VOUCH
Privacy Policy
Last updated: 9 February 2026
1. Introduction
Vouch ("we", "us", or "our") is an AI-agent-native ESG compliance platform operated by Vouch Technologies. We are committed to protecting the privacy and security of the personal data of our users, their organisations, and their supply chain partners.
This Privacy Policy explains how we collect, use, store, share, and protect personal data when you use our platform (vouchcompliance.com), including our web application, APIs, and AI-powered compliance agents. It applies to all users of our services across the European Economic Area (EEA) and beyond.
Vouch acts as a data processor on behalf of our customers (data controllers) for organisation-level and supplier data. For user account data, Vouch acts as the data controller.
2. Data We Collect
The following table summarises the categories of personal data we process, their purposes, legal basis, and retention periods in accordance with GDPR Article 30 (Records of Processing Activities):
| Category | Data Types | Purposes | Legal Basis | Retention |
| --- | --- | --- | --- | --- |
| User account data | Email, full name, avatar URL, role | Authentication, account management, support | Contract performance | Account lifetime + 30 days |
| Organisation data | Company name, industry, employee count, country, postal code, website | Service delivery, compliance reporting, AI context | Contract performance | Account lifetime + 30 days |
| Emissions & compliance data | Emissions values, scope categories, compliance answers, gap analyses | ESG reporting, carbon calculations, compliance automation | Contract performance | 7 years (regulatory) |
| Integration tokens | OAuth tokens for accounting platforms | Accounting data synchronisation | Contract performance | Until disconnect + 30 days |
| Supplier data | Supplier company info, questionnaire responses | Supply chain ESG compliance | Legitimate interest / Contract | Account lifetime; responses 7 years |
| RAG documents | Uploaded compliance documents, embeddings | AI-powered compliance assistance | Contract performance | Until deletion + 30 days |
| Audit logs | User actions, timestamps, IP addresses | Security, accountability, troubleshooting | Legitimate interest | 2 years |
3. How We Use Your Data
We process personal data for the following purposes:
• Providing and operating the Vouch platform, including AI-powered compliance agents (Carbon Collection, EcoVadis Assistant, Gap Analysis, Regulatory Monitoring, and Data Validation)
• Calculating carbon emissions and generating ESG compliance reports
• Automating responses to sustainability questionnaires (e.g. EcoVadis)
• Synchronising financial data from connected accounting platforms (Xero, QuickBooks, Sage, DATEV)
• Generating AI-powered recommendations and gap analyses
• Communicating with you about your account and service updates
• Ensuring the security and integrity of our platform
• Complying with legal and regulatory obligations
4. AI Processing and Automated Decision-Making
Vouch uses artificial intelligence to automate ESG compliance tasks. Our AI agents process your organisation's data to generate compliance reports, identify gaps, calculate emissions, and prepare questionnaire responses. These agents operate with approximately 90% autonomy but are designed to surface recommendations for human review before final submission.
AI processing involves sending data to our AI sub-processor (Anthropic/Claude) under strict contractual safeguards including Standard Contractual Clauses for international data transfers. No automated decisions with legal or similarly significant effects are made without human oversight.
You have the right to request human review of any AI-generated output and to object to automated processing of your data.
5. Sub-processors
We use the following third-party sub-processors to deliver our services. Each sub-processor is bound by data processing agreements and appropriate safeguards for international data transfers:
| Sub-processor | Purpose | Location | Safeguards |
| --- | --- | --- | --- |
| Supabase | Database, authentication, storage | EU (Ireland) | GDPR compliant; EU data residency |
| Anthropic (Claude) | AI agent processing | US | Standard Contractual Clauses (SCCs) |
| Pinecone | Vector database for document search | US/EU | SCCs; DPA available |
| Vercel | Frontend hosting | EU/US | GDPR compliant; DPA |
| Railway | Backend API hosting | US/EU | DPA; SCCs |
| Xero | Accounting sync (when connected) | Australia/NZ | Customer-initiated; Xero DPA |
| Intuit (QuickBooks) | Accounting sync (when connected) | US | Customer-initiated; DPA |
| Sage | Accounting sync (when connected) | UK/EU | GDPR compliant; DPA |
| DATEV | Accounting sync (when connected) | Germany | GDPR compliant; German data protection |
Accounting platform integrations (Xero, QuickBooks, Sage, DATEV) are only activated when you voluntarily connect your account. You may disconnect at any time through your Vouch dashboard.
6. International Data Transfers
Your data is primarily stored within the EU (Supabase, Ireland). Where data is transferred outside the EEA (for example, to Anthropic or Pinecone in the United States), we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission and supplementary technical measures such as encryption in transit and at rest.
7. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Our retention periods are as follows:
• User account data: Account lifetime plus 30 days after deletion request
• Organisation data: Account lifetime plus 30 days after deletion request
• Emissions and compliance data: 7 years (to meet regulatory and financial reporting requirements)
• Integration tokens: Until disconnection plus 30 days
• Supplier data: Account lifetime; questionnaire responses retained for 7 years
• RAG documents: Until deletion plus 30 days
• Audit logs: 2 years
Upon expiry of the retention period, data is securely deleted or anonymised.
8. Data Security
We implement appropriate technical and organisational measures to protect personal data, including encryption in transit (TLS) and at rest, role-based access controls, regular security assessments, and audit logging. Our platform architecture is designed with privacy by design and by default principles in accordance with GDPR Article 25.
9. Your Rights Under GDPR
Under the General Data Protection Regulation, you have the following rights regarding your personal data:
| Right | Description | How to Exercise |
| --- | --- | --- |
| Access | Request a copy of your personal data | Contact [email protected] or use in-app request |
| Rectification | Correct inaccurate data | Edit profile in Settings; contact support for other data |
| Erasure | Request deletion of your data | Account deletion in Settings; contact [email protected] |
| Restriction | Limit how we process your data | Contact [email protected] |
| Data portability | Receive your data in machine-readable format | Export via API or contact [email protected] |
| Object | Object to processing based on legitimate interest | Contact [email protected] |
| Withdraw consent | Withdraw consent where processing is consent-based | Update preferences in Settings |
| Complaint | Lodge a complaint with a supervisory authority | Contact your local data protection authority |
We will respond to all data subject requests within 30 days of receipt, as required by GDPR.
10. Cookies and Tracking
Vouch uses essential cookies required for the operation of our platform (such as authentication session cookies). We do not use advertising or third-party tracking cookies. Analytics, where used, are privacy-respecting and do not involve cross-site tracking.
11. Children's Privacy
Vouch is a business-to-business platform and is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will take steps to delete it promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes via email or through a prominent notice on our platform. We encourage you to review this policy periodically.
13. Contact Us
If you have any questions about this Privacy Policy, wish to exercise your data subject rights, or have a complaint about how we handle your personal data, please contact us:
Email: [email protected]
Company: Vouch Compliance
You also have the right to lodge a complaint with your local data protection supervisory authority.