Vouch

Privacy Policy

Last updated: May 20, 2026

Vouch is a tool that other businesses use to ask their own customers for reviews and feedback. The data those businesses collect through Vouch belongs to them. We process it on their behalf, we keep it secure, and we never sell it or use it to market our own products.

Our core data commitments

  • We do not sell personal data. Not to advertisers, not to data brokers, not to anyone.
  • We do not use customer data for Vouch's own marketing or remarketing. Your customers are not retargeted by us.
  • We do not mine, profile, or share customer data across the businesses that use Vouch. Each business's data stays with that business.
  • We act as a processor on behalf of the business that invited the customer — they are the controller of that data.
  • Personal data is encrypted in transit and at rest, scoped by tenant, and access-logged.

1. Who we are and what this policy covers

Vouch (“Vouch”, “we”, “us”, or “our”) operates the software platform available at tryvouch.io, app.tryvouch.io, and related subdomains (collectively, the “Platform”). This Privacy Policy explains how we handle personal information when you visit our marketing website, when our business customers use the Platform, and when consumers interact with a Vouch-powered review or feedback request sent by one of those businesses.

The Platform exists to let independent businesses run their own review solicitation, reputation, and customer-feedback programs. We are the technology provider. We are not the business sending you the request, and we do not own the relationship with the consumer.

2. The two roles: controller vs. processor

Under privacy laws such as the GDPR, the UK GDPR, and the CCPA/CPRA, Vouch plays two distinct roles depending on whose data is involved:

  • When a business signs up for Vouch, configures campaigns, uploads their customer list, or asks their customers for reviews, that business is the controller (or, in CCPA terms, the business). Vouch is the processor (service provider). We only handle their customer data on their documented instructions.
  • When you visit our marketing site, request a demo, sign up for Vouch yourself, or contact us, Vouch is the controller of that limited set of data — for example, your work email and what plan you asked about.

If you received a review request, SMS, email, or feedback survey through Vouch, the business that contacted you is the controller of your data. Their privacy policy governs how they collect and use it. Vouch will not — and contractually cannot — use that data for any purpose other than delivering the service to that business.

3. Information we process

Marketing site visitors. When you browse tryvouch.io we collect limited analytics (pages viewed, referrer, coarse location derived from IP, device type). If you submit a demo or contact form we collect your name, work email, company, and anything you choose to write in the message.

Business customers and their team members. When you create or join a Vouch workspace, we collect your name, work email, hashed password (or SSO identifier), role, locations you manage, and audit-log activity required to run the service securely.

Consumer recipients of campaigns. When a business uploads or syncs customer records to Vouch — typically name, email, phone, locale, transaction context, and any review or feedback the consumer chooses to submit — we store and process that data strictly to deliver the business’s campaign and surface its results back to that business.

Third-party review platform content. When a business connects Google, Yelp, Facebook, Tripadvisor, Trustpilot, or similar accounts, we ingest the public reviews and metadata associated with that business’s own listings, so the business can manage responses from Vouch.

Public review and survey pages. When a consumer follows a Vouch-powered link or scans a kiosk QR code and submits a rating, review, survey answer, or callback request, we record the response, the timestamp, the IP address, and the user agent. The IP address and user agent are recorded as evidence of submission and to detect abuse; they are scoped to the workspace that ran the campaign and are not used to track the consumer across other sites.

Consent evidence. Where you provide consent to receive marketing communications (for example by opting into a business’s SMS list), we record the consent channel, the timestamp, the IP address, and the user agent that accompanied the opt-in so that the business can demonstrate compliance with TCPA, GDPR, and equivalent laws if challenged. We also record opt-outs the same way.

Kiosk sessions. The Vouch kiosk app, when used by a business in its own premises, records a short-lived session identifier and a device fingerprint (browser and device characteristics) for the kiosk device only — not for the consumer interacting with it — to bind a feedback submission to the specific kiosk that produced it and to prevent abuse. The kiosk does not capture signatures, photos, or government identification.

