them as “what the Service does technically.” The substantive facts are identical.

3. How Do We Process Your Information?

In Short: We process your information to provide, improve, and administer our Services, communicate with you, for security and fraud prevention, and to comply with law. We may also process your information for other purposes only with your prior explicit consent.

We process your personal information for a variety of reasons, depending on how you interact with our Services, including:

To facilitate account creation and authentication and otherwise manage user accounts. We process your information so you can create and log in to your account, as well as keep your account in working order.
To deliver and facilitate delivery of services to the user. We process your information to provide you with the requested service, including transmitting end-to-end encrypted messages, routing voice and video calls, and maintaining presence status.
To send administrative information to you. We process your information to send you details about our products and services, changes to our terms and policies, security alerts, account verification, and other similar transactional communications. These communications are necessary for account operation and cannot be opted out of while your account remains active.
To enable user-to-user communications. We process metadata about who is communicating with whom (server/channel membership, timestamps, presence) so that messages and calls are routed correctly. Message content itself is end-to-end encrypted (see Section 2).
To protect our Services. We may process your information as part of our efforts to keep our Services safe and secure, including fraud monitoring and prevention, rate-limiting, and abuse detection (based on metadata, not encrypted content).
To save or protect an individual’s vital interest. We may process your information when necessary to save or protect an individual’s vital interest, such as to prevent imminent harm.
Age Attestation, Assurance, and Verification. We may process data associated with age (user-provided date of birth; Apple’s Declared Age Range API [opt-in]; Google’s Play Age Signals API [opt-in]) for the purposes of compliance with relevant laws within jurisdictions requiring attestation, assurance, or verification of age to access online communication services.
Approximate Geolocation. We may process data related to approximate geolocation (typically derived from IP address) for the purposes of compliance with relevant laws within jurisdictions requiring jurisdictional verification to access online communication services.

We do not process your information to:

Train artificial-intelligence or machine-learning models on your content (other than the opt-in NVIDIA Broadcast feature described in Section 7).
Build advertising profiles or sell your personal information.
Engage in behavioral targeting or share with marketing-data brokers.

4. What Legal Bases Do We Rely On to Process Your Personal Information?

In Short: We only process your personal information when we believe it is necessary and we have a valid legal reason (i.e., legal basis) to do so under applicable law, like with your consent, to comply with laws, to provide you with services to enter into or fulfill our contractual obligations, to protect your rights, or to fulfill our legitimate business interests.

If you are located in the EU or UK, this section applies to you.

The General Data Protection Regulation (GDPR) and UK GDPR require us to explain the valid legal bases we rely on in order to process your personal information. As such, we may rely on the following legal bases to process your personal information:

Consent. We may process your information if you have given us permission to use your personal information for a specific purpose. You can withdraw your consent at any time.
Performance of a Contract. We may process your personal information when we believe it is necessary to fulfill our contractual obligations to you, including providing our Services or at your request prior to entering into a contract with you.
Legitimate Interests. We may process your information when we believe it is reasonably necessary to achieve our legitimate business interests and those interests do not outweigh your interests and fundamental rights and freedoms. For example, to:
- Diagnose problems and/or prevent fraudulent activities
- Provide and maintain the security of the Services
- Detect and prevent abuse
Legal Obligations. We may process your information where we believe it is necessary for compliance with our legal obligations, such as to cooperate with a law enforcement body or regulatory agency, exercise or defend our legal rights, or disclose your information as evidence in litigation in which we are involved.
Vital Interests. We may process your information where we believe it is necessary to protect your vital interests or the vital interests of a third party, such as situations involving potential threats to the safety of any person.

If you are located in Canada, this section applies to you.

We may process your information if you have given us specific permission (i.e., express consent) to use your personal information for a specific purpose, or in situations where your permission can be inferred (i.e., implied consent). You can withdraw your consent at any time.

