Security & Privacy

Where your data lives

All primary processing and storage happens on Microsoft Azure in Sweden Central, inside the European Economic Area. Our database, blob storage, application telemetry, and compute (Azure App Services + AKS) are all EEA-resident.

Encryption

At rest: AES-256 (Azure-managed keys) on both the database and all blob storage.

In transit: TLS 1.2 or higher on every connection — APIs, WebSockets, blob downloads, and inter-service calls.

AI training

We do not train AI models on your data. The large language models, speech models, and computer-vision models behind the service are operated by Microsoft Azure (Azure OpenAI, Speech, Cognitive Search, Vision) and Google Cloud (Vertex AI / Gemini, Cloud Speech) under their enterprise tiers, which contractually prohibit training on customer content.

What we send to AI providers

Sent for processing: the text of the conversation, system prompts, any knowledge documents the persona owner has chosen to retrieve, and voice audio (to the speech-to-text provider for transcription).

Never sent: email addresses, passwords, payment information, IP addresses, or anonymous user identifiers.

What we don't persist

Voice audio. Streamed to the speech-to-text provider, transcribed, and discarded. We do not keep raw audio recordings.

Camera frames. Processed by the computer-vision provider in real time and discarded. Camera is only ever active after the visitor grants explicit OS-level permission.

Sub-processors

We share data only with the providers below, all of whom process on our behalf under their own privacy practices and data-processing agreements:

• AI & language models — Microsoft Azure (Azure OpenAI, Speech, Cognitive Search, Vision) in Sweden Central (EEA); Google Cloud (Vertex AI / Gemini, Cloud Speech) in Netherlands (EEA)
• Web search & re-ranking — Brave Search and Cohere (United States)
• Stock images — Freepik (European Union)
• Image generation — OpenAI DALL-E (United States)
• Authentication — Google OAuth (for "Sign in with Google")
• Billing — Flitt, a payment product of TBC Bank (Georgia)
• Infrastructure — Microsoft Azure (Sweden Central, EEA)

For US-based providers, we rely on Standard Contractual Clauses or equivalent transfer safeguards as required by GDPR.

Your rights (GDPR)

You can access, correct, export, delete, restrict, or object to processing of your personal data. To exercise any right, email privacy@personaizer.com from your registered address. Standard turnaround is 30 days.

For account deletion specifically, see our Delete Account page for the full procedure.

How long we keep things

Account information: while your account is active. Conversation transcripts: the period necessary to operate and improve the service. End-user consent records: 30 days. Authentication refresh tokens: 14 days. Operational telemetry: 90 days, with IP addresses masked.

Cookies & tracking

We use a single HTTP-only cookie that stores an anonymous identifier for end users of public AI personas, used for rate-limiting and abuse prevention. It expires after approximately 30 days. We do not use cookies for advertising, behavioral tracking, or cross-site profiling, and we do not sell your data.

Security incidents

If personal data is implicated in a security incident, we commit to notifying the relevant supervisory authority within 72 hours and, where the incident presents a high risk to data subjects, notifying affected users without undue delay, in line with GDPR Article 33.

Biometric data & minors

We do not store voiceprints, facial templates, or other biometric identifiers. Voice and camera data are transient as described above.

The service is not directed to children under 13 (or the higher minimum age in your jurisdiction). We do not knowingly collect personal information from minors.

Enterprise & due diligence

For enterprise customers we sign data-processing agreements (DPAs) on request — contact legal@personaizer.com.

We're also happy to complete security and privacy questionnaires from your procurement team — same address.

Contact

Privacy questions: privacy@personaizer.com
Legal / DPA / contracts: legal@personaizer.com