4. What we use data for

We process personal data only for the following purposes:

  • Operating the Platform — sending the campaigns a business has configured, routing replies to that business's inbox, generating their analytics and Vouch Score.
  • Securing the Platform — fraud detection, abuse prevention, audit logs, rate limiting, tenant isolation enforcement.
  • Supporting our business customers — answering their tickets, debugging issues they report, training their team if they ask us to.
  • Improving the Platform — only using aggregated, de-identified usage signals (e.g. feature adoption counts) that cannot reasonably be tied to an individual consumer.
  • Complying with legal obligations — tax records, lawful requests from authorities, retention periods required by law.

What we never do

  • We never use consumer data uploaded by one business to market Vouch to that consumer.
  • We never use consumer data uploaded by one business to enrich, score, target, or message customers of any other business on the Platform.
  • We never sell, rent, or share personal data with advertisers, data brokers, or third-party marketers. We do not participate in cross-context behavioral advertising of consumer data processed on behalf of our business customers.
  • We never train public or third-party AI models on the personal content inside a customer's workspace. AI features that operate on workspace data (e.g. reply drafting, recommendation engine) run with tenant isolation and do not contribute that content back to general model training.

5. Legal bases (EEA, UK, Switzerland)

Where GDPR or UK GDPR applies and Vouch is acting as a controller, we rely on: (a) contract to provide the Platform to our business customers and their team members; (b) legitimate interests for securing and improving the Platform, where those interests are not overridden by your rights; (c) consent for optional marketing emails about Vouch (you can withdraw at any time); and (d) legal obligation where applicable.

Where we act as a processor for a business customer, the lawful basis is determined by that business — we follow their documented instructions under our Data Processing Agreement.

6. Sharing data with third parties

We only share data with the categories of recipients listed below, and only to the extent needed to operate the Platform:

  • Infrastructure providers — Microsoft Azure (hosting, database, storage), under enterprise data-protection terms.
  • Communication providers — email, SMS, and WhatsApp gateways used to actually deliver the messages a business asked us to send on its behalf.
  • Identity and authentication — SSO and identity providers used by the business customer (e.g. SAML IdPs).
  • Connected review platforms — only the data needed to authenticate and operate the business's own connected listings on Google, Yelp, Facebook, Tripadvisor, Trustpilot, and similar services.
  • Professional advisors — auditors, lawyers, and accountants under confidentiality obligations.
  • Authorities — where required by valid legal process. We will notify the affected business customer unless legally prohibited.

All vendors are vetted, contractually bound to security and confidentiality obligations at least as strict as ours, and are not permitted to use personal data for their own purposes. The current list of sub-processors that handle workspace data is maintained at tryvouch.io/subprocessors/. Customers under a Data Processing Agreement receive advance notice of new sub-processors with an opportunity to object before processing begins.

OAuth applications and the MCP server. Each workspace can authorise third-party applications — such as a CRM connector, an internal copilot, or an LLM client connecting via Vouch’s Model Context Protocol (MCP) server — to act on the workspace’s behalf via Vouch’s OAuth 2.1 server. When you authorise an application, the data it can read or write is scoped to the OAuth scopes you approve and to the workspace whose user authorised it. The third-party application is not a Vouch sub-processor; once data leaves our API in response to that application’s request, the application’s own terms and privacy notice govern how it handles the data. Authorise only applications you trust. You can revoke an authorisation at any time from the workspace admin console.

7. International data transfers

The Platform is primarily hosted in Microsoft Azure regions selected based on the customer’s residency preference. Where personal data is transferred out of the EEA, UK, or Switzerland, we rely on appropriate safeguards including the European Commission’s Standard Contractual Clauses, the UK International Data Transfer Addendum, and supplementary technical measures (encryption in transit and at rest, tenant isolation).

8. Security

We design Vouch to be secure by default. Our controls include:

  • TLS 1.2+ for all data in transit; AES-256 for data at rest.
  • Row-level tenant isolation: every record is scoped to a workspace, and access is enforced at the application and database layer.
  • Least-privilege role-based access control, with separate write-gating for sensitive admin actions.
  • SAML SSO and short-lived API tokens for business customer authentication.
  • Comprehensive immutable audit logs covering campaign sends, data exports, and admin actions.
  • Continuous monitoring, dependency scanning, and W3C trace-based observability.
  • Encrypted, region-pinned backups with documented restore procedures.
  • Annual penetration testing and a responsible-disclosure program for security researchers.
  • Workforce background checks, mandatory security training, and 2FA on all internal access.