In some exceptional cases, we may be legally permitted under applicable law to process your information without your consent, including, for example:

If collection is clearly in the interests of an individual and consent cannot be obtained in a timely way
For investigations and fraud detection and prevention
For business transactions provided certain conditions are met
If it is contained in a witness statement and the collection is necessary to assess, process, or settle an insurance claim
For identifying injured, ill, or deceased persons and communicating with next of kin
If we have reasonable grounds to believe an individual has been, is, or may be victim of financial abuse
If it is reasonable to expect collection and use with consent would compromise the availability or the accuracy of the information and the collection is reasonable for purposes related to investigating a breach of an agreement or a contravention of the laws of Canada or a province
If disclosure is required to comply with a subpoena, warrant, court order, or rules of the court relating to the production of records
If it was produced by an individual in the course of their employment, business, or profession and the collection is consistent with the purposes for which the information was produced
If the collection is solely for journalistic, artistic, or literary purposes
If the information is publicly available and is specified by the regulations
We may disclose de-identified information for approved research or statistics projects, subject to ethics oversight and confidentiality commitments

In Short: We may share information in specific situations described in this section and/or with the following third parties.

We do not sell or share your personal information for cross-context behavioral advertising. We may share your personal information with the following categories of recipients in the following situations:

5.1 Service Providers

We share information with service providers that perform specific functions on our behalf:

Service Provider	Purpose	Privacy Policy
Stripe	Payment processing for paid subscriptions	stripe.com/privacy
KLIPY	GIF search and delivery via privacy proxy (we proxy your search to KLIPY to prevent direct contact between your device and KLIPY’s servers)	See KLIPY privacy policy
NVIDIA Broadcast	Opt-in AI audio/video enhancement (RTX-Series GPU required); see Section 7	nvidia.com/en-us/about-nvidia/privacy-policy
Google	Single Sign-On (if you use Google to sign in); push notifications via FCM	policies.google.com/privacy
Apple	Single Sign-On (if you use Sign in with Apple); push notifications via APNs	apple.com/legal/privacy
Resend	Transactional email delivery (account verification, password reset, security alerts)	resend.com/legal/privacy-policy

5.2 Business Transfers

We may share or transfer your information in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company.

5.3 Other Users

When you share personal information (for example, by posting messages, contributions, or other content to public channels) or otherwise interact with public areas of the Services, such personal information may be viewed by other users.

If you participate in a server, your username, display name, and profile information are visible to other server members. Your messages in a channel are end-to-end encrypted and readable only by the recipients you intend (server members with access to that channel).

5.4 Law Enforcement and Legal Process

We may disclose your information to law enforcement, government authorities, or other parties in response to valid legal process. Due to end-to-end encryption, we cannot provide the plaintext content of encrypted communications even when compelled. See Section 17 for the full law enforcement process and the categories of information we may be able to provide.

We may share your information with third parties when you have given us your consent to do so.

6. Do We Use Cookies and Other Tracking Technologies?

In Short: We may use cookies and other tracking technologies to collect and store your information.

We may use cookies and similar tracking technologies (like web beacons and pixels) to gather information when you interact with our Services. Some online tracking technologies help us maintain the security of our Services and your account, prevent crashes, fix bugs, save your preferences, and assist with basic site functions.

We do not use third-party advertising cookies or tracking pixels for cross-context behavioral advertising. The Concord Voice desktop and mobile applications do not contain advertising trackers.

Specific information about how we use such technologies and how you can refuse certain cookies is set out in our Cookie Notice at https://www.concordvoice.com/cookie-policy [Cookie Notice publication is pending].

7. Do We Offer Artificial Intelligence-Based Products?

In Short: We offer optional, opt-in AI features powered by third-party AI service providers. We do not train our own AI models on your end-to-end encrypted content.

As part of our Services, we offer optional, opt-in products, features, or tools powered by artificial intelligence, machine learning, or similar technologies (collectively, “AI Products”). These tools are designed to enhance your experience.

Use of AI Technologies

We provide the AI Products through third-party service providers (“AI Service Providers”), currently including:

NVIDIA Broadcast — opt-in audio/video enhancement (background noise removal, virtual background, eye-contact correction). Requires an NVIDIA RTX-Series GPU. Usage of NVIDIA Broadcast in the app is managed under Settings → Audio & Video.

