Privacy Policy

1. Introduction

Volari AI, Inc. (“Volari,” “we,” “us,” or “our”) has prepared this Privacy Policy to explain what Personal Data we collect, how we use and share that data, and your choices concerning our data practices. This Privacy Policy is incorporated into and forms part of our Terms of Service.

Through our web application and related services (the “App”), Volari provides an AI-powered execution partner that helps you align your calendar to your goals, analyze how you spend your time, and optimize your schedule for focused execution. The App, including volari.ai, app.volari.ai, and any other products and services that link to this Privacy Policy, are referred to collectively as the “Service” or “Services.”

Before using the Service or submitting any Personal Data to Volari, please review this Privacy Policy carefully. By using the Service, you agree to the practices described in this Privacy Policy. If you do not agree to this Privacy Policy, please do not access or use the Service.

“Personal Data” means any information that identifies or relates to a particular individual and also includes information referred to as “personally identifiable information” or “personal information” under applicable data privacy laws, rules, or regulations, including the California Consumer Privacy Act (“CCPA”) and the General Data Protection Regulation (“GDPR”).

2. Personal Data We Collect

Personal Data You Provide

• Account Data. We collect your name, email address, and account credentials when you create an account to use the Services.
• Calendar Data. We collect and store calendar data for calendars you authorize us to connect to the Services, including event titles and descriptions, emails of invitees on those events, locations of events, event durations, recurrence patterns, and other calendar metadata. Calendar data is encrypted in transit and at rest.
• Email Data. When you connect your email account (Gmail or Outlook), we access email metadata (sender, recipient, subject, date) and message content for the purpose of extracting commitments, follow-up needs, and relationship context. Email data is processed by our AI systems to identify actionable items and is stored as structured signals in our memory index. We do not store full email bodies beyond the extracted signals. Email data is encrypted in transit and at rest.
• Messaging Data. When you connect your messaging platform (Slack or Microsoft Teams), we access message content from channels you authorize for the purpose of detecting decisions, commitments, and action items made in team conversations. We do not access direct messages unless explicitly authorized. Messaging data is processed and stored as structured signals, not raw message archives.
• Document Data. When you connect your document workspace (Notion or Google Docs), we access documents you authorize for the purpose of enriching goal context, understanding strategic priorities, and identifying dependencies. We extract structured signals (goals referenced, deadlines, risks) and do not store full document content.
• Project Management Data. When you connect your project management tool (Jira or Linear), we access issue/ticket status, sprint progress, and work package data to provide real execution velocity tracking. We read issue metadata (title, status, assignee, dates) and do not modify issues unless you explicitly authorize agent actions.
• CRM Data. When you connect your CRM (Salesforce or HubSpot), we access contact records, deal/opportunity pipeline data, and activity history for the purpose of relationship intelligence and commitment tracking. We read CRM data for context enrichment and create/update records only when you explicitly approve agent-recommended actions.
• Agent Execution Data. Our AI agents produce deliverables on your behalf, including email drafts, decision memos, research briefs, execution plans, and calendar modifications. We store records of agent actions, outcomes produced, and your approval/rejection decisions to improve agent accuracy and compute execution metrics.
• Goal and Priority Data. We collect goals, priorities, and strategic objectives you provide through the Services, including information entered during coaching conversations and execution planning sessions.
• Coaching Conversation Data. We collect the content of your interactions with Volari's AI coaching features, including questions, responses, strategic context, and feedback you provide during coaching sessions.
• Scheduling Decision Data. We collect data about scheduling suggestions the Service makes and your responses to those suggestions, including whether you accept, reject, or modify a recommendation, how long you take to respond, and the calendar context at the time of the suggestion.
• Execution Metrics. We generate and store execution analytics, including your Volari Score (a proprietary metric measuring time capital efficiency), pattern analysis data, and scheduling optimization recommendations.
• Feedback Data. We collect feedback you provide about the Service, including thumbs-up/down ratings on coaching responses, corrections, and other explicit feedback signals.
• Payment Data. We collect billing information necessary to process payments, including your payment method details. Payment processing is handled by our third-party payment processor, Stripe, Inc. We do not store full credit card numbers on our servers.
• Voice Data. If you use the Service's voice input feature, we collect audio recordings from your device's microphone for the purpose of transcribing your spoken input into text. Audio is transmitted to our third-party transcription provider, OpenAI, Inc. (using the Whisper API), solely for real-time transcription. We do not store audio recordings after transcription is complete. The resulting text is treated as Coaching Conversation Data and subject to the same protections described above.
• Communication Data. We collect information you provide when you contact us for support, provide feedback, or communicate with us through email or other channels.