To report a security issue, email support@aartha.ai. We respond within one business day. Full detail on our controls, certifications, and the responsible-disclosure program is published at tryvouch.io/security/.

Breach notification. In the event of a confirmed personal data breach affecting a customer’s workspace, we notify the customer’s designated security contact without undue delay and in any event within 72 hours of confirmation, including what we know about scope, affected data categories, technical specifics, and remediation in progress. Where we act as a processor, we support our business customers in meeting their own regulatory notification obligations under GDPR Article 33, state breach-notice statutes, and equivalent laws.

9. Data retention

When we act as a processor, we retain workspace data for as long as the business customer’s subscription is active and for a short wind-down period afterward for backup and restore safety. The business can request deletion or export at any time, and we will action it within the timeframes set out in our Data Processing Agreement.

Operational retention defaults. Within an active workspace, we apply the following retention defaults to specific record types. Business customers can shorten these in their workspace compliance settings or, where the legal basis permits, extend them via written agreement:

  • Solicitation records (the trail of who was contacted, when, on which channel, with what result): 365 days from the send date.
  • Interaction events (campaign opens, clicks, form starts): 180 days from the event date.
  • Audit log entries (sensitive admin actions, exports, role changes, content publications): 730 days (2 years) from the action date.
  • Consent records (opt-in / opt-out evidence): retained for the life of the workspace and at least the period required by the applicable legal basis (typically 4 years for TCPA proof of consent, longer where local law requires).
  • Webhook delivery logs: 90 days from delivery.
  • Connector and integration credentials: retained encrypted while the integration is active; deleted within 30 days of disconnection.

When the workspace itself is terminated, we follow the wind-down described in §10 of our Terms of Use — a final export window of at least 30 days, then deletion of production records on a defined schedule, with encrypted backups expiring on their normal rotation thereafter.

When we act as a controller (e.g. for our marketing site contacts and our own business customer account records), we retain data only as long as needed for the purpose described, or as required by law.

10. Your privacy rights

Depending on where you live, you may have the right to access, correct, delete, port, restrict, or object to our processing of your personal data, and the right not to be subject to solely automated decision-making that produces legal effects. California residents have the rights set out in the CCPA/CPRA, including the right to know, the right to delete, the right to correct, and the right to limit use of sensitive personal information. We do not sell or share personal data for cross-context behavioral advertising, so there is nothing to opt out of in that respect — but you can still exercise your other rights.

If you received a Vouch-powered request from a business and you want your data corrected or deleted, the fastest path is to contact that business directly — they control your record. You can also email support@aartha.ai and we will route your request to the right workspace and confirm action with you.

If you are a Vouch business customer, you can exercise your rights about your own account data, or your team’s, by emailing support@aartha.ai.

11. California disclosures (CCPA / CPRA)

This section gives California residents the disclosures required by the California Consumer Privacy Act (as amended by the CPRA). It applies to personal information that Vouch processes as a business — that is, on our marketing site, in our account and billing systems, and in support interactions. When Vouch processes personal information on behalf of a business customer (a workspace), Vouch is a service provider under the CCPA, and the workspace operator is the business; the workspace operator’s privacy notice governs that processing.

Categories of personal information we have collected in the last 12 months (CCPA categories under Cal. Civ. Code §1798.140):

  • Identifiers — name, work email, employer, IP address, account identifier.
  • Commercial information — products/plans you have asked about, subscription history.
  • Internet or other electronic network activity — pages viewed on tryvouch.io, referrer, device and browser type, in-product feature usage.
  • Professional or employment information — job title and role within your organisation.
  • Geolocation — coarse location derived from IP address (city level).
  • Inferences — none drawn for advertising or profiling.
  • We do not collect sensitive personal information for the purposes defined in Cal. Civ. Code §1798.121, and we do not use any personal information for cross-context behavioural advertising.

Sources: directly from you (forms, support tickets, account creation), from your device (cookies, analytics), and from your employer when they invite you to a workspace or set you up via SSO.