Our AI Products

Our AI Products are designed for the following functions:

Local audio/video enhancement (noise removal, background blur, etc.) via NVIDIA Broadcast

How We Process Your Data Using AI

All personal information processed using our AI Products is handled in line with this Privacy Notice and our agreement with third parties. NVIDIA Broadcast runs locally on your device — your audio and video do not leave your device for AI processing. The NVIDIA Broadcast SDK is licensed under NVIDIA’s terms; please review NVIDIA’s privacy policy for details on any telemetry the SDK may transmit.

We do not:

Train our own AI/ML models on your message content
Send your end-to-end encrypted content to any AI Service Provider for any purpose
Profile you for advertising based on AI-derived characteristics

How to Opt Out

NVIDIA Broadcast usage in the app is opt-in. To opt out, go to Settings → Audio & Video and disable NVIDIA Broadcast features.

8. How Do We Handle Your Single Sign-On?

In Short: If you choose to register or log in to our Services using a third-party identity provider, we may have access to certain information about you.

Our Services offer you the ability to register and log in using third-party identity-provider accounts. Currently supported providers (subject to per-deployment configuration) include:

Google (Google Sign-In)
Apple (Sign in with Apple)

Where you choose to do this, we will receive certain profile information about you from your identity provider. The profile information we receive may vary depending on the provider concerned, but will typically include your name, email address, and a stable identifier for your account.

We will use the information we receive only for the purposes that are described in this Privacy Notice or that are otherwise made clear to you on the relevant Services — primarily for account creation and authentication. We do not request access to your social graph, contacts, or other data beyond what is necessary for sign-in.

Please note that we do not control, and are not responsible for, other uses of your personal information by your third-party identity provider. We recommend that you review their privacy notice to understand how they collect, use, and share your personal information.

9. Is Your Information Transferred Internationally?

In Short: We may transfer, store, and process your information in countries other than your own. We disclose below the legal basis we rely on for transfers from the EEA, UK, or Switzerland to the United States, and the current status of related compliance work.

Our servers are currently located in the United States. Regardless of your location, please be aware that your information may be transferred to, stored by, and processed by us in our facilities and in the facilities of the third parties with whom we may share your personal information (see Section 5 above), primarily in the United States and other countries where our service providers operate.

If you are a resident in the European Economic Area (EEA), United Kingdom (UK), or Switzerland, then these countries may not necessarily have data protection laws or other similar laws as comprehensive as those in your country.

9.1 Legal Basis for EEA / UK / Switzerland to United States Transfer

Concord Voice LLC currently relies on Article 49(1)(a) of the GDPR (and the equivalent UK GDPR provision) — explicit consent of the data subject — as the legal basis for transferring personal data from the EEA, UK, or Switzerland to the United States.

By creating an account on the hosted Concord Voice Service (operated from the United States), you are providing explicit consent to the transfer of your personal data to the United States, having been informed of the following risks:

The United States does not currently have an adequacy decision from the European Commission (other than the EU-US Data Privacy Framework, in which Concord Voice LLC does not participate — see Section 9.2).
US law enforcement and intelligence services may, under US law, have surveillance access to personal data transferred to US-based service providers, beyond what is permitted under EU/UK data protection law. See our Transparency Report for the legal-process requests we have received.
The data protection rights you have under GDPR/UK GDPR (access, rectification, erasure, restriction, portability, objection) are guaranteed by Concord Voice’s contractual commitment in this Privacy Notice but may not be equivalently enforceable against US-based third-party processors absent additional safeguards.
End-to-end encryption (see Section 2) provides cryptographic protection for message content even in the event of compelled disclosure, but does not protect metadata.

You may withdraw your consent at any time by deleting your account or by contacting us as described in Section 12.