Personal Data We Collect Automatically

• Log Data. Information that your browser or device automatically sends when you visit or use the Services, including your Internet Protocol (IP) address, browser type and settings, the date and time of your request, and how you interacted with the Services.
• Device Information. Information about the device you use to access the Services, including device type, operating system, and unique device identifiers.
• Usage Data. Information about how you interact with the Services, including features used, session duration, actions taken, engagement patterns, and interaction patterns with coaching features.
• Cookies and Similar Technologies. We use cookies and similar technologies to operate and improve the Services. We use the following categories of cookies:

• Essential Cookies. Required for the Service to function, including authentication session cookies and security cookies. These cannot be disabled while using the Service.
• Analytics Cookies. Used to understand how users interact with the Services, measure feature usage, and improve the user experience. We use PostHog for product analytics. You may opt out of analytics cookies through our cookie settings or by contacting us at privacy@volari.ai.
• Error Monitoring. We use Sentry to detect, diagnose, and resolve technical errors. Sentry may collect limited technical data (such as browser type, error stack traces, and session identifiers) to facilitate error reporting.

We do not use advertising cookies or third-party tracking pixels for cross-site behavioral advertising. You can control cookies through your browser settings. For more information on managing cookies, refer to your browser's help documentation.

AI-Generated Data

In the course of providing the Services, our AI systems generate data about you, including your Volari Score, pattern analysis, scheduling recommendations, coaching insights, and coaching moment detection (identifying significant inflection points in your coaching interactions). Under applicable law, including California's AB 1008, such AI-generated inferences constitute Personal Data and are subject to the same rights and protections described in this Privacy Policy.

Mobile Application Data

When you use the Volari mobile application (available on iOS and Android), we may collect the following additional data specific to your mobile device:

• Push Notification Tokens. If you enable push notifications, we collect a device token through Expo Notifications (which uses Apple Push Notification service on iOS and Firebase Cloud Messaging on Android) to deliver notifications to your device. You may disable push notifications at any time through your device settings. We do not use push notification tokens for advertising or tracking purposes.
• In-App Purchase Data. If you subscribe to Volari through the iOS App Store or Google Play Store, your purchase is processed by Apple or Google respectively, and subscription management is handled by RevenueCat, Inc. on our behalf. We receive a transaction identifier, subscription status, and plan type from RevenueCat. We do not receive or store your Apple ID password, Google Play credentials, or full payment card details from in-app purchases.
• Advertising Identifier (IDFA/GAID). Volari does not collect or use the Apple Identifier for Advertisers (IDFA) or the Google Advertising ID (GAID) for tracking or advertising purposes. On iOS, the Volari app will request your permission via Apple's App Tracking Transparency (ATT) framework before any access to the IDFA. We do not track you across other companies' apps or websites.
• Mobile Device Identifiers. We may collect non-advertising device identifiers (such as a vendor identifier or instance ID) solely for the purposes of app functionality, error reporting (via Sentry), and analytics (via PostHog). These identifiers are not shared with third parties for advertising purposes.

The Volari mobile application is subject to the same data handling practices described throughout this Privacy Policy. Your use of the mobile app is also subject to the applicable app store's terms of service (Apple App Store or Google Play Store).

