1. Who We Are
MicHelper ("we", "us", "our") provides AI-powered sales quality control software for retail networks. Our platform enables businesses to record, transcribe, and analyze sales consultations to improve service quality and sales performance.
Controller vs. Processor
Depending on the context, MicHelper acts in different capacities:
- Data Controller: For account information, billing data, and service usage analytics, we determine the purposes and means of processing.
- Data Processor: For audio recordings, transcripts, and employee performance data, we process this information on behalf of our business customers (the Controllers) according to their instructions and our Data Processing Agreement.
If you are an employee whose conversations are being recorded, your employer is the Data Controller for that processing. Please contact your employer for information about how they handle your data.
2. Data We Collect
2.1 Account Information
When you create an account or your employer creates one for you, we collect:
- Name, email address, phone number (optional)
- Company/organization name and role
- Login credentials (passwords are hashed, never stored in plain text)
- Language and timezone preferences
2.2 Usage Data
We automatically collect information about how you interact with our service:
- Login timestamps and session duration
- Features accessed and actions performed
- Browser type, operating system, and device information
- IP address and approximate location (country/region level)
2.3 Device & Technical Data
For our recording devices (microphones) and web application:
- Device identifiers and status
- Connection quality metrics
- Error logs and diagnostic information
2.4 Audio & Transcript Data
This is the core data we process for our service. See Section 3 for detailed information.
2.5 Cookies & Similar Technologies
We use cookies for authentication, preferences, and analytics. See our Cookie Policy for details.
2.6 Data from Third-Party Authentication
If you choose to sign in using Google OAuth, we receive and store:
- Your Google account email address
- Your display name
- Your Google account identifier
We do not access your Google contacts, calendar, or any other Google services data. You can disconnect Google authentication at any time through your account settings.
2.7 Push Notifications
If you enable push notifications, we collect and store a device token provided by Apple Push Notification Service (APNs) or Google Firebase Cloud Messaging (FCM). This token is used solely to deliver notifications to your device. You can disable push notifications at any time through your device settings or the application. Device tokens are deleted when you unsubscribe from notifications or delete your account.
2.8 Telegram Bot Data
If you interact with our Telegram bot, we collect and store:
- Your Telegram chat ID and username
- Message history with the bot
- Your notification preferences
- Files shared through the bot (retained for 3 days)
This data is used to provide bot functionality, deliver notifications, and process your requests. You can stop interacting with the bot at any time by blocking it in Telegram, which will cease all data collection. Existing data will be deleted according to our standard retention policies or upon request.
3. Audio Recordings & Transcripts
3.1 What We Record
Our service records audio from designated microphones in retail locations. These recordings capture sales consultations between employees and customers. The recording devices are placed in accordance with local laws and with appropriate signage.
3.2 Processing Modes
MicHelper offers different processing modes to balance functionality with privacy:
- Full Processing: Audio is stored, transcribed, and analyzed. Audio files are retained according to the retention policy.
- Transcript-Only Mode: Audio is transcribed in real time and then immediately deleted. Only the text transcript is retained.
- Metadata-Only Mode: Only session metadata (duration, timestamps, quality scores) is retained. No audio or transcript is retained.
The processing mode is configured by the network administrator (your employer) based on their legal requirements and business needs.
3.3 Transcription Process
Audio is transcribed using AI speech recognition technology. Transcripts may include:
- Text content of the conversation
- Speaker identification (employee vs. customer)
- Timestamps and segment boundaries
- Language detection results
3.4 Quality Analysis
Transcripts are analyzed against sales scripts and rules configured by the network administrator to generate:
- Script compliance scores
- Performance metrics and rankings
- Violation flags and recommendations
4. Legal Bases for Processing (GDPR)
We process personal data based on the following legal grounds:
4.1 Contract Performance
Processing necessary to fulfill our service agreement with business customers, including account management, service delivery, and support.
4.2 Legitimate Interests
Processing necessary for our legitimate business interests, such as:
- Improving and developing our services
- Preventing fraud and ensuring security
- Analyzing usage patterns to optimize performance
4.3 Consent
Where required by law, we obtain consent for:
- Marketing communications
- Non-essential cookies and analytics
- Processing beyond what is strictly necessary for service delivery
4.4 Legal Obligations
Processing necessary to comply with applicable laws, such as tax reporting, fraud prevention, and responding to lawful requests from authorities.
5. How We Use Your Data
We use the data we collect for the following purposes:
5.1 Service Delivery
- Processing and analyzing audio recordings
- Generating transcripts and quality scores
- Creating reports, rankings, and analytics
- Enabling Excel/CSV exports
5.2 Account Management
- User authentication and authorization
- Role-based access control (RBAC)
- Subscription and billing management
5.3 Communication
- Service notifications and alerts
- Support responses
- Product updates (with consent)
5.4 Improvement & Development
- Analyzing usage patterns to improve features
- Training and improving our AI models (only with aggregated, anonymized data)
- Debugging and troubleshooting
6. Data Sharing & Subprocessors
6.1 We Do Not Sell Your Data
We do not sell, rent, or trade personal data to third parties for their marketing purposes.