9.2 EU-US Data Privacy Framework — Not Participating

Concord Voice LLC is NOT currently certified under the EU-US Data Privacy Framework (DPF), the Swiss-US Data Privacy Framework, or the UK Extension to the EU-US DPF. We do not claim DPF benefits and do not represent that we adhere to DPF Principles. If DPF certification is pursued in the future, this Privacy Notice will be updated and we will file the required certification with the US Department of Commerce.

9.3 Standard Contractual Clauses (SCCs) — In Progress

Concord Voice LLC has not yet executed Standard Contractual Clauses with all of our third-party processors (see Section 5.1). SCC execution with each processor is in progress as part of our broader EU/UK compliance program. Until SCCs are fully executed, EEA/UK personal-data transfers to our processors rely on the same Article 49(1)(a) consent basis described in Section 9.1.

Once SCCs are executed, this Privacy Notice will be updated to identify SCCs as the primary legal basis for transfer, and the Article 49(1)(a) consent basis will be supplemented (not replaced — consent remains a defensible parallel basis).

9.4 EU and UK Representative — Not Yet Appointed

Concord Voice LLC has not yet appointed a representative under Article 27 of the GDPR or under the equivalent provision of the UK GDPR. We acknowledge that appointment of a representative is required for non-EU/UK controllers offering services to EEA/UK residents who do not fall within the Article 27(2) exemption, and we do not assert that Concord Voice falls within that exemption.

Appointment of an Article 27 representative is in progress as part of our broader EU/UK compliance program. Until a representative is appointed, EEA, UK, and Swiss residents who wish to exercise their GDPR/UK GDPR rights may contact us directly at:

Data Protection Officer Concord Voice LLC Email: [email protected] Post: 2008 Bremo Road, Suite 110, Richmond, VA 23226, United States

We will respond to such requests within the timelines required under the GDPR/UK GDPR, regardless of representative status. We will publish the appointed representative’s contact details in this Privacy Notice once appointment is complete.

If you are an EEA, UK, or Swiss resident and you are uncomfortable with the current status of our EU/UK compliance program, we encourage you to either (a) wait to register until our compliance program matures, or (b) consider using a self-hosted Concord Voice deployment operated by an EU/UK organization that has its own compliance posture (see Section 18).

9.5 Self-Service Right to Compliance Status Updates

If you wish to be notified when our EU/UK compliance status changes (for example, when SCCs are executed or when an Article 27 representative is appointed), please contact [email protected] with the subject line “EU/UK Compliance Notification” and we will add you to a notification list for material privacy-program updates.

10. How Long Do We Keep Your Information?

In Short: We keep your information for as long as necessary to fulfill the purposes outlined in this Privacy Notice unless otherwise required by law.

We will only keep your personal information for as long as it is necessary for the purposes set out in this Privacy Notice, unless a longer retention period is required or permitted by law (such as tax, accounting, or other legal requirements). No purpose in this notice will require us to keep your personal information for longer than the period of time in which you have an account with us.

Account data is deleted within 30 days of account deletion, except where retention is required by law. End-to-end encrypted message content stored on our servers is also deleted within this window (though ciphertext is, by construction, not readable by us — only the deletion of the ciphertext copies is meaningful from our perspective).

When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize such information, or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.

11. How Do We Keep Your Information Safe?

In Short: We aim to protect your personal information through a system of organizational and technical security measures, including end-to-end encryption for messages.

We have implemented appropriate and reasonable technical and organizational security measures designed to protect the security of any personal information we process. These include:

End-to-end encryption for messages (see Section 2)
TLS 1.3 for all data in transit between your device and our servers
Argon2id password hashing (OWASP-recommended parameters)
Multi-factor authentication support (TOTP, SMS, hardware tokens via WebAuthn)
Rate limiting and abuse detection at the API gateway
Encrypted storage for sensitive data at rest
Regular security audits and penetration testing
Pre-commit security scanning (TruffleHog, detect-secrets, Gitleaks, Semgrep, SonarQube AI-Code Assurance) on all code changes

However, despite our safeguards and efforts to secure your information, no electronic transmission over the Internet or information storage technology can be guaranteed to be 100% secure, so we cannot promise or guarantee that hackers, cybercriminals, or other unauthorized third parties will not be able to defeat our security and improperly collect, access, steal, or modify your information. Although we will do our best to protect your personal information, transmission of personal information to and from our Services is at your own risk. You should only access the Services within a secure environment.