3. How We Use Personal Data

We use Personal Data for the following purposes:

• Providing the Services. To operate, maintain, and deliver the features and functionality of the Services, including calendar analysis, execution coaching, Volari Score calculation, and calendar optimization.
• Personalization. To build and maintain your personal context within the Service, including remembering your goals, preferences, coaching history, and scheduling patterns, so that the Service becomes more effective for you over time.
• Calendar Optimization. To analyze your calendar against your stated goals and priorities, identify scheduling patterns, defend time for focused work, and suggest or implement schedule modifications when you authorize such actions.
• AI Coaching. To provide personalized coaching conversations, strategic recommendations, and execution insights based on your goals and calendar data.
• Analytics and Insights. To generate your Volari Score and other execution metrics, and to provide you with personalized analytics about how you spend your time, including benchmarks comparing your metrics against aggregate, anonymized data from the broader user base.
• Improvement of Services. To understand how the Services are used and to improve and develop new features. We analyze interaction patterns — including which coaching approaches, scheduling suggestions, and product features correlate with positive user outcomes — to improve the quality and effectiveness of the Service. We use de-identified and aggregated data for this purpose wherever possible. See Section 8 (Aggregate and De-Identified Data) for details.
• Communications. To send you transactional communications (account confirmations, billing notifications, security alerts), and with your consent, marketing communications such as our Execution Edge newsletter. You may opt out of marketing communications at any time.
• Safety and Security. To protect the safety, security, and integrity of the Services, to detect and prevent fraud, abuse, or other harmful activity, and to enforce our Terms of Service.
• Legal Compliance. To comply with applicable laws, regulations, legal processes, or governmental requests.

4. Legal Bases for Processing

We process your Personal Data only when we have a valid legal basis to do so. The legal bases we rely on depend on the specific processing activity:

• Performance of a Contract. We process your Account Data, Calendar Data, Goal and Priority Data, Coaching Conversation Data, Scheduling Decision Data, and Execution Metrics as necessary to perform our contract with you — specifically, to provide the Services you have subscribed to, including calendar analysis, coaching, and Volari Score calculation.
• Legitimate Interests. We process Usage Data, Log Data, Device Information, and Feedback Data based on our legitimate interest in improving the Services, ensuring security, preventing fraud, and understanding how users interact with the Service. We also rely on legitimate interests for generating aggregate and de-identified data for benchmarking and product development (see Section 8). We balance these interests against your rights and freedoms, and you may object to processing based on legitimate interests at any time (see Section 11, Your Rights).
• Consent. We process your Personal Data based on your consent for marketing communications (such as our Execution Edge newsletter), optional analytics cookies, and any other processing for which we specifically request your consent. You may withdraw your consent at any time without affecting the lawfulness of processing carried out before withdrawal.
• Legal Obligation. We process certain Personal Data (including Payment Data and billing records) as necessary to comply with applicable legal obligations, such as tax and financial reporting requirements.

If you are located in the European Economic Area, the United Kingdom, or Switzerland, we do not process your Personal Data unless one of the above legal bases applies. For more information about your rights under the GDPR, see Section 13 (European Economic Area, United Kingdom & Swiss Privacy Rights).

5. Sharing and Disclosure of Personal Data

We do not sell your Personal Data. We do not share your Personal Data for cross-context behavioral advertising. We may share Personal Data in the following circumstances:

• Service Providers and Subprocessors. We share Personal Data with third-party service providers (“subprocessors”) who perform services on our behalf. These providers are bound by contractual obligations to use Personal Data only as directed by us and consistent with this Privacy Policy. A current list of our subprocessors is maintained on our Subprocessors page and in Section 15 of this Policy. We will provide at least 30 days' notice before adding new subprocessors that handle Personal Data.
• AI Model Providers. To provide AI coaching and calendar optimization features, we transmit certain data to Anthropic, PBC (“Anthropic”), the provider of the Claude AI model that powers the Service's coaching features. When you interact with Volari's coaching features, relevant context from your account is transmitted to Anthropic's API to generate responses. Under our current commercial agreement with Anthropic: (a) your data is not used by Anthropic to train AI models; (b) API data is automatically deleted from Anthropic's systems within their standard retention period (currently 7 days as of the effective date of this Policy); and (c) Anthropic's Commercial Terms of Service govern this processing. For more information about Anthropic's data practices, visit anthropic.com/privacy. We do not control Anthropic's policies and they may change; we will update this Policy if material changes to our agreement with Anthropic occur.
• Voice Transcription Provider. When you use the Service's voice input feature, audio recordings are transmitted to OpenAI, Inc. (“OpenAI”) for transcription using the Whisper API. Under OpenAI's commercial API terms: (a) your data is not used by OpenAI to train AI models; (b) API data is retained by OpenAI for up to 30 days for abuse monitoring and then deleted; and (c) OpenAI's Business Terms govern this processing. Audio is transmitted solely for real-time transcription and is not stored by Volari after the transcription is complete. For more information about OpenAI's data practices, visit openai.com/enterprise-privacy.
• Legal Requirements and Government Requests. We may disclose Personal Data if required to do so by law, or in the good-faith belief that such action is necessary to: (a) comply with a legal obligation; (b) protect and defend our rights or property; (c) prevent fraud or address security or technical issues; (d) protect the personal safety of users of the Service or the public. We evaluate all government and law enforcement requests for legal validity and will limit disclosure to information that is strictly necessary. We will notify affected users before complying with such requests, unless we are prohibited from doing so by law or court order, or where notification would create a risk of harm.
• Business Transfers. If Volari is involved in a merger, acquisition, reorganization, sale of assets, or bankruptcy, your Personal Data may be transferred as part of that transaction. We will provide notice before your Personal Data is transferred and becomes subject to a different privacy policy.
• Aggregated or De-Identified Data. We may share aggregated or de-identified data that cannot reasonably be used to identify you, as described in Section 8 below.
• With Your Consent. We may share your Personal Data for other purposes with your express consent.

