CommU Privacy Policy

Last updated: December 9, 2025

This Privacy Policy describes how CommU Ltd. (“CommU”, “we”, “us”, “our”) collects, uses, discloses, stores and protects information when you use the CommU platform - whether via our website, mobile application, or other services (collectively, the “Platform”). By using the Platform, you accept and consent to the practices described in this Privacy Policy. If you do not agree with this Privacy Policy, please do not use the Platform.

1. Information We Collect

1.1 Account and Login Information

When you create or use a CommU account, we may collect:

  • Name, email address, and organization or institution (if provided)
  • User role (e.g., clinician, staff member, administrator)
  • Authentication credentials or identifiers, such as email addresses, passwords provided by users at registration or login, hashed passwords, authentication tokens, or single sign-on identifiers.
  • Account status, permissions, and access logs

CommU does not store plaintext passwords.

1.2 User Input and Conversation Data

When you use the Platform’s interpretation and translation features, CommU may process:

  • Audio recordings of conversations submitted for real-time interpretation, translation, or transcription
  • Text input you type into the Platform
  • Text-based outputs generated by the Platform, such as transcripts and translations

By default, audio and text are processed in real time and not stored.

If you explicitly choose to save a conversation, CommU may store the associated audio recordings and transcripts in accordance with your settings and this Privacy Policy.

1.3 Usage Data and Non-PHI Analytics

CommU may collect and process usage, configuration, and technical data that does not constitute Protected Health Information (PHI), including:

  • Language selections and preferences
  • Application settings and configuration choices
  • Feature usage and interaction data (e.g., session duration, frequency of use)
  • Device type, operating system, and application version
  • Error logs, crash reports, and performance metrics
  • Approximate location information (such as country or region inferred from IP address)

Such data may be used solely for operating, securing, supporting, and improving the Platform, including analytics, troubleshooting, usage analysis, and service optimization.

1.4 Communications and Support

If you contact CommU for support, compliance inquiries, or feedback, we may collect:

  • Contact details
  • The content of your communications
  • Support tickets and related correspondence

1.5 Cookies and Similar Technologies (Web Use Only)

When you use the web version of the Platform, we may use cookies or similar technologies to:

  • Maintain user sessions and authentication
  • Store preferences and settings
  • Enable analytics, security, and platform performance monitoring

You may control cookies through your browser settings, subject to functionality limitations.

2. How We Use Your Information

We use collected data for the following purposes:

  • To provide, maintain, and operate the Platform (e.g. speech recognition, translation, transcription, interpretation).
  • To process your inputs in real time, and to return outputs (translations, transcripts) to you.
  • If you consent, to store and archive your data (transcripts, uploads, history) so you can retrieve, review, or export it later.
  • For account management: user authentication, preferences, support, communications with you.
  • For analytics and service improvement: aggregated usage statistics, performance logs, bug detection, product optimization.
  • For legal, compliance, and security purposes: fraud detection, abuse prevention, responding to legal requests or claims, enforcing our Terms of Use, audit and logging.

3. Legal Basis & Consent

  • By using the Platform, you consent to the processing described in this Privacy Policy.
  • For sensitive data (e.g. audio containing PHI, medical context), you must explicitly opt in before storage - otherwise, data is processed only transiently and discarded.
  • If you withdraw consent (for stored data), we will cease future processing/storage and delete your data per your request (see Section 6 below).

4. Data Sharing & Disclosure

We do not sell, rent, or trade your personal data. We may share your data only under these conditions:

  • With Third-Party Service Providers: CommU may engage carefully vetted third-party service providers to perform limited services on our behalf that are necessary to operate and deliver the Platform. These services may include, without limitation, cloud infrastructure and hosting, secure data storage, speech recognition, text-to-speech processing, language model computation, analytics, monitoring, and customer support tooling. Such service providers process data solely on CommU’s behalf, in accordance with our instructions, and are contractually prohibited from using Customer Data or any Protected Health Information (PHI) for their own purposes. All such providers are subject to confidentiality, security, and data-protection obligations consistent with this Privacy Policy, our Terms of Use, and any applicable Business Associate Agreement (BAA).
  • When required by law, regulation, court order, or legal process.
  • To enforce our Terms of Use, protect our rights, safety or property, or those of our users or the public.
  • With your explicit consent (e.g. if you choose to share transcripts or data externally, or export your data).
  • In connection with a business restructuring (e.g. merger, acquisition, sale) - only under confidentiality commitments; and you will be notified in advance.