12. What Are Your Privacy Rights?

In Short: Depending on your state of residence in the US or in some regions, such as the European Economic Area (EEA), United Kingdom (UK), Switzerland, and Canada, you have rights that allow you greater access to and control over your personal information. You may review, change, or terminate your account at any time, depending on your country, province, or state of residence.

In some regions (like the EEA, UK, Switzerland, and Canada), you have certain rights under applicable data protection laws. These may include the right (i) to request access and obtain a copy of your personal information, (ii) to request rectification or erasure; (iii) to restrict the processing of your personal information; (iv) if applicable, to data portability; and (v) not to be subject to automated decision-making. If a decision that produces legal or similarly significant effects is made solely by automated means, we will inform you, explain the main factors, and offer a simple way to request human review. In certain circumstances, you may also have the right to object to the processing of your personal information.

You can make such a request by:

Submitting a data subject access request via our self-serve portal, or
Contacting our Data Protection Officer at [email protected], or
Contacting our general privacy team at [email protected].

We will consider and act upon any request in accordance with applicable data protection laws.

If you are located in the EEA or UK and you believe we are unlawfully processing your personal information, you also have the right to complain to your Member State data protection authority or the UK data protection authority.

If you are located in Switzerland, you may contact the Federal Data Protection and Information Commissioner.

If we are relying on your consent to process your personal information, which may be express and/or implied consent depending on the applicable law, you have the right to withdraw your consent at any time. You can withdraw your consent at any time by contacting us using the contact details provided in Section 20 or by updating your preferences.

However, please note that this will not affect the lawfulness of the processing before its withdrawal nor, when applicable law allows, will it affect the processing of your personal information conducted in reliance on lawful processing grounds other than consent.

Opting out of marketing and promotional communications

You can unsubscribe from our marketing and promotional communications at any time by:

In the app, go to Settings → Notifications to update your preferences.
In the app, go to Settings → Privacy & Security to manage SMS multi-factor authentication enrollment.
Contacting us using the details provided in Section 20.

You will then be removed from any marketing lists. However, we may still communicate with you — for example, to send you service-related messages that are necessary for the administration and use of your account, to respond to service requests, or for other non-marketing purposes (transactional communications).

No mobile information will be shared with third parties or affiliates for marketing or promotional purposes. Information sharing to subcontractors in support services, such as customer service, is permitted. All other use case categories exclude text-messaging originator opt-in data and consent; this information will not be shared with third parties.

Account Information

If you would at any time like to review or change the information in your account or terminate your account, you can:

Log into the application, select Settings → Account, and update your user account.
Submit an account-deletion request via Settings → Privacy & Security → Delete Account.

Upon your request to terminate your account, we will deactivate or delete your account and information from our active databases within 30 days. However, we may retain some information in our files to prevent fraud, troubleshoot problems, assist with any investigations, enforce our legal terms and/or comply with applicable legal requirements.

Cookies and similar technologies

Most Web browsers are set to accept cookies by default. If you prefer, you can usually choose to set your browser to remove cookies and to reject cookies. If you choose to remove cookies or reject cookies, this could affect certain features or services of our Services. For further information, please see our Cookie Notice at https://www.concordvoice.com/cookie-policy.

If you have questions or comments about your privacy rights, you may email us at [email protected].

13. Controls for Do-Not-Track Features

Most web browsers and some mobile operating systems and mobile applications include a Do-Not-Track (“DNT”) feature or setting you can activate to signal your privacy preference not to have data about your online browsing activities monitored and collected. At this stage, no uniform technology standard for recognizing and implementing DNT signals has been finalized. As such, we do not currently respond to DNT browser signals or any other mechanism that automatically communicates your choice not to be tracked online. If a standard for online tracking is adopted that we must follow in the future, we will inform you about that practice in a revised version of this Privacy Notice.