6. Integrations & API Compliance

Google Calendar Integration

In order to provide the Services, we authenticate your Google Calendar account to gather your calendar data, including event titles and descriptions, emails of invitees on those events, locations of events, and other calendar metadata (“Google Calendar Data”). Notwithstanding anything else in this Privacy Policy, we:

1. Only use the necessary Google Calendar Data to provide and improve the Services;
2. Do not transfer Google Calendar Data to third parties except as necessary to provide the Services, as required by law, or in connection with a merger, acquisition, or sale of assets where we provide notice to users;
3. Do not use Google Calendar Data for serving advertisements;
4. Do not permit humans to read Google Calendar Data, except (a) if we obtain your affirmative consent, (b) as necessary for security purposes or to comply with applicable law, or (c) where our use is limited to internal operations such as resolving support issues or analyzing aggregate data to improve the Service.

Google API Services Disclosure: Volari's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Microsoft Outlook Integration

When you connect your Microsoft Outlook calendar, we access your calendar data through Microsoft's Graph API. We apply the same data handling practices described above for Google Calendar Data to all Microsoft calendar data. Our use of information received from Microsoft APIs adheres to the Microsoft APIs Terms of Use.

Calendar Write Access

Certain features of the Services (including calendar optimization, time defense, and autonomous scheduling) require write access to your calendar. When you enable these features, you explicitly authorize Volari to create, modify, reschedule, or remove calendar events on your behalf, in accordance with your preferences and instructions. You may revoke calendar write access at any time through your account settings or by disconnecting your calendar integration.

Gmail/Outlook Email Integration

We apply the same Limited Use commitment to email data as we do to calendar data. We access email data solely to provide the Services. We do not use email content for advertising. Email send actions (such as AI-drafted follow-ups) are always user-approved before transmission. Our use of Gmail data adheres to the Google API Services User Data Policy, including the Limited Use requirements. Our use of Outlook data adheres to the Microsoft APIs Terms of Use.

Slack Integration

We access authorized channels via Slack's API. We post messages on your behalf only when you explicitly approve. We do not access channels you have not authorized.

Notion Integration

We access pages and databases you authorize. We create or update pages only when you approve agent actions.

Jira/Linear Integration

We access issue data via their APIs. We create or update issues only when you approve agent actions.

Salesforce/HubSpot Integration

We access CRM data via their APIs. We create or update records only when you approve agent actions.

Data Ingestion Schedule

Connected services are synced automatically: email and messaging every 30 minutes, project management hourly, documents every 2 hours. You may disconnect any integration at any time through Settings.

7. AI and Automated Processing Disclosure

Volari uses artificial intelligence and automated processing technologies to provide the Services. We believe in transparency about how AI is used with your data.

