Privacy Policy

Last updated: February 2025

1. Introduction

Vishin.ai ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy describes how we collect, use, store, and share information when you use our voice phishing (vishing) security awareness platform ("Service"). By using the Service, you agree to the practices described in this policy.

2. Information We Collect

We collect the following categories of information:

  • Account information: Name, email address, password (hashed), phone number (if provided for MFA), and role within your organization.
  • Organization data: Company name, industry, and account configuration settings.
  • Target data: Names, phone numbers, email addresses, departments, and job titles of individuals included in vishing campaigns. This data is provided by you and stored within your isolated tenant.
  • Campaign data: Scenarios, campaign configurations, call schedules, and legal signoff records.
  • Call recordings & transcripts: Audio recordings and AI-generated transcripts of outbound vishing calls conducted through the platform.
  • Usage analytics: Login events, feature usage patterns, API call logs, and session metadata.
  • Payment information: Payment method details are collected and processed by Stripe. We do not store credit card numbers or full payment details on our servers.

3. How We Use Your Information

We use the information we collect to:

  • Provide, operate, and maintain the Service, including executing vishing campaigns and generating reports.
  • Process payments and manage your token balance.
  • Authenticate users and enforce access controls.
  • Analyze campaign results and generate risk assessments.
  • Send transactional communications (account verification, password resets, campaign notifications).
  • Monitor and improve the security and performance of the Service.
  • Comply with legal obligations.

We do not sell your data to third parties. We do not use your campaign data, call recordings, or target information for advertising or marketing purposes.

4. Legal Basis for Processing

We process your information based on the following legal grounds:

  • Contractual necessity: Processing is necessary to provide the Service under our Terms of Service.
  • Legitimate interests: Improving the Service, ensuring security, and preventing fraud.
  • Legal compliance: Meeting regulatory and legal requirements.
  • Consent: Where required by applicable law, such as for optional communications.

5. Data Isolation & Multi-Tenancy

Vishin.ai is a multi-tenant platform with strict data isolation. All tenant data is separated using partition-key-based isolation at the database level. No data is shared between organizations. Each organization's data — including target lists, campaign results, call recordings, and user accounts — is accessible only to authorized users within that organization.

6. Data Sharing & Third Parties

We share data with the following third-party service providers, solely to operate the Service:

  • Twilio: Receives target phone numbers to place outbound calls and provide call recording and telephony services.
  • ElevenLabs: Receives scenario context to generate AI-powered voice during calls. Does not receive personally identifiable target information beyond what is spoken during a call.
  • Stripe: Receives payment information to process token purchases and manage billing. Stripe's use of your data is governed by the Stripe Privacy Policy.
  • Amazon Web Services (AWS): Hosts our infrastructure, including compute, database (DynamoDB), authentication (Cognito), file storage (S3), and AI services (Bedrock). Data is processed and stored within the United States (us-east-1 region).

We do not share your data with any other third parties except as required by law or with your explicit consent.

7. Call Recordings & Transcripts

Call recordings and AI-generated transcripts are stored securely within your tenant's isolated data environment. These recordings are used to generate campaign reports, risk assessments, and pass/fail analysis. Access to recordings is restricted to authorized users within your organization.

You are responsible for ensuring that call recording complies with all applicable laws in the jurisdictions where calls are placed and received. We recommend consulting with legal counsel regarding consent and notification requirements.

8. Data Retention & Deletion

We retain your data for as long as your account is active and as necessary to provide the Service. Specifically:

  • Account data: Retained while your account is active.
  • Campaign data & recordings: Retained while your account is active. You may request deletion of specific campaigns.
  • Payment records: Retained as required for tax and regulatory compliance (typically 7 years).
  • Usage logs: Retained for up to 12 months for security and operational purposes.

Upon account termination or deletion request, all tenant data (including campaigns, targets, recordings, and transcripts) is permanently deleted within 30 days. Some data may be retained longer if required by law.

9. Security Measures

We implement industry-standard security measures to protect your data, including:

  • Encryption in transit: All data is transmitted over TLS 1.3 (with TLS 1.2 fallback). TLS 1.0 and 1.1 are rejected.
  • Encryption at rest: All stored data is encrypted using AES-256.
  • Authentication: User authentication is managed through AWS Cognito with mandatory multi-factor authentication (MFA).
  • DNS security: DNSSEC is enabled, along with CAA records, SPF, and DMARC policies.
  • Web Application Firewall: AWS WAF provides rate limiting and protection against common web attacks.
  • Session management: Access tokens expire after 30 minutes with automatic idle timeout and server-side session revocation.
  • Security headers: HSTS with preload, X-Frame-Options DENY, Content Security Policy, and X-Content-Type-Options are enforced.

10. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you.
  • Correction: Request correction of inaccurate or incomplete data.
  • Deletion: Request deletion of your personal data, subject to legal retention requirements.
  • Data portability: Request an export of your data in a machine-readable format.
  • Objection: Object to processing of your data based on legitimate interests.
  • Restriction: Request restriction of processing in certain circumstances.

To exercise any of these rights, please contact us at privacy@vishin.ai. We will respond to your request within 30 days.

11. Cookies & Session Management

The Service uses essential cookies and local storage for authentication and session management. We do not use third-party tracking cookies or advertising cookies. Specifically:

  • Authentication cookies: Used to maintain your login session. These expire after 30 minutes of inactivity.
  • Local storage: Used to store UI preferences (such as sidebar state). This data remains on your device and is not transmitted to our servers.

Because we use only strictly necessary cookies, cookie consent banners are not required under most privacy regulations.

12. Children's Privacy

The Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child under 18, we will take steps to delete such information promptly.

13. International Data Transfers

The Service is hosted in the United States (AWS us-east-1 region). If you access the Service from outside the United States, your data will be transferred to and processed in the United States. By using the Service, you consent to this transfer. We implement appropriate safeguards to protect your data in accordance with applicable data protection laws.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. We encourage you to review this policy periodically. Your continued use of the Service after any changes constitutes acceptance of the revised policy.

15. Contact Information

If you have any questions about this Privacy Policy or our data practices, please contact us at:

privacy@vishin.ai