California law requires us to let you know how we respond to web browser DNT signals. Because there currently is not an industry or legal standard for recognizing or honoring DNT signals, we do not respond to them at this time.

Global Privacy Control

We recognize and honor Global Privacy Control (GPC) signals. If you use a browser or extension that supports GPC, we will treat this as a valid request to opt out of the sale or sharing of your personal information for targeted advertising purposes under applicable state privacy laws, including the California Consumer Privacy Act (CCPA). When we detect a GPC signal from your browser, we will automatically apply your opt-out preference without requiring you to take any additional action. For more information about GPC and how to enable it, visit globalprivacycontrol.org.

14. Do United States Residents Have Specific Privacy Rights?

In Short: If you are a resident of California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, or Virginia, you may have the right to request access to and receive details about the personal information we maintain about you and how we have processed it, correct inaccuracies, get a copy of, or delete your personal information. You may also have the right to withdraw your consent to our processing of your personal information. These rights may be limited in some circumstances by applicable law.

Categories of Personal Information We Collect

The table below shows the categories of personal information we have collected in the past twelve (12) months. The table includes illustrative examples of each category and does not reflect the personal information we collect from you. For a comprehensive inventory of all personal information we process, please refer to Section 1.

Category	Examples	Collected
A. Identifiers	Contact details, such as real name, alias, postal address, telephone or mobile contact number, unique personal identifier, online identifier, Internet Protocol address, email address, and account name	YES
B. Personal information as defined in the California Customer Records statute	Name, contact information, education, employment, employment history, and financial information	YES
C. Protected classification characteristics under state or federal law	Gender, age, date of birth, race and ethnicity, national origin, marital status, and other demographic data	YES (only date of birth for age verification)
D. Commercial information	Transaction information, purchase history, financial details, and payment information	YES
E. Biometric information	Fingerprints and voiceprints	NO
F. Internet or other similar network activity	Browsing history, search history, online behavior, interest data, and interactions with our and other websites, applications, systems, and advertisements	YES
G. Geolocation data	Device location (approximate, IP-based; not precise GPS)	YES
H. Audio, electronic, sensory, or similar information	Images and audio, video or call recordings created in connection with our business activities	NO (we do not record calls; voice/video streams are transient)
I. Professional or employment-related information	Business contact details in order to provide you our Services at a business level or job title, work history, and professional qualifications if you apply for a job with us	NO
J. Education Information	Student records and directory information	NO
K. Inferences drawn from collected personal information	Inferences drawn from any of the collected personal information listed above to create a profile or summary about, for example, an individual’s preferences and characteristics	NO
L. Sensitive personal information	Account login information; date of birth	YES

We only collect sensitive personal information, as defined by applicable privacy laws or the purposes allowed by law or with your consent. Sensitive personal information may be used, or disclosed to a service provider or contractor, for additional, specified purposes. You may have the right to limit the use or disclosure of your sensitive personal information. We do not collect or process sensitive personal information for the purpose of inferring characteristics about you.

We may also collect other personal information outside of these categories through instances where you interact with us in person, online, or by phone or mail in the context of:

Receiving help through our customer support channels;
Participation in customer surveys or contests; and
Facilitation in the delivery of our Services and to respond to your inquiries.

We will use and retain the collected personal information as needed to provide the Services for: as long as you have an account with us (for all categories above).

Sources of Personal Information

Learn more about the sources of personal information we collect in Section 1.

Learn more about how we use your personal information in Section 3.

Will Your Information Be Shared With Anyone Else?

We may disclose your personal information with our service providers pursuant to a written contract between us and each service provider. Learn more about how we disclose personal information in Section 5.

We may use your personal information for our own business purposes, such as for undertaking internal research for technological development and demonstration. This is not considered to be “selling” of your personal information.

