Privacy Policy
Last Updated: April 2026
Introduction
CASUMI ("we", "our", or "us") provides phone call transcription and summarization services. This Privacy Policy explains how we collect, use, and protect your personal information when you use our service.
Data We Collect
Account Information
- Email address
- Full name (optional)
- Password (hashed, never stored in plain text)
Call Recordings and Transcriptions
- Audio recordings you upload
- Transcription text generated from your recordings
- AI-generated summaries, key points, and action items
- Speaker identification data
Contacts
- Contact names, phone numbers, and email addresses you import or create
Usage Data
- API request logs (IP address, timestamps, endpoints accessed)
- Device information for push notifications
Purpose of Processing
We process your data for the following purposes:
- Service Delivery: Transcribing and summarizing your call recordings
- Account Management: Authentication, billing, and customer support
- Notifications: Sending email, WhatsApp, or push notifications when processing completes
- Service Improvement: Analyzing usage patterns to improve our service (anonymized)
Data Retention
| Data Type | Retention Period |
|---|---|
| Audio recordings | 365 days (moved to archive after 90 days) |
| Transcriptions | Retained while account active |
| Summaries | Retained while account active |
| Account data | Retained while account active |
| Audit logs | 2 years |
You may request deletion of your data at any time (see "Your Rights" below).
Third-Party Processors
We use the following third-party services to process your data:
| Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| Deepgram | Speech-to-text transcription | Audio recordings | USA |
| Anthropic | AI summarization | Transcription text | USA |
| AWS (S3) | Cloud storage | Audio recordings | USA/EU |
| SendGrid | Email delivery | Email addresses | USA |
| Twilio | WhatsApp notifications | Phone numbers | USA |
| Expo | Push notifications | Device tokens | USA |
| Paddle | Payment processing | Billing information | UK/EU |
| Mixpanel | Product analytics | Anonymous usage events, device info | EU |
All processors are bound by Data Processing Agreements (DPAs) and comply with applicable data protection regulations.
Payment Processing
We use Paddle.com as our Merchant of Record. Paddle handles all payment processing, VAT collection, invoicing, and refunds. When you make a purchase, your payment information is collected and processed directly by Paddle — we never see or store your full credit card details. Paddle's privacy policy applies to payment data: paddle.com/legal/privacy.
Cross-Border Transfers
Your data may be transferred to and processed in the United States and the United Kingdom. We ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs)
- Processor agreements with data protection provisions
Your Rights
Under GDPR and Israeli Privacy Protection Law, you have the right to:
Access
Request a copy of all data we hold about you. Use the "Export Data" feature in the app settings or contact us.
Rectification
Correct inaccurate personal data through your account settings.
Erasure (Right to be Forgotten)
Delete your account and all associated data. Use the "Delete Account" feature in the app or contact us.
Data Portability
Export your data in a machine-readable format (JSON/ZIP).
Restriction
Request that we limit processing of your data in certain circumstances.
Object
Object to processing based on legitimate interests.
To exercise these rights, contact us at [email protected] or use the in-app features.
Security Measures
We implement the following security measures:
- Encryption: TLS 1.3 for data in transit, AES-256 for data at rest
- Authentication: JWT tokens with rotation, bcrypt password hashing
- Access Control: Role-based access, API key authentication
- Monitoring: Rate limiting, intrusion detection, audit logging
- Infrastructure: SOC 2 compliant cloud providers
Call Recording Disclosure
IMPORTANT: By using this service, you acknowledge that:
- You are responsible for complying with all applicable call recording laws
- Israel's Wiretapping Law (1979, Amendment 13) generally allows one-party consent recording
- You must inform other parties if required by law in their jurisdiction
- We are not responsible for your compliance with recording consent laws
Children's Privacy
Our service is not intended for users under 18 years of age. We do not knowingly collect data from children.
Changes to This Policy
We may update this Privacy Policy periodically. We will notify you of material changes via email or in-app notification at least 30 days before they take effect.
Contact Us
For privacy-related inquiries:
- Email: [email protected]
- Website: casumi.app
Data Protection Officer
For GDPR-related matters, contact our DPO at [email protected].
Jurisdiction: This policy is governed by Israeli law. Any disputes shall be resolved in the courts of Tel Aviv, Israel.