6.2 Subprocessors
We use the following third-party service providers (subprocessors) to operate the Service. Each subprocessor processes data only as necessary for its stated purpose.
| Company | Purpose | Location | Data Processed |
|---|---|---|---|
| OpenAI, Inc. | Audio transcription (Whisper API) and transcript analysis (GPT API). Zero data retention enabled. | United States | Audio recordings (transient), transcripts (transient) |
| Render Services, Inc. | Cloud hosting, compute, persistent storage | United States (Oregon) | All platform data |
| Google LLC | OAuth authentication (optional), Firebase Cloud Messaging (push notifications for Android) | United States | Authentication tokens, device tokens, notification payloads |
| Apple Inc. | Apple Push Notification Service (push notifications for iOS) | United States | Device tokens, notification payloads |
| Telegram FZ-LLC | Bot notifications and management interface (optional) | United Arab Emirates | Chat IDs, notification content, user preferences |
| Fondy (CloudIpsp) | Payment processing (card payments) | Ukraine | Transaction data, payment references |
| LiqPay (PrivatBank) | Payment processing (card payments) | Ukraine | Transaction data, payment references |
| CoinGate UAB | Cryptocurrency payment processing | Lithuania (EU) | Transaction data, wallet addresses |
| Whitepay LLC | Cryptocurrency payment processing | Ukraine | Transaction data, wallet addresses |
| SMTP Provider (configurable) | Transactional email delivery | Depends on configuration | Email addresses, email content |
We maintain this list and will notify customers of changes at least 30 days in advance. The current list is always available on this page and at /legal/subprocessors.html. To subscribe to subprocessor change notifications, contact privacy@michelper.app.
6.3 Legal Requirements
We may disclose data when required by law, court order, or to protect our rights, property, or safety.
6.4 Business Transfers
In the event of a merger, acquisition, or sale of assets, personal data may be transferred to the acquiring entity.
7. International Data Transfers
Your data may be processed in countries outside your country of residence. When we transfer data from the European Economic Area (EEA), UK, or Switzerland to countries not deemed to provide adequate protection, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions where applicable
- Other lawful transfer mechanisms as appropriate
Our business customers can request information about the specific safeguards in place for their data.
Restricted Transfers: MicHelper does not transfer personal data to Russia, China, Belarus, or any country subject to EU/US comprehensive sanctions. None of our subprocessors are located in these jurisdictions.
8. Data Lifecycle & Retention
Audio Recordings
Raw audio recordings are processed transiently. Audio is uploaded to our servers solely for the purpose of transcription. Once transcription is complete, the original audio file is immediately and permanently deleted. Audio is never stored long-term on our servers. During the brief processing window, audio is encrypted in transit (TLS 1.2+) and at rest (AES-256-GCM).
Transcripts
Text transcripts generated from audio recordings are stored for a default period of 7 days, after which they are automatically and permanently deleted. This retention period is configurable by the customer (network administrator) and can be adjusted based on business needs. Transcripts are encrypted at rest using AES-256-GCM field-level encryption.
Analytics, Scores & Performance Data
Aggregated analytics data, compliance scores, performance ratings, KPI metrics, and point balances are retained for up to 500 days and are continuously updated as new interactions are processed. This data represents computed metrics derived from transcripts and does not contain raw audio or verbatim conversation text. Customers may request deletion of all associated analytics data through the account deletion process.
Account & Configuration Data
User accounts, network configurations, scripts, and system settings are retained for the duration of the active subscription and for 30 days following account termination to allow for data export.
Summary
| Data Type | Retention | Encryption |
|---|---|---|
| Raw audio recordings | Deleted immediately after transcription | AES-256-GCM (during processing) |
| Transcripts | 7 days (configurable) | AES-256-GCM field-level |
| Analytics & scores | Up to 500 days (continuously updated) | Database-level encryption |
| Account data | Duration of subscription + 30 days | AES-256-GCM for sensitive fields |
9. Security Measures
We implement comprehensive technical and organizational measures to protect your data:
9.1 Technical Measures
- Encryption in Transit: All data transmitted using TLS 1.2 or higher
- Encryption at Rest: AES-256 encryption for stored data
- Access Controls: Role-based access control (RBAC) with principle of least privilege
- Authentication: Secure password hashing (bcrypt), session management. Two-factor authentication is planned for a future release.
9.2 Organizational Measures
- Audit Logging: All data access and modifications are logged
- Employee Training: Regular security awareness training
- Incident Response: Documented procedures for security incidents
- Regular Reviews: Periodic security assessments and updates
9.3 Incident Notification
In the event of a data breach affecting your personal data, we will notify you and relevant authorities as required by applicable law, typically within 72 hours of becoming aware of the breach.
10. Your Rights
Depending on your location and applicable law, you may have the following rights:
10.1 GDPR Rights (EEA/UK)
- Access: Request a copy of your personal data
- Rectification: Correct inaccurate or incomplete data
- Erasure: Request deletion of your data ("right to be forgotten")
- Restriction: Limit how we process your data
- Portability: Receive your data in a structured, machine-readable format
- Objection: Object to processing based on legitimate interests
- Withdraw Consent: Withdraw previously given consent at any time
10.2 CCPA Rights (California)
If you are a California resident, you have additional rights under the California Consumer Privacy Act, including the right to know what data we collect and the right to opt out of sale (though we do not sell personal data).
10.3 Exercising Your Rights
To exercise any of these rights:
- Use the Privacy Requests feature in your MicHelper account
- Contact us via our Support Portal
- If you are an employee, contact your employer (the Data Controller)
We will respond to verified requests within 30 days (or as required by law).
11. Children's Privacy
MicHelper is a business-to-business service and is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected data from a child under 16, we will take steps to delete it promptly.
12. Contact & Complaints
12.1 Contact Us
For privacy-related questions or to exercise your rights, please use our Support Portal and select "Privacy Request" as the category.
12.2 Supervisory Authority
If you are in the EEA or UK and believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local data protection supervisory authority.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes:
- We will update the "Last updated" date at the top of this page
- For significant changes, we will provide notice through our service or via email
- Continued use of our service after changes become effective constitutes acceptance
We encourage you to review this policy periodically.