We have not disclosed, sold, or shared any personal information to third parties for a business or commercial purpose in the preceding twelve (12) months. We will not sell or share personal information in the future belonging to website visitors, users, and other consumers.

Your Rights

You have rights under certain US state data protection laws. However, these rights are not absolute, and in certain cases, we may decline your request as permitted by law. These rights include:

Right to know whether or not we are processing your personal data
Right to access your personal data
Right to correct inaccuracies in your personal data
Right to request the deletion of your personal data
Right to obtain a copy of the personal data you previously shared with us
Right to non-discrimination for exercising your rights
Right to opt out of the processing of your personal data if it is used for targeted advertising (or sharing as defined under California’s privacy law), the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects (“profiling”)

Depending upon the state where you live, you may also have the following rights:

Right to access the categories of personal data being processed (as permitted by applicable law, including the privacy law in Minnesota)
Right to obtain a list of the categories of third parties to which we have disclosed personal data (as permitted by applicable law, including the privacy law in California, Delaware, and Maryland)
Right to obtain a list of specific third parties to which we have disclosed personal data (as permitted by applicable law, including the privacy law in Minnesota and Oregon)
Right to obtain a list of third parties to which we have sold personal data (as permitted by applicable law, including the privacy law in Connecticut)
Right to review, understand, question, and depending on where you live, correct how personal data has been profiled (as permitted by applicable law, including the privacy law in Connecticut and Minnesota)
Right to limit use and disclosure of sensitive personal data (as permitted by applicable law, including the privacy law in California)
Right to opt out of the collection of sensitive data and personal data collected through the operation of a voice or facial recognition feature (as permitted by applicable law, including the privacy law in Florida)

How to Exercise Your Rights

To exercise these rights, you can contact us by:

Submitting a data subject access request, or
Emailing us at [email protected], or
Referring to the contact details in Section 20.

We will honor your opt-out preferences if you enact the Global Privacy Control (GPC) opt-out signal on your browser.

Under certain US state data protection laws, you can designate an authorized agent to make a request on your behalf. We may deny a request from an authorized agent that does not submit proof that they have been validly authorized to act on your behalf in accordance with applicable laws.

Request Verification

Upon receiving your request, we will need to verify your identity to determine you are the same person about whom we have the information in our system. We will only use personal information provided in your request to verify your identity or authority to make the request. However, if we cannot verify your identity from the information already maintained by us, we may request that you provide additional information for the purposes of verifying your identity and for security or fraud-prevention purposes.

Appeals

Under certain US state data protection laws, if we decline to take action regarding your request, you may appeal our decision by emailing us at [email protected]. We will inform you in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If your appeal is denied, you may submit a complaint to your state attorney general.

15. Age and Minors

You must be at least 16 years of age to create an account or use Concord Voice. If you are located in the European Economic Area, the United Kingdom, or any jurisdiction that sets a higher minimum age for digital services, you must be at least 16 years of age or the applicable minimum age in your jurisdiction, whichever is greater.

This Privacy Notice describes how we handle personal information when you are using the Services in accordance with this age requirement. We do not knowingly accept, request, or solicit information from anyone who does not meet the applicable age requirement.

In accordance with the U.S. Children’s Online Privacy Protection Act (“COPPA”), if we receive actual knowledge that anyone under the age of 13 has provided personal information to us without verifiable parental consent, we will delete that information from the Services as quickly as is reasonably practical.

If we become aware that an account belongs to a user who does not meet the minimum age requirement (16+ generally, or the higher jurisdictional minimum where applicable), we will terminate that account without notice and delete the associated personal information consistent with our retention policies (see Section 10).

16. Transparency Report

Concord Voice publishes a transparency report annually disclosing the number and type of legal-process requests received, complied with, and challenged. This report does not include information that would identify individual users or compromise ongoing legal proceedings. The transparency report is published at www.concordvoice.com/transparency [publication URL pending].

This commitment mirrors Section 18.6 of our Terms of Service.

17. Law Enforcement and Legal Process

Concord Voice will comply with valid legal process served in accordance with applicable law, including subpoenas, court orders, and search warrants issued by courts of competent jurisdiction.