How We Use AI

• Execution Coaching. AI analyzes your calendar data and stated goals to provide strategic recommendations, pattern insights, and coaching conversations. The AI model powering these features is Claude, developed by Anthropic, PBC.
• Volari Score. Our proprietary algorithms calculate your Volari Score by comparing how you allocate your time against your stated priorities. The Volari Score weights and methodology are refined over time based on aggregate, de-identified outcome data across our user base.
• Calendar Optimization. AI identifies scheduling patterns, recommends changes, and when authorized, autonomously optimizes your calendar to protect focused work time and align your schedule with your goals.
• Pattern Recognition. AI identifies trends in your time usage, meeting patterns, energy cycles, and productivity behaviors.
• Coaching Effectiveness. We analyze how users interact with our coaching features — including which recommendations are accepted, modified, or rejected, and feedback signals such as thumbs-up/down ratings — to improve the quality, relevance, and effectiveness of the Service for all users. This analysis uses structured interaction metadata and aggregate patterns, not individual users' raw conversation content.
• AI Agent Execution. Volari operates 21 specialized AI agents that produce deliverables such as meeting follow-ups, decision memos, research briefs, goal execution plans, and weekly digests. Agents produce artifacts that you review before any external action is taken. No agent sends emails, creates documents, or modifies external systems without your explicit approval. Agent actions classified as irreversible (sending email, creating external records) always require human approval regardless of trust level.
• Outcome Measurement. We track agent-produced outcomes to compute capacity metrics (hours reclaimed, execution velocity) and to bill outcome credits. Each outcome is a verifiable deliverable — the artifact exists or it doesn't. We do not charge for awareness, coaching, or the user's own actions.

What We Do Not Do

Volari does not train large language models or other generative AI foundation models on your Personal Data. The AI model (Claude) is provided by Anthropic as a commercial service and is not trained on data from Volari's users. Volari improves its Service by refining the instructions, context, and decision frameworks used when interacting with the AI model — not by modifying the model itself. This distinction means your conversations and data are used to make Volari smarter for you and, in de-identified aggregate form, for all users — but they are never fed into an AI training pipeline.

Limitations of AI

AI-generated outputs, including coaching recommendations, the Volari Score, and calendar optimization suggestions, are provided for informational purposes to support your decision-making. They are not professional advice of any kind (including financial, legal, career, or therapeutic advice). AI outputs may be inaccurate, incomplete, or not applicable to your specific circumstances. You retain full authority and responsibility for all decisions regarding your schedule, goals, and professional activities.

Automated Decision-Making

Volari classifies agent actions into three autonomy zones: (1) Autonomous — reversible, measurable actions like calendar event classification and pattern detection execute without approval; (2) Human-in-the-Loop — partially irreversible actions like sending emails or creating external records require your explicit approval before execution; (3) Human-Only — strategic decisions like goal prioritization and personnel decisions are never performed or recommended by agents. You may review and adjust autonomy levels at any time.

You may disable autonomous features at any time through your account settings. You may also reverse any calendar modification made by the Service. If you believe an automated action has adversely affected you, please contact us at privacy@volari.ai.

8. Aggregate and De-Identified Data

We generate and use aggregate and de-identified data derived from your use of the Service to improve, develop, and operate the Services. This section explains what that means and how it benefits you.

What We Do With Aggregate Data

We use de-identified and aggregated data — meaning data from which all personally identifying information has been removed and which is combined across many users — for the following purposes:

• Improving the Service. Analyzing aggregate patterns in scheduling decisions, coaching interactions, and engagement to improve the quality of suggestions, coaching effectiveness, and product features.
• Benchmarks. Creating anonymized benchmarks (such as average Volari Scores or time-allocation patterns by segment) that help users understand how their execution compares to peers. No individual user is identifiable in any benchmark.
• Research. Conducting and publishing research about execution patterns and productivity (e.g., “How professionals allocate time vs. their stated priorities”). Published research uses only aggregate statistics derived from a minimum threshold of users.
• New Feature Development. Using aggregate insights to design new product capabilities, such as predictive coaching or team analytics.