Business purposes for which we use this information: operating the Platform; responding to demo and contact requests; securing the Platform; debugging and improving the Platform; complying with law. We do not use it for cross-context behavioural advertising.

Categories of recipients: the categories listed in §6 above — hosting and infrastructure providers, communication providers, identity providers, connected review platforms, professional advisors, and authorities where legally required.

Retention: marketing-site contacts are retained for up to 24 months after last interaction; account records are retained for the life of the account plus a wind-down period; security and audit logs are retained for at least one year as described in §8. Workspace data we process as a service provider is retained according to the workspace operator’s instructions.

Sale and sharing: Vouch does not sell personal information, and does not share personal information for cross-context behavioural advertising, within the meaning of the CCPA. We have not done so in the preceding 12 months and have no plans to do so. There is therefore nothing for you to opt out of in relation to sale or sharing.

Your CCPA rights: you have the right to know what personal information we have collected about you, to receive a copy, to correct it, to request deletion, to limit the use of sensitive personal information (we do not use sensitive personal information for purposes that trigger this right), and to be free from retaliation for exercising any of these rights. To exercise these rights, email support@aartha.ai. We respond within 45 days, extendable by a further 45 days where reasonably necessary with notice to you. We verify requests by matching the email address and, for higher-risk requests (e.g. deletion of an active workspace), by confirming account-control with a workspace administrator. Authorised agents may submit requests with written, signed permission from the consumer and proof of the agent’s registration.

Global Privacy Control (GPC). We honour the GPC signal where applicable. Because we do not sell or share personal information for cross-context behavioural advertising, the practical effect of a GPC signal on tryvouch.io is that we treat the visit as one in which the visitor has objected to any such processing — but since we don’t do it, your baseline experience is the same. We do not use the GPC signal as a basis for differential treatment.

Other US state privacy laws. If you are a resident of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Texas (TDPSA), Oregon (OCPA), Utah (UCPA), or another state with a comprehensive consumer privacy law, you have substantially similar rights and the same email contact applies. We will honour your rights as required by the law of your state of residence.

12. Automated decision-making and AI features

Vouch uses AI features (reply drafting, the Recommendation Engine, Vouch Score, sentiment and theme extraction, translation, and content assistance) within workspaces. These features operate on the data in a single workspace at a time, do not learn from or mix data across workspaces, and run on model providers configured with zero-day retention and no-training terms.

For the purposes of GDPR Article 22, Vouch does not make decisions about consumers that produce legal effects or similarly significant effects on the consumer using solely automated processing. Outputs of AI features — including reply drafts, recommendations, and Vouch Score — are decisional input for the business that runs the workspace, with a human in the loop before any customer-facing publication. If you have received a Vouch-powered message and you want a human to review any decision that affected you, contact the business that sent the message, or email support@aartha.ai and we will route your request.

Full detail is in our AI Policy.

13. Cookies and tracking

Our marketing site uses essential cookies plus a small set of first-party analytics cookies to understand which pages are useful. We do not run advertising trackers on the marketing site, and we do not run any third-party advertising trackers inside the Platform itself. The Platform uses only the cookies necessary to keep you logged in and to keep your session secure.

14. Children

Vouch is not intended for children under 16, and we do not knowingly collect data from them. Business customers are responsible for not uploading consumer data of children below the applicable age of consent in their jurisdiction.

15. Changes to this policy

We will post any material changes to this policy here and update the “Last updated” date at the top of this page. If the changes are significant, we will notify business customers in-app or by email before the changes take effect.

16. Contact and data controller identity

Vouch (operated by Aartha, Inc.)
Attn: Privacy Officer
San Ramon, CA 94582
United States

Privacy questions and data subject requests: support@aartha.ai
Security issues: support@aartha.ai
Procurement / security questionnaires: support@aartha.ai
General contact: support@aartha.ai

For the purposes of GDPR and the UK GDPR, Vouch Inc. is the data controller for the personal data described in this policy that we process as a controller, and the data processor for the personal data we process on behalf of a business customer. EEA, UK, and Swiss residents may also lodge a complaint with their local supervisory authority; we ask that you contact us first so we can try to resolve the issue directly.