PRIVACY POLICY

DOCENT LABS INC.

EFFECTIVE DATE: NOVEMBER 1, 2025.
LAST UPDATED: MARCH 10, 2026.

Docent Labs Inc. (“Docent,” “we,” “us,” or “our”) respects privacy and takes seriously the trust placed in us by customers, users, and visitors. This Privacy Policy describes how Docent collects, uses, discloses, stores, transfers, and safeguards information in connection with our websites, developer portals, software, APIs, platform features, and related services (collectively, the “Services”). This Privacy Policy also explains the choices and rights that may be available to individuals, depending on location and applicable law.

In many cases, Docent provides infrastructure and developer tools that enable a business customer (“Customer”) to deploy automated agents or communication tools that interact with individuals (“Users”), such as callers or individuals communicating with automated voice agents. In those situations, the Customer controls how the Services are configured and deployed and determines what information is collected, recorded, or otherwise processed during interactions with Users. Docent processes such information on behalf of the Customer in accordance with the applicable Customer Agreement and the Customer’s instructions.

This Privacy Policy is intended to be read together with any applicable master services agreement, statement of work, data processing addendum, or other written agreement governing a customer’s use of the Services (each, a “Customer Agreement”). If there is a conflict between this Privacy Policy and a Customer Agreement regarding the processing of Customer Data (defined below), the Customer Agreement will control to the extent of the conflict.

Anonymous Interactions. Many deployments of the Services are designed to allow individuals to interact with the platform without providing personally identifiable information. For example, when a User scans a QR code in a retail environment and interacts with the Services, the interaction may occur without the User creating an account or submitting identifying information. In such cases, Docent may generate a randomly created, session identifier that allows the system to recognize returning devices or sessions without identifying the individual. These identifiers are designed to enable continuity of interactions and system performance measurement without revealing the identity of the individual interacting with the Services.

1. Scope; Who This Policy Applies To. This Privacy Policy applies to information Docent collects or processes: (a) when you visit our website or interact with our marketing or product pages; (b) when you register for, access, or use the Services; (c) when you communicate with us (including support tickets, emails, calls, or other communications); and (d) when Docent processes information as part of providing the Services to a business customer. This Privacy Policy does not govern information practices of third parties, including third-party services that may integrate with or be accessible through the Services, or information collected by our customers through their own products and applications.
2. Roles and Responsibilities (Docent as Controller vs. Processor). Docent may process information in different roles depending on how the Services are used and how information is submitted to or processed through the platform. When Docent collects information for its own purposes, such as operating our website, managing accounts, billing, security, product improvement, and customer support, Docent generally acts as a “controller” (or “business” under certain U.S. state privacy laws). When a business customer uses the Services to submit, transmit, store, or otherwise make available content or data to be processed through the Services, Docent generally acts as a “processor” (or “service provider”) and processes such data on the Customer’s behalf and in accordance with the Customer’s instructions and the applicable Customer Agreement. In that processor/service provider context, the Customer is responsible for providing appropriate notices to, and obtaining any legally required consents from, its end users and other individuals whose information may be included in Customer Data submitted to the Services.
For clarity, when used in this Privacy Policy:

“Account Data” means information Docent collects in connection with account creation, administration, billing, and customer relationship management, including names, business email addresses, phone numbers, company information, authentication credentials, and related administrative details.

“Customer” means the business entity or organization that purchases, licenses, or otherwise uses the Services, such as a retail store or other business deploying the Services in its operations.

“Customer Data” means data, content, instructions, files, audio recordings, call recordings, transcripts, text, call metadata, and other information that a Customer or its authorized users submit to the Services or cause Docent to process through the Services. Customer Data may include information relating to Users where such information is captured during interactions with the Services.

“Usage Data” means technical and operational information generated through the operation or use of the Services, including logs, telemetry, system diagnostics, API request metadata, performance metrics, and similar operational information.

“User” means an individual who interacts with or communicates with the Services, including individuals who call, message, or otherwise engage with an automated agent or interface operated through the Services on behalf of a Customer.