How We De-Identify Data

When creating aggregate datasets, we apply the following safeguards:

• User identifiers (IDs, names, email addresses) are removed or nullified
• Free-text content (messages, goal descriptions, reflections) is deleted — only structured metadata is retained (e.g., suggestion type, outcome, time-of-day, feedback signal)
• No insight is surfaced that derives from fewer than a minimum aggregation threshold of users
• De-identified data is maintained in de-identified form and we will not attempt to re-identify it, except as permitted by law

Your Choice

Your de-identified data is included in aggregate analysis by default, because the aggregate pool directly benefits you and all users through better suggestions, more accurate benchmarks, and improved coaching quality. However, you may opt out of having your data used for aggregate analysis at any time by contacting us at privacy@volari.ai. Opting out will not affect the quality of the Service for you individually, as your personal context will continue to power your personalized experience.

9. Data Retention

We retain your Personal Data for as long as your account is active or as needed to provide you the Services.

Active Accounts

• Account and Profile Data. Retained for the duration of your account.
• Calendar Data. Active calendar data is retained for the duration of your account, with historical calendar analysis data retained on a rolling 12-month basis.
• Coaching Conversation Data. Retained for the duration of your account to maintain coaching continuity and context.
• Goal and Priority Data. Retained for the duration of your account.
• Volari Score History. Retained for the duration of your account.
• Scheduling Decision Data. Retained for the duration of your account.
• Feedback Data. Retained for the duration of your account.
• Payment Data. Retained as required for billing, tax, and legal compliance purposes (up to 7 years for financial records).

Inactive Accounts (Subscription Lapsed)

If your subscription lapses but you do not request account deletion, we retain your data for 90 days to enable re-activation. After 90 days, personal data is anonymized and only aggregate, de-identified data is retained.

Account Deletion

When you request deletion of your account, we will delete or anonymize your Personal Data within 30 days, with the following specifics:

• Deleted: Account data (name, email), calendar data, coaching conversation content, goal descriptions, and all free-text personal content are permanently deleted within 30 days.
• Anonymized: Structured, non-identifiable metadata (such as scheduling decision types and outcomes, engagement metrics, and feedback signals) is anonymized by removing all user identifiers and free-text content. This anonymized data cannot be linked back to you and may be retained indefinitely for aggregate product improvement.
• Retained as required by law: Payment and billing records are retained for up to 7 years as required by tax and financial compliance obligations.

You may request deletion of your data at any time (see Section 11, Your Rights).

10. Security and Breach Notification

We implement commercially reasonable administrative, technical, and physical safeguards to protect Personal Data from unauthorized access, use, alteration, or destruction. These measures include:

• Encryption of data in transit using TLS 1.2 or higher
• Encryption of data at rest via our infrastructure provider's default encryption
• Secure authentication through Google and Microsoft OAuth services
• Row-level security policies ensuring users can only access their own data
• Regular security assessments and vulnerability monitoring
• Access controls limiting employee access to Personal Data on a need-to-know basis

While we strive to protect your Personal Data, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee the absolute security of your data.

Breach Notification

In the event of a security breach involving your Personal Data, we will notify affected users without undue delay and no later than 72 hours after becoming aware of the breach, where feasible. Notification will be provided via the email address associated with your account and will include: the nature of the breach, the categories of Personal Data affected, the likely consequences of the breach, and the measures we have taken or propose to take to address the breach and mitigate its effects. Where required by applicable law, we will also notify the relevant supervisory authorities within the required timeframes.

Compliance Roadmap

Volari is committed to achieving industry-standard security certifications as we scale. Our current security practices are designed to meet or exceed the standards required for SOC 2 Type II compliance, and we intend to pursue formal certification as the company grows.

11. Your Rights

Depending on your location, you may have the following rights regarding your Personal Data:

• Access. Request a copy of the Personal Data we hold about you, including AI-generated data such as your Volari Score and pattern analysis.
• Correction. Request correction of inaccurate or incomplete Personal Data.
• Deletion. Request deletion of your Personal Data, subject to certain legal exceptions. See Section 9 for details on what is deleted vs. anonymized.
• Portability. Request a copy of your data in a structured, commonly used, machine-readable format.
• Restriction of Processing. Request that we restrict the processing of your Personal Data under certain circumstances, such as when you contest the accuracy of the data or object to our processing.
• Objection. Object to the processing of your Personal Data based on our legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
• Opt-Out of Aggregate Data Use. Request that your data not be used for aggregate analysis and product improvement purposes.
• Disable Automated Features. Disable autonomous calendar optimization and other automated decision-making features at any time through your account settings.
• Withdraw Consent. Where we rely on consent to process your Personal Data, you may withdraw that consent at any time.
• Lodge a Complaint. If you believe we have violated your privacy rights, you have the right to lodge a complaint with the relevant data protection supervisory authority in your jurisdiction.

