Privacy Policy – VOXUM
This policy (the 'Policy') describes the processing of personal data carried out by MAJ Holding Sàrl ('MAJ', 'we', 'our') in connection with the VOXUM service available at https://voxum.maj.digital (the 'Site/Service').
Controller: MAJ Holding Sàrl, Ch. Bois-Gentil 7, 1203 Geneva, Switzerland. IDE/CHE: CHE-391.786.123. Contact: info@maj.digital
By accessing the Site/Service, you ('User', 'you') agree that your personal data will be processed in accordance with this Policy. We may modify the Policy; in case of material changes, we will inform you appropriately. If you do not accept the changes, stop using the Site/Service. This Policy complements our Terms of Service.
1) Our activity and your privacy
VOXUM performs brand positioning analyses by querying AI providers and search tools (OpenAI, Anthropic/Claude, Perplexity, Firecrawl, Google) based on predefined prompts. We intermediate requests to third parties and aggregate their responses to provide reports.
- Data minimization: only data necessary for Service execution is collected.
- We do not use your data to train our models. Where providers offer no-training parameters, we enable them when available.
- Third-party providers are responsible for their own processing and policies.
We process your data under Swiss nFADP and, where applicable, the GDPR.
2) What data do we collect?
2.1 Data you provide to us
- Account & identification: first name, last name, organization, role, email, phone.
- Billing & contracts: billing address, country, VAT/IDE, payment methods (via provider), histories.
- Operational content: prompts, keywords, brand/product lists, contexts, uploaded files.
- Support: messages, tickets, demo recordings (with consent), preferences.
2.2 Data collected automatically
- Technical data & logs: IP, timestamps, URLs, session identifiers, user-agent, performance, security.
- Cookies & analytics: see §8.
2.3 Data from public sources and providers
- Public content via Firecrawl/Google (web pages, search results).
- AI model outputs generated from your prompts.
Customer responsibility: if you provide us with third-party data, you warrant you have a legal basis and adequate information.
3) Legal bases & processing
- Contract performance: account, analyses, support.
- Legitimate interests: security, fraud/abuse prevention, Service improvement, aggregated analytics, legal defense, internal management.
- Legal obligations: accounting, tax, retention.
- Consent: marketing emails, non-essential cookies, demo recordings.
Technical & organizational measures: encryption, access control, logging, testing, key management. Anonymization/pseudonymization where appropriate (objection per legal basis).
4) Purposes
- Provide the Service: execute requests, orchestrate calls to providers, deliver reports, maintenance, support.
- Billing & customer management: contracts, payments (via provider), collections, operational communications.
- Security: abuse detection, account protection, continuity.
- Product improvement: usage measurement, testing, prompt quality.
- B2B marketing (with consent): newsletter, events, content.
- Compliance: legal obligations, authority requests, defense of rights.
5) Sharing & subprocessors
We do not sell your data. Sharing only with:
- Subprocessors: Vercel, Neon (Postgres), Stripe (payments), UseAutumn (subscriptions), OpenAI, Anthropic/Claude, Perplexity, Firecrawl, Google (APIs/Analytics), hosting/monitoring/email/anti-abuse.
- Independent controllers as applicable: some providers for their own purposes (security, compliance).
- Authorities & advisors: legal obligations, rights protection, financing/transaction operations (under adequate NDAs).
Transparency: subprocessor list available on request; prior notice for material changes where required.
6) International transfers
Hosting primarily in Switzerland/EU (notably via Neon). Transfers outside Switzerland/EU/EEA (e.g., United States) may occur if necessary to perform the Service. Safeguards: SCCs (EU 2021/914) adapted to Swiss law and appropriate supplementary measures. By providing your data, you consent to such transfers as permitted by law.
7) Retention periods (principles)
- Account & identity: contract term + 24 months.
- Billing & accounting: 10 years.
- Prompts & outputs: by default 12 months (configurable/shortenable upon request).
- Technical logs: 12 months (up to 24 months in case of abuse).
- Marketing: until consent withdrawal or 24 months of inactivity.
Anonymized data may be retained longer for statistical purposes.
8) Cookies & analytics
- Necessary: operation, security, session.
- Preferences: user settings.
- Audience measurement: Google Analytics (aggregated statistics). Opt-out possible via consent banner and browser.
Refusing certain cookies may limit functionalities. See dedicated Cookies Policy where applicable.
9) Your rights
- Access, rectification, erasure.
- Portability (if applicable), restriction, objection (legitimate interest/direct marketing).
- Withdrawal of consent at any time (no retroactive effect).
Exercise your rights: info@maj.digital. Right to lodge a complaint: FDPIC (Switzerland) or your local EU authority.
10) Security
Proportionate measures: encryption, segmentation, least privilege, vulnerability management, backups, logging, subprocessor review. No security is absolute; follow good practices (strong passwords, 2FA, caution with exports).
11) Roles: controller/processor & customer obligations
- MAJ is controller for account data, billing, Site usage, and orchestration of requests.
- MAJ is processor for third-party personal data provided to produce analyses (DPA available on request).
- You remain responsible for the lawfulness of data you enter and informing data subjects where required.
AI outputs may contain errors; we limit inclusion of unnecessary personal data and honor deletion requests when possible and lawful.
12) Children
B2B service; not intended for persons under 16. If collected inadvertently, contact us for deletion.
13) Contact
MAJ Holding Sàrl – VOXUM Email: privacy@maj.digital Address: Ch. Bois-Gentil 7, 1203 Geneva, Switzerland
14) Appendix – Key subprocessors
| Provider | Role | Purpose | Location(s) | Data categories |
|---|---|---|---|---|
| Neon (neon.com) | Subprocessor | Postgres database | EU (per chosen region) | Account, prompts, outputs, metadata |
| OpenAI | Subprocessor / independent controller where applicable | AI generation via API | US/EU per region | Prompts, minimal context, outputs |
| Anthropic (Claude) | Subprocessor / independent controller where applicable | AI generation via API | US/EU per region | Prompts, minimal context, outputs |
| Perplexity | Subprocessor / independent controller where applicable | Search/AI via API | US/EU per region | Queries, minimal context, outputs |
| Firecrawl | Subprocessor | Public content retrieval | Variable | URLs, public content, metadata |
| Google (APIs / Analytics) | Subprocessor / independent controller where applicable | Search, infra, analytics | Global (incl. US/EU) | Online identifiers, usage metrics |
| Stripe | Subprocessor | Payments & billing (portal) | Global (incl. US/EU) | Name, email, billing address, customer IDs, metadata and payment tokens |
| UseAutumn | Subprocessor | Subscriptions & customer management (UseAutumn) | EU/US per region | Account identifiers, email, subscription state, plan metadata |
| Vercel | Subprocessor | Hosting & deployment | Global (incl. US/EU) | Server logs, IP, request metadata |