5. Data Storage, Retention & Deletion

  • Real-time processing without storage (default): By default, audio, translations, transcripts, and other processed data are not retained. Once processing is complete, such data is discarded.
  • Opt-in storage: If you explicitly choose to store data, we retain it in encrypted form on secure servers (e.g. cloud infrastructure with strong security protocols).
  • Default Retention Period.
  • By default, if you choose to store conversation data, CommU retains stored audio recordings and transcripts for up to ninety (90) days from the date of creation. After this period, such data is automatically deleted, unless a different retention period is configured by you or your organization.
  • User-Defined Retention.
  • You or an authorized administrator may modify the default retention period, including extending, shortening, or disabling retention, subject to applicable law and organizational policies.
  • User-Initiated Deletion.
  • You may delete stored conversations, transcripts, or audio recordings at any time through the Platform or by contacting CommU support. Upon deletion, CommU will permanently remove the data from active systems and backups within a reasonable period, unless retention is required by applicable law or contractual obligation.
  • Legal and Compliance Exceptions.
  • In limited cases, CommU may retain certain records for longer periods where required to comply with applicable law, regulation, audit requirements, or to establish, exercise, or defend legal claims.
  • Analytics and Non-PHI Operational Data.                      Notwithstanding the retention periods described above, CommU may retain non-PHI analytics, usage metrics, configuration data, and operational logs for longer periods, including on an ongoing basis, where reasonably necessary to operate, secure, maintain, and improve the Platform, comply with legal or audit obligations, and analyze usage trends. Such data does not include the content of conversations, audio recordings, transcripts, or translations, and is not used to reconstruct individual conversations.


6. Data Security

We employ reasonable technical and organizational measures to protect your data, including:

  • Encryption of data in transit (e.g. HTTPS / TLS) and at rest.
  • CommU implements role-based and credential-based access controls designed to ensure that users may access only their own accounts and the data associated with their authorized role or organization. Access to the Platform requires valid authentication credentials, and users are responsible for maintaining the confidentiality of their login information. CommU restricts internal access to Customer Data to authorized personnel with a legitimate business need, subject to confidentiality and security obligations.
  • Audit logging, monitoring, and periodic security reviews.
  • Compliance-oriented safeguards when handling sensitive or health-related data (e.g. PHI) - in line with industry best practices and, if applicable, regulatory requirements (e.g. HIPAA).

However:

  • No system can guarantee absolute security. You acknowledge that any transmission over the Internet carries inherent risks.
  • We disclaim liability for unauthorized access or breaches caused by factors beyond our control (e.g. user negligence, compromised credentials), subject to applicable law and our liability limitations.


7. User Rights & Controls

Depending on your jurisdiction and role, you have the following rights regarding your personal data:

  • Access: Request a copy of the data we hold about you (account info, stored inputs, transcripts, metadata).
  • Correction: Ask us to correct or update any incorrect or incomplete information.
  • Deletion (“Right to be forgotten”): Request erasure of your stored data. After deletion, we will remove data from active storage and backups (unless legal retention is required).
  • Export / Portability: Request an export of your data (e.g. transcripts, uploaded files, history) in a readable format (e.g. JSON, TXT, PDF).
  • Consent withdrawal: If you previously consented to data storage or processing, you may withdraw consent at any time. Withdrawal will stop future data storage/processing but won’t affect already processed data lawfully handled under prior consent.
  • Opt out of analytics / non-essential data collection: If you prefer not to be included in aggregate analytics or usage statistics, you can request exclusion. However certain security, audit, and operational logs may not be individually deletable.

To exercise any of these rights, please contact us at the details below. We commit to responding within a reasonable timeframe (e.g. 30 days), unless required by law to respond sooner or provide additional information.

8. Children & Minors

The Platform is intended for adults (18+) or authorized clinicians/users. We do not knowingly collect, store, or process data from children under the age of 18. If you believe we have inadvertently collected data of a minor, please contact us immediately - we will delete such data upon request.

9. International Data Transfers

Because CommU may use cloud infrastructure or third-party service providers in different countries, your data may be transferred to, stored, or processed in jurisdictions outside your home country. By using the Platform, you consent to such transfers. We apply industry-standard protections (encryption, confidentiality agreements) to secure your data during transfer and storage.

If you are subject to additional data-protection regulations (e.g. GDPR for EU residents), please contact us; we are committed to applying appropriate safeguards, including Standard Contractual Clauses (SCCs) or local compliance measures, where required.


10. Updates to This Privacy Policy

We may update this Privacy Policy from time to time (for example, when we add new features, change storage practices, or need to comply with new laws). When that happens:

  • We will update the “Last updated” date at the top.
  • We may notify you (e.g. via email if you have an account, or via an in-app or website notice) if changes are material.
  • Your continued use of the Platform after changes constitutes acceptance of the updated Privacy Policy.

We recommend you review this Privacy Policy periodically.

11. Additional Notes for Hospitals, Clinicians & Enterprises

Because many users of CommU may be healthcare institutions, clinicians, or organizations handling sensitive health or protected data:

  • We are committed to compliance with applicable medical-data laws and regulations (e.g. HIPAA for U.S. users).
  • If your institution requires a Business Associate Agreement (BAA) or similar data-handling contract, please contact us - we are prepared to negotiate appropriate terms.
  • We design our default behavior (real-time processing, no storage) to minimize compliance risk while providing flexibility when explicit storage consent is given.

12. Disclaimer & Limitations

  • CommU strives to maintain strong security and privacy protections, but no system is fully immune to risks (e.g. hacking, unauthorized access).
  • By using the Platform, you acknowledge these inherent risks. We disclaim liability for unauthorized access or unintended disclosure unless due to our gross negligence or willful misconduct.
  • For any content processed (translations, transcripts, interpretations), you remain responsible for verifying accuracy, especially when used for medical, legal, or high-stakes decisions.

13. Contact & Data Protection Officer

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us at support@commu.ai

© 2025 CommU, Inc. All rights reserved.