To exercise any of these rights, please contact us at privacy@volari.ai. We will respond to your request within 30 days (or 45 days for CCPA requests where an extension is necessary), as required by applicable law. We may need to verify your identity before processing your request.

12. California Privacy Rights

If you are a California resident, the California Consumer Privacy Act (“CCPA”) and the California Privacy Rights Act (“CPRA”) provide you with specific rights regarding your Personal Data.

Your California Rights

• Right to Know. You have the right to request that we disclose the categories and specific pieces of Personal Data we have collected about you, the categories of sources from which your Personal Data is collected, the business or commercial purpose for collecting your Personal Data, and the categories of third parties with whom we share your Personal Data.
• Right to Delete. You have the right to request that we delete Personal Data we have collected from you, subject to certain exceptions.
• Right to Correct. You have the right to request correction of inaccurate Personal Data.
• Right to Opt-Out of Sale or Sharing. We do not sell your Personal Data. We do not share your Personal Data for cross-context behavioral advertising.
• Right to Limit Use of Sensitive Personal Information. To the extent we process sensitive Personal Data, we do so only as necessary to provide the Services.
• Right to Non-Discrimination. We will not discriminate against you for exercising any of your CCPA/CPRA rights.

Categories of Personal Data Collected

In the preceding 12 months, we have collected the following categories of Personal Data:

• Identifiers (name, email address, IP address)
• Commercial information (subscription and billing records)
• Internet or electronic network activity (usage data, log data)
• Professional or employment-related information (calendar data, meeting information, goal data)
• Inferences drawn from the above (Volari Score, pattern analysis, coaching insights, coaching moment detection)

How to Exercise Your Rights

You may submit a verifiable consumer request by emailing privacy@volari.ai. We will verify your identity by matching information you provide with information we have on file.

Notice for California Users

Under California Civil Code Section 1789.3, users of the Service from California are entitled to the following specific consumer rights notice: The Complaint Assistance Unit of the Division of Consumer Services of the California Department of Consumer Affairs may be contacted in writing at 1625 North Market Blvd., Suite N 112, Sacramento, CA 95834, or by telephone at (916) 445-1254 or (800) 952-5210.

13. European Economic Area, United Kingdom & Swiss Privacy Rights

If you are located in the European Economic Area (“EEA”), the United Kingdom (“UK”), or Switzerland, the General Data Protection Regulation (“GDPR”) and applicable local data protection laws provide you with additional rights regarding your Personal Data.

Data Controller

Volari AI, Inc. is the data controller responsible for the processing of your Personal Data as described in this Privacy Policy. You may contact us at privacy@volari.ai for any data protection inquiries.

Legal Bases for Processing

We process your Personal Data only when we have a valid legal basis under the GDPR. See Section 4 (Legal Bases for Processing) for a detailed description of the legal bases we rely on for each type of processing activity.

Your GDPR Rights

In addition to the rights described in Section 11 (Your Rights), you have the following rights under the GDPR:

• Right to Access. You have the right to obtain confirmation of whether we process your Personal Data and to request a copy of that data.
• Right to Rectification. You have the right to request correction of inaccurate Personal Data and completion of incomplete Personal Data.
• Right to Erasure. You have the right to request deletion of your Personal Data when it is no longer necessary for the purposes for which it was collected, when you withdraw consent, or when processing is unlawful.
• Right to Restriction. You have the right to request restriction of processing when you contest the accuracy of the data, the processing is unlawful, we no longer need the data but you require it for legal claims, or you have objected to processing pending verification.
• Right to Data Portability. You have the right to receive your Personal Data in a structured, commonly used, machine-readable format and to transmit it to another controller.
• Right to Object. You have the right to object to processing based on legitimate interests or for direct marketing purposes. Where you object, we will cease processing unless we can demonstrate compelling legitimate grounds.
• Rights Related to Automated Decision-Making. You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. Where Volari makes automated decisions that affect your calendar, you retain the ability to disable these features and reverse any changes at any time (see Section 7).
• Right to Lodge a Complaint. You have the right to lodge a complaint with a supervisory authority in the EEA member state of your habitual residence, place of work, or place of the alleged infringement.