Due to the end-to-end encrypted architecture of the platform, Concord Voice does not possess and cannot provide the plaintext content of encrypted communications. This is a technical limitation, not a policy choice. See Section 2.

Information that Concord Voice may be able to provide in response to valid legal process includes, where available and applicable:

Account registration information (email address, username, date of account creation)
IP address logs and access timestamps
Server and channel membership
Payment records (if applicable)
Unencrypted metadata as described in Section 2.4

We will notify affected users of legal process requests unless prohibited by law, gag order, or court order from doing so, or where notification would jeopardize an active investigation as determined by the requesting authority.

Concord Voice does not voluntarily provide user data to law enforcement or government agencies absent valid legal process, except in cases involving an imminent threat to life or the physical safety of an individual, in which case Concord Voice may disclose information necessary to prevent harm at its discretion.

This section is consistent with Section 18 of our Terms of Service.

18. Source Code; Self-Hosted Instances

The Concord Voice source code is licensed under the Concord Voice Source License 1.0 (CVSL). Organizations and individuals may self-host the Concord Voice software on their own infrastructure, subject to the license terms.

18.1 Concord Voice LLC is NOT the data controller for self-hosted deployments.

If you use a Concord Voice instance that is not operated by Concord Voice LLC (i.e., a self-hosted instance operated by another organization or individual), then:

The operator of that instance is the data controller responsible for your personal information on that instance.
Concord Voice LLC has no access to the data processed on that instance, no control over how that data is processed, and no responsibility for compliance with applicable data protection laws for that instance.
This Privacy Notice does not apply to data processed on self-hosted instances; you should consult the privacy policy of the organization operating that instance.

18.2 When This Privacy Notice Applies to Self-Hosters

This Privacy Notice applies to you as a self-hosting operator only to the extent that:

Your self-hosted instance connects to Concord Voice LLC’s hosted infrastructure (for example, the Concord Public Directory listing service, if you opt into it).
You separately interact with Concord Voice LLC’s hosted Service (concordvoice.chat) — for example, by creating an account.
You purchase a Commercial License (Enterprise or MSP/OEM) and Concord Voice LLC processes information about you as part of the licensing and support relationship.

18.3 Commercial Licensees

If you have purchased a Commercial License under the CVSL (Enterprise or MSP/OEM track — see commercial license documentation), Concord Voice LLC may process personal information about you (such as your contact information, billing information, and support correspondence) for purposes of the licensing and support relationship. This processing is governed by the commercial license agreement and this Privacy Notice.

19. Do We Make Updates to This Notice?

In Short: Yes, we will update this notice as necessary to stay compliant with relevant laws.

We may update this Privacy Notice from time to time. The updated version will be indicated by an updated “Last Updated” date at the top of this Privacy Notice. If we make material changes to this Privacy Notice, we may notify you either by prominently posting a notice of such changes or by directly sending you a notification. We encourage you to review this Privacy Notice frequently to be informed of how we are protecting your information.

20. How Can You Contact Us About This Notice?

If you have questions or comments about this notice, you may contact our Data Protection Officer (DPO) by email at [email protected], or contact us by post at:

Concord Voice LLC Data Protection Officer 2008 Bremo Road, Suite 110 Richmond, VA 23226 United States

Other privacy-related contact addresses:

General privacy inquiries: [email protected]
US state law rights (CCPA/CPRA, etc.): [email protected]
DPO inquiries (GDPR/UK GDPR): [email protected]
Account security concerns: [email protected]

21. How Can You Review, Update, or Delete the Data We Collect From You?

You have the right to request access to the personal information we collect from you, details about how we have processed it, correct inaccuracies, or delete your personal information. You may also have the right to request we limit the use or disclosure of your personal information or withdraw your consent to our processing of your personal information. These rights may be limited in some circumstances by applicable law.

To request to review, update, or delete your personal information, please:

Fill out and submit a data subject access request, or
Email us at [email protected].