Privacy Policy

1.1 This privacy policy describes how Nivision Data Ltd., Company ID 517203170 ("Nivision" or "Company") collects, processes, stores, and protects personal and business information in the context of its conversation analysis services ("Service").

1.2 Use of the Service constitutes acceptance of this policy. This policy complements the Terms of Use and the commercial agreement between the Client and the Company.

2.1 The Client (the organization that purchased the Service) is the data controller in respect of its customers', employees', and call data transferred to Nivision.

2.2 Nivision acts as a data processor in accordance with the Client's instructions and the agreement.

2.3 Nivision is an independent controller in respect of information it collects directly from users for account operation, support, and customer relationship management.

Greenhouse Principle: Nivision operates according to the Greenhouse Principle: any information that may lead to identification of an individual, company, or specific customer of our clients is fully encrypted and protected on our side. Personal information such as first name, last name, ID number, credit card number, bank account number, and any other identifying detail is automatically masked and encrypted in our processing, so that a specific person cannot be identified from it.

Exclusive use for the Client: All information collected and processed by Nivision is used for one purpose only: to provide the Client with the Service it purchased, and to give it the information, insights, reports, and scores it needs and wants. Nivision does not use client data to train AI models, improve the system using identified data, trade with third parties, or for any purpose other than providing the Service directly to the Client.

Strict prohibition on using client data for model training: Nivision expressly undertakes that client data is not, and will never be, used to train general AI models. Data processing is static - one client's data is not mixed with or affected by another client's data. Third-party AI providers that Nivision works with (such as OpenAI, Google Gemini, and Anthropic/Claude) operate under organizational agreements requiring them not to use data for model training unless the Client has approved otherwise in writing.

Core security principles: Nivision's security strategy rests on five pillars: Least Privilege; Tenant Isolation; Defense in Depth; Secure by Design; Fail Secure (default deny).

3.1 Information provided directly by the Client or User: contact details, account details, call data, settings and configuration.

3.2 Information generated by automated processing: transcriptions, sentiment and engagement analysis, scores, speaker identification, aggregated reports, trends, alerts, insights, AI customer profiles, and competitor analysis.

3.3 Technically collected information: IP address, browser type, operating system, device identifiers, usage data, logs (stored in an unalterable form for at least two years).

3.4 Information from third parties: data received through integrations configured by the Client.

4.1 Providing the Service to the Client: transcription, analysis, scoring, report and business insight generation in line with the Client's settings. This is the sole purpose for which client data is processed.

4.2 Support and customer service: responding to inquiries, resolving issues, technical assistance.

4.3 Security and control: preventing unauthorized access, monitoring anomalies, log management and incident investigation. Nivision runs continuous health and security monitoring via AWS CloudWatch with automatic alerts.

4.4 Legal compliance: fulfilling legal and regulatory obligations, data retention as required by sector.

4.5 Communications: sending system updates, maintenance notices, and commercial offers (subject to Client consent where required).

5.1 Contract performance: processing necessary to provide the Service under the commercial agreement.

5.2 Legitimate interest: information security, fraud prevention, performance monitoring.

5.3 Legal obligation: compliance with the Israeli Privacy Protection Law, 1981, the Privacy Protection (Data Security) Regulations, 2017, and any other applicable law.

5.4 Consent: for marketing communications or processing not essential to providing the Service.

6.1 Infrastructure and processing providers: Amazon Web Services (AWS) for cloud hosting, transcription engines, enterprise-grade AI models (OpenAI/Azure, Google Gemini, Anthropic/Claude). These providers act as sub-processors only, under binding data processing agreements, and are committed to GDPR and SOC 2 Type II standards.

6.2 Legal authorities: as required by law, court order, or mandatory request from a competent authority.

6.3 Mergers and acquisitions: in the event of a change of control, merger, or acquisition, information may be transferred to the acquirer, subject to continued adherence to the same or stricter privacy terms.

6.4 Nivision does not sell, rent, or transfer personal information to third parties for their marketing or commercial purposes.

7.1 The Service is implemented at a high security level as defined in the Privacy Protection (Data Security) Regulations, 2017. Nivision's security controls are aligned with ISO 27001, SOC 2, GDPR, and Israeli privacy law.

7.2 Key security measures: encryption in transit (TLS 1.2+); encryption at rest (AES-256); key management (AWS KMS); access control (RBAC, JWT, Multi-Tenancy); immutable audit logs; PII masking; infrastructure (private VPC, environment separation); secret management (AWS Secrets Manager, SSM); data minimization; Privacy by Design/Default.

7.3 Despite these efforts, no security method guarantees absolute immunity. The Company operates in accordance with industry-accepted standards.

8.1 Data may be stored on AWS servers located outside Israel, subject to applicable law and international data transfer arrangements.

8.2 Data retention policy is configurable per client: 30, 60, 90, 180, or 365 days. At the end of the retention period, data is automatically deleted unless otherwise expressly agreed in writing in the commercial agreement.

8.3 Data processed by third-party AI providers is retained only for the time required for processing and fault monitoring, then automatically deleted.

8.4 After termination of the engagement, data will be retained for 30 additional days and then deleted, unless otherwise expressly agreed in writing in the commercial agreement or required by law.

8.5 Backups: daily encrypted backups with point-in-time recovery. File versions are retained in S3.

9.1 Under the Privacy Protection Law and applicable regulation, data subjects are entitled to: access their personal information held by the Company; request correction of incorrect, incomplete, or outdated information; request deletion of personal information, subject to legal and contractual obligations; object to marketing communications or withdraw consent at any time.

9.2 To exercise any of these requests, please contact: [email protected].

9.3 Since Nivision acts as a processor in respect of the Client's calls, requests from data subjects who are end customers of the Client will be forwarded to the Client for handling.

10.1 The Client is solely responsible for informing its customers, employees, suppliers, and data subjects about recording, processing purposes, retention period, and their rights under applicable law.

10.2 The Client is responsible for ensuring appropriate consents, transparent privacy policy, and database registration where required.

10.3 Nivision is not responsible for the Client's compliance with these regulatory obligations and shall not be liable for the Client's failure to comply with the law.

11.1 In the event of a confirmed security incident involving client data, the Company will update the Client without undue delay and no later than 72 hours from when it became aware of the incident.

11.2 The notice will include the nature of the incident, scope of impact, mitigation measures taken, and full cooperation in the investigation.

11.3 Incident response process: identify, contain, investigate, notify clients in accordance with SLA and law.

12.1 The Service may use cookies and similar technologies for operation, authentication, performance measurement, and improving the user experience.

12.2 Browser settings can be changed to block cookies; however, this may impair Service functionality.

13.1 The Company does not use identified client data to improve the system or train models. Any use of statistical data for quality monitoring or fault remediation is solely of aggregated, de-identified data that does not allow direct or indirect identification of data subjects.

13.2 The Company will not perform, or allow, re-identification attempts on data processed in anonymized form.

13.3 Aggregated information will not be used for third-party commercial purposes.

14.1 The Company may update this policy from time to time. An updated version will be published in the Service and will bear an update date.

14.2 Continued use of the Service after publication constitutes acceptance of the updated policy.

15.1 For any question, request, or report regarding this privacy policy: general email: [email protected]; website: nivision.ai; Nivision Data Ltd., Company ID 517203170.