Privacy Policy

This Privacy Policy explains how Daya Corp("Voxly," "we," "us") collects, uses, shares, and protects personal data when you visit our marketing site, sign in to a workspace, or submit feedback through a customer's Voxly-powered portal. Voxly is a multi-tenant feedback platform: our customers (companies) collect feedback from their end users via branded portals.

We act as a controller for marketing-site visitors, workspace administrators, and billing contacts. We act as a processorfor the end-user ("portal user") data our customers collect through their workspaces — the customer is the controller for that data and their privacy notice governs its primary use. Where law requires, our role and obligations are codified in the Data Processing Addendum (DPA) made available to customers on request.

Account data. Email address, display name, hashed password (managed by Supabase Auth), workspace role. Collected when you sign up or are invited to a workspace.

Workspace content. Boards, feedback posts, comments, votes, segment assignments, and configuration you create inside a workspace. May contain personal data if you or your end users include it in free-text fields.

End-user (portal user) data.When an end user submits feedback through one of our customers' portals, we collect the email address and display name they provide, plus an optional customer-supplied opaque identifier (externalUserId). We process this data on the customer's behalf and for their stated purposes.

Billing data. Billing contact name and email, plus a Stripe customer and subscription identifier. We never store payment card data— Stripe holds it under PCI DSS SAQ A scope.

Technical and security data. IP address, user agent, request timestamps, and audit-log entries. Used to operate, secure, and debug the service. IP and user agent are stored only inside the audit log; emails are redacted from non-audit logs (first character + domain).

Cookies. We set strictly necessary HTTP-only session cookies for authentication. We do not set advertising cookies. We do not currently set analytics cookies; if we add them, we will request consent for non-essential cookies in applicable regions.

We use personal data to:

• Provision and operate workspaces, boards, and portals (the core service);
• Authenticate users, enforce tenant isolation via Postgres row-level security, and maintain an audit trail;
• Bill subscriptions and manage account lifecycle through Stripe;
• Generate vector embeddings of feedback titles and descriptions through OpenAI's text-embedding-3-small API to power our Autopilot search and clustering features (server-side only; embeddings are not used to train OpenAI models);
• Send transactional email (account verification, invitations, security alerts) via our email provider;
• Detect and respond to abuse, debug errors (via Sentry, with request bodies, cookies, and auth headers stripped), and meet legal and contractual obligations.

Where the EU/UK GDPR applies, we rely on the following lawful bases:

• Contract performance— for workspace subscription, billing, and the operation of features the customer has contracted for.
• Legitimate interests— for product security, abuse detection, audit logging, and the limited processing required to serve our customers as processor (operating their portals on their instructions). We balance these against your rights and freedoms.
• Consent— for any non-essential cookies, marketing communications, or features that require it. You can withdraw consent at any time.
• Legal obligation— to retain audit-log entries (1 year minimum under PCI DSS 10.5.1) and to respond to lawful requests.

We use the following sub-processors. A live, dated list is published at voxly.io/legal/sub-processors. Customers can subscribe to material-change notifications.

• Supabase— managed Postgres, authentication, storage. Holds the primary database (encrypted at rest, TLS 1.3 in transit).
• Vercel— hosting, edge runtime, content delivery. Processes requests and serves application code.
• Stripe— subscription billing and payment processing. Holds card data under their own PCI scope; we hold only customer and subscription tokens.
• Sentry— error tracking and 10%-sampled session replay. Replay sessions are recorded with all text masked, all inputs masked, and all media blocked; request bodies, cookies, and authentication headers are stripped before transmission.
• OpenAI— vector embedding API for feedback content (titles and descriptions). OpenAI does not train on Voxly API data. Standard API retention is 30 days for abuse monitoring.
• Email delivery vendor(Resend or successor) — transactional email delivery only.

When a workspace administrator connects an integration (e.g. Jira, Slack, Zapier), data flows to that connector vendor under the workspace's own configuration. Each connector vendor is disclosed at the sub-processor URL above with a Data Processing Addendum executed before the connector is enabled.

Voxly is operated from the United States. Personal data we receive may be transferred to, stored in, or processed in the US and other countries where our sub-processors operate. Where data leaves the EU, UK, or Switzerland, we rely on the European Commission's Standard Contractual Clauses (SCCs) and equivalent UK and Swiss mechanisms, supplemented by the technical and organisational measures described in our DPA (encryption in transit and at rest, role-based access, audit logging, and tenant isolation through row-level security).

We retain personal data for the periods set out below.

Soft-deleted records remain queryable to platform staff for the grace period and are then hard-deleted. Audit-log entries linking to a deleted person are anonymised (actor and resource identifiers replaced with a tombstone UUID; sensitive payload fields stripped) so that the audit record itself is preserved without re-identifying the individual.

We protect personal data with technical and organisational controls including: row-level security policies on every tenant-scoped table; AES-256 encryption at rest (Supabase managed); TLS 1.3 in transit; HTTP-only session cookies; secret storage in Supabase Vault (service-role access only); a structured audit log with payload redaction; an incident-response runbook with a 72-hour GDPR notification clock; and change management through code review, automated tests, and staged deployments.

No system is perfectly secure. If you believe you have discovered a vulnerability, please email security@voxly.io. We do not take legal action against good-faith security research conducted under our responsible-disclosure guidelines.

If the EU/UK GDPR applies to you, you have the right to:

• Access the personal data we hold about you;
• Request rectification of inaccurate data;
• Request erasure (the "right to be forgotten");
• Restrict or object to processing;
• Receive your data in a portable, machine-readable format;
• Withdraw any consent you have given;
• Lodge a complaint with your supervisory authority (we will identify the lead authority once an EU representative is designated — see Section 13).

For end users of a customer's portal, please contact the workspace operator (controller) first; we will assist them as processor. For data we hold as controller, email privacy@voxly.io. We respond within 30 days.

If you are a California resident, you have the right to know what personal information we collect, the right to delete it, the right to correct it, and the right to opt out of its sale or sharing. We do not sell personal information and we do not share it for cross-context behavioral advertising.

To exercise a CCPA right, email privacy@voxly.io. We will verify your identity using information already associated with your account. We do not discriminate against users who exercise their rights.

Voxly is not directed to children under 16, and we do not knowingly collect personal data from them. If you believe a child has provided us with personal data, contact privacy@voxly.io and we will delete it.

We do not make decisions producing legal or similarly significant effects about you using solely automated processing. Our Autopilot features cluster, summarise, and recommend feedback — they assist human reviewers and do not, on their own, determine access, pricing, or eligibility.

We may update this policy. Material changes (for example, adding a sub-processor that receives personal data, or expanding the categories of data we collect) will be notified at least 30 days before they take effect, by email to workspace administrators and by an in-product notice. The "Last updated" date at the top reflects the most recent revision.

Controller: Daya Corp (operating Voxly).

Privacy enquiries: privacy@voxly.io
Security disclosures: security@voxly.io
Legal: legal@voxly.io

Data Protection Officer: not currently designated; an EU representative under GDPR Article 27 will be appointed before general availability. Until then, please direct all GDPR enquiries to privacy@voxly.io.

This policy is provided in good faith and reflects the controls we have shipped to date. The full set of controls (data classification, retention, vendor register, incident response, audit-log architecture) is documented internally and available to customers under NDA.