Quotain Privacy Policy

1.1 Information you and your organization provide.

When you or your organization uses the Service, we collect and process the following categories of information (collectively, "Customer Data"):

• Account data: your name, work email address, organization name, role, password hash, (if you register a passkey) the public-key credential used for passwordless sign-in, and (if you sign in with an identity provider) the OAuth identity returned by Google, Microsoft, or another configured provider.
• Roleplay transcripts: the text of each roleplay conversation, including speaker turns, between you and the AI buyer.
• Voice recordings: the audio of each voice roleplay, stored in Cloudflare R2.
• Facial-expression signals: if you choose to turn your camera on during a voice roleplay, your webcam video is analyzed entirely within your browser to derive a timeline of expression and engagement signals — for example, estimated attentiveness, confusion, or emotional tone, each scored from 0 to 1. The raw video and the underlying facial-geometry measurements are processed on your device in real time; they are never transmitted to or stored by Quotain. Only the derived numeric signals are saved, tied to that roleplay session, and shared with the foundation-model provider that produces the delivery feedback on your scorecard. Using your camera is optional: if you keep your camera off or decline the camera permission, no facial-expression signals are collected. We do not use these signals to identify or authenticate you, and we never use them to make decisions that produce legal or similarly significant effects.
• Scorecards and performance metrics: the rubric scores, written feedback, and derived metrics that Quotain produces from each roleplay.
• Buyer personas: the product descriptions, ideal-customer-profile descriptions, and persona attributes that representatives or admins provide so the AI buyer can simulate the right conversation.
• Uploaded files: PDFs, documents, and other files you upload to the in-product knowledge library.
• OAuth-