3. Information We Collect and Process. Docent collects and processes information in several ways.

First, we collect Account Data when you create an account, request a demo, sign up for the Services, purchase a subscription, or otherwise interact with us in a commercial context. Account Data may include name, business email address, phone number, company name, title/role, authentication credentials (or credentials for integrated identity providers), billing contact information, and related administrative details.
Second, we collect and process Usage Data when the Services are accessed or used. Usage Data may include device and browser information, IP address, approximate location derived from IP, timestamps, response status codes, error logs, diagnostic information, performance and latency metrics, system configuration details, and other operational telemetry that helps us provide, secure, and maintain the Services.

In certain deployments of the Services, Docent may generate a randomly assigned identifier associated with a device or session in order to recognize returning interactions with the platform. These identifiers do not directly identify a specific individual and are used solely for operational purposes such as maintaining session continuity, improving system performance, measuring usage patterns, and providing analytics to Customers about the effectiveness of the Services.

Third, we process User Data that users submit to the Services or cause us to process through interactions with the platform. Depending on how a Customer instructs Docent to configure and use the Services, User Data may include audio recordings, voice interactions, transcripts, text inputs, model outputs, reference documents, session identifiers, interaction metadata, and other content processed to deliver requested functionality.

For example, when a User scans a QR code or otherwise interacts with an automated assistant deployed through the Services, the User’s voice, questions, or statements may be temporarily recorded or transcribed in order to process the request and generate a response. These recordings or transcripts may be retained for a limited period of time for system operation, quality monitoring, troubleshooting, and security purposes, after which they may be deleted or de-identified according to system configuration and retention practices.

Docent does not require Users to provide identifying personal information to interact with the Services, and many deployments are designed to operate without collecting information that directly identifies an individual.

Fourth, we collect communications and support information when you contact us, request support, participate in troubleshooting, or communicate with our team. This may include the content of your communications, contact details, and diagnostic details you provide to help resolve issues.

Finally, to the extent payments are required, we process billing and transaction information. Payment transactions are typically processed by third-party payment processors. Docent generally does not store full payment card numbers; instead, we may receive limited payment-related data such as billing contact, payment method type, and transaction status.

4. How We Use Information. Docent uses information to operate the business, provide the Services, and meet legal and contractual obligations. We use Account Data to create and administer accounts, authenticate users, provide access to the Services, communicate operational notices, provide customer support, manage billing and collections, and maintain accurate records of our commercial relationship. We use Usage Data to maintain the reliability and security of the Services, monitor performance, debug and troubleshoot errors, prevent fraud and abuse, enforce acceptable use rules, and improve our infrastructure and feature set. We use communications data to respond to inquiries, provide support, improve our documentation and customer experience, and maintain business records. For clarity, Customer Data and User interaction content remain under the control of the Customer that deploys the Services. Docent processes such information solely for the purpose of providing and supporting the Services in accordance with the applicable Customer Agreement.

Docent processes Customer Data primarily to provide the Services as directed by customers, including processing inputs, generating outputs, routing requests, and returning results to the customer. We may also process Customer Data as reasonably necessary to secure the Services, detect and prevent abuse, respond to incidents, comply with law, and enforce agreements. Where permitted by the applicable Customer Agreement and Customer configuration, we may use limited portions of Customer Data for product improvement activities described below; however, we are deliberate about ensuring customers understand and control how their data is used.

Docent may also create and use aggregated or de-identified information derived from Usage Data and, where applicable, Customer Data, for analytics and improvement purposes. Aggregated or de-identified information is used in a manner intended not to identify any individual or reveal customer confidential content.

Docent may also generate analytics and performance reports derived from interaction data and Usage Data. These reports may include aggregated metrics such as interaction volume, feature usage, session duration, and the number of returning sessions associated with anonymous identifiers. These analytics are designed to help Customers evaluate the effectiveness of the Services in their environment and are not intended to identify individual Users.

5. AI, Model Processing, and Training Practices. Because the Services may involve AI-enabled processing, customers frequently ask whether Customer Data is used to train machine learning models. Docent does not use Customer Data, User Data, interaction recordings, transcripts, or other Customer content to train or improve generalized machine learning or artificial intelligence models unless a Customer has expressly agreed to such use in writing. Customer Data is processed solely for the purpose of providing the Services, including generating responses, routing requests, and returning outputs requested by Customers through their deployment of the Services. Docent may use Usage Data, aggregated metrics, system telemetry, and de-identified operational information to monitor performance, improve system reliability, and maintain the security and functionality of the Services. Such improvement activities are designed not to incorporate Customer Data in a manner that would expose identifiable customer content or confidential information.

6. AI Transparency. The Services may involve automated systems that generate responses, recommendations, or assistance using artificial intelligence technologies. These systems are designed to assist Users in accessing information or completing tasks but do not replace human judgment. Responses generated by automated systems may occasionally be incomplete or inaccurate, and Users should independently verify important information when appropriate.

7. Service Providers, Subprocessors, and Disclosures Without Naming Vendors. Docent uses third-party vendors and service providers (“Service Providers”) to support delivery of the Services. These Service Providers may include providers of cloud hosting and infrastructure, data storage, network connectivity, observability and monitoring, analytics, error reporting, communications tools, identity and access management, customer support systems, and payment processing. In addition, where our Services involve speech-to-text, text-to-speech, or other AI-enabled capabilities, Docent may use specialized third-party providers to deliver those capabilities. Service Providers may process Account Data, Usage Data, and, where required to deliver the Services, Customer Data solely for the purpose of supporting Docent’s operation and delivery of the Services and subject to contractual obligations designed to protect confidentiality, restrict use of information, and require reasonable security safeguards. Docent does not publish vendor brand names in this Privacy Policy. However, upon reasonable request from a business customer, and subject to appropriate confidentiality protections, Docent may provide subprocessor categories and, where appropriate, subprocessor lists used for the Services in connection with that customer’s deployment, particularly where required by enterprise procurement or data protection requirements.

8. Cookies, Tracking Technologies, and Analytics. Docent uses cookies and similar technologies primarily to operate the website, maintain sessions, support authentication, remember preferences, and measure website performance. We may also use analytics tools to understand website traffic and usage patterns and to improve the performance and user experience of our website and developer portal. Where required by law, Docent will provide appropriate notice and choice mechanisms regarding non-essential cookies. You can generally control cookies through your browser settings; however, disabling cookies may affect certain functionality, including login persistence and preferences.

9. Data Retention; Deletion; Customer Controls. Docent retains Account Data for as long as needed to administer accounts, provide the Services, comply with legal obligations, resolve disputes, enforce agreements, and maintain business records. Docent retains Usage Data for as long as reasonably necessary to operate, secure, and improve the Services, including to investigate incidents, detect abuse, and maintain system integrity. At present, retention periods may vary depending on system defaults, operational requirements, and the evolving infrastructure supporting the Services. Docent is in the process of implementing formal retention policies and system architecture designed to support scalable data governance and retention controls. Until such policies are fully implemented, data retention may be governed by system configuration, operational requirements, and applicable contractual obligations. Customer Data retention depends on customer configuration, product settings, and the applicable Customer Agreement. Where the Services provide customer-configurable retention, customers may control whether certain Customer Data, such as recordings, transcripts, logs, or outputs, is stored and for how long. Upon termination of a customer account or upon a verified deletion request consistent with the Customer Agreement, Docent will take commercially reasonable steps to delete or de-identify Customer Data within a reasonable period, subject to necessary retention for legal compliance, security, dispute resolution, and backup systems. Backup and archival systems may retain residual copies for a limited time consistent with standard industry practices, but such copies remain protected by confidentiality and security controls.

10. Security Measures. Docent maintains administrative, technical, and organizational measures designed to protect information against unauthorized access, destruction, loss, alteration, or misuse. Our security measures may include access controls and least-privilege principles, authentication protections, encryption in transit, monitoring and logging, incident detection, and internal policies governing access to customer systems and data. Security measures are designed to be appropriate to the nature of the information and the risk profile of the Services. No method of transmission or storage is completely secure; therefore, while we strive to protect information, we cannot guarantee absolute security. If Docent becomes aware of a security incident involving Customer Data or personal information, we will evaluate the incident and take steps consistent with contractual obligations and applicable law, which may include notifying affected customers and providing information reasonably necessary for customers to meet their own legal obligations.