To exercise any of these rights, please contact us at privacy@volari.ai. We will respond within 30 days of receiving your request, as required by the GDPR.

14. International Data Transfers

Volari is based in the United States. If you access the Services from outside the United States, your Personal Data will be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your country of residence.

We apply the protections described in this Privacy Policy to your Personal Data regardless of where it is processed. Where required by applicable law, we implement appropriate safeguards for cross-border data transfers, including:

• EU-US Data Privacy Framework. Volari relies on the EU-US Data Privacy Framework (“DPF”), the UK Extension to the EU-US DPF, and the Swiss-US DPF as set forth by the US Department of Commerce for transfers of Personal Data from the EEA, UK, and Switzerland to the United States.
• Standard Contractual Clauses. Where the Data Privacy Framework does not apply, or as an additional safeguard, we rely on the European Commission's Standard Contractual Clauses (“SCCs”) for transfers of Personal Data to countries that have not received an adequacy decision. Our subprocessors (see Section 15) maintain their own SCCs and data transfer mechanisms.

If you have questions about international data transfers, please contact us at privacy@volari.ai.

15. Service Providers and Subprocessors

We engage the following third-party service providers (“subprocessors”) who may process Personal Data on our behalf in connection with the Services:

• Anthropic, PBC — AI model provider (coaching and calendar optimization features), United States
• OpenAI, Inc. — Voice transcription (Whisper API), United States
• Vercel, Inc. — Cloud hosting and application delivery, United States
• Supabase, Inc. — Database infrastructure and authentication services, United States
• Stripe, Inc. — Payment processing and billing, United States
• PostHog, Inc. — Product analytics, United States
• Functional Software, Inc. (Sentry) — Error monitoring and performance tracking, United States
• RevenueCat, Inc. — In-app purchase and subscription management (mobile), United States
• Expo (650 Industries, Inc.) — Mobile app framework and push notification delivery, United States
• Beehiiv, Inc. — Newsletter delivery (Execution Edge), United States

Each subprocessor is bound by contractual obligations to process Personal Data only as directed by Volari and in accordance with this Privacy Policy. We will provide at least 30 days' notice before engaging new subprocessors that process Personal Data, by updating this section and our Subprocessors page, and, where required by contract, notifying affected users directly.

In addition to the subprocessors above, Volari connects to user-authorized third-party services (Google, Microsoft, Slack, Notion, Linear, Atlassian, Salesforce, HubSpot) via OAuth when you choose to connect your accounts. These integrations process data at your direction under their own privacy policies. A complete list is maintained on our Subprocessors page.

16. Children's Privacy

The Services are not directed to, or intended for, children under 16 years of age. We do not knowingly collect Personal Data from children under 16. If you are under 16, please do not use the Services or provide any Personal Data to us. If you are between 16 and 18 years of age, you may only use the Services with the consent of your parent or legal guardian. If we learn that we have collected Personal Data from a child under 16, we will promptly delete that information. If you believe a child under 16 has provided Personal Data to us, please contact us at privacy@volari.ai.

17. Do Not Track Signals

Some web browsers transmit “Do Not Track” (“DNT”) signals to websites. Because there is no universally accepted standard for how to respond to DNT signals, the Service does not currently respond to or alter its practices when it receives DNT signals from your browser. We will update this Privacy Policy if we adopt a DNT response standard in the future. Regardless of your DNT settings, we do not engage in cross-site behavioral tracking or share your Personal Data with third parties for advertising purposes.

18. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. If we make material changes, we will notify you by posting the updated policy on this page, updating the “Last Updated” date, and, where required by law, providing additional notice (such as email notification or an in-app announcement). Changes will become effective no earlier than 14 days after they are posted, except that changes addressing new features of the Services or changes made for legal reasons may be effective immediately. Your continued use of the Services after any changes become effective constitutes your acceptance of the revised Privacy Policy.

19. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Volari AI, Inc.
Email: privacy@volari.ai
General inquiries: hello@volari.ai