11. International Data Transfers. Docent is based in the United States, and the Services are currently hosted and operated using infrastructure located within the United States. As a result, information collected or processed through the Services is generally stored and processed within the United States, including through infrastructure providers that support the operation of the Services. If you access the Services from outside the United States, you acknowledge that your information may be transferred to and processed in the United States.

Docent may, in the future, utilize infrastructure or service providers located in additional jurisdictions as the Services evolve. In the event information is transferred outside the United States, Docent will implement appropriate safeguards for cross-border data transfers as required by applicable law, which may include contractual protections or other recognized legal mechanisms.

12. Legal Bases for Processing (For EEA/UK and Similar Jurisdictions). Where applicable law requires a legal basis for processing personal information, Docent generally processes personal information on the basis of one or more of the following: (a) performance of a contract (for example, to provide the Services to you or your organization and administer accounts); (b) legitimate interests (for example, to secure and improve the Services, prevent fraud and abuse, maintain business operations, and provide support), provided such interests are not overridden by your rights; (c) compliance with legal obligations; and (d) consent, where required (for example, for certain cookies or marketing communications, depending on your region and settings). Where Docent acts as a processor for Customer Data, the customer determines the legal bases for processing and Docent processes such data in accordance with the customer’s instructions. Any transfer of information in connection with such transactions will remain subject to the commitments described in this Privacy Policy and any applicable Customer Agreements.

13. Disclosures of Information. Docent may disclose information in the following circumstances: (a) to Service Providers who process information on Docent’s behalf under appropriate contractual restrictions; (b) to comply with law, regulation, legal process, or governmental request, including where we reasonably believe disclosure is necessary to protect rights, property, safety, or the integrity of the Services; (c) to enforce agreements, prevent fraud or abuse, or address security issues; and (d) in connection with corporate transactions, such as a merger, acquisition, financing, reorganization, or sale of assets, where information may be disclosed or transferred as part of due diligence or transaction completion, subject to appropriate confidentiality protections.

Docent does not sell personal information in the conventional sense. Certain U.S. state privacy laws use the term “sharing” to describe the disclosure of personal information for cross-context behavioral advertising. Docent does not engage in such advertising practices using personal information obtained through the Services. Docent may use aggregated or de-identified usage and interaction data for analytics, performance monitoring, and service improvement purposes, which does not constitute the sale or sharing of personal information under applicable law.

14. Individual Rights and Choices. Depending on your jurisdiction, you may have rights regarding personal information, including rights to request access to, correction of, deletion of, or portability of certain personal information, and to object to or restrict certain processing. Docent will respond to verified requests in accordance with applicable law. Where Docent processes Customer Data as a processor/service provider, requests relating to Customer Data should generally be directed to the relevant customer because the customer controls the data and Docent processes it on the customer’s instructions. Docent will, as appropriate, assist customers in responding to such requests consistent with contractual obligations and applicable law.

If you are a Docent business contact or account user, you may update certain account information through your account settings (if available) or by contacting us. Marketing communications may be managed through unsubscribe mechanisms included in emails or by contacting us.

15. Children’s Privacy. The Services are intended for business use and are not directed to children under the age of 13 (or such higher age as may be required by applicable law). Docent does not knowingly collect personal information directly from children. However, because the Services may be deployed by Customers in public-facing environments, individuals of any age may interact with automated systems operated by Customers through the Services (for example, by calling a number, scanning a QR code, or interacting with a voice agent). In such cases, the Customer is responsible for determining how the Services are deployed and for providing any notices or consent mechanisms required by applicable law. If Docent becomes aware that personal information from a child has been collected in violation of applicable law, Docent will take reasonable steps to delete such information.

16. Changes to This Privacy Policy. Docent may update this Privacy Policy from time to time to reflect changes in the Services, legal requirements, or our information practices. When we update the Privacy Policy, we will update the “Last Updated” date above. If changes are material, we may provide additional notice, such as through the Services or by email for account holders, where appropriate.

17. Contact Information. If you have questions about this Privacy Policy or Docent’s privacy practices, please contact:

DOCENT LABS INC.
Email: privacy@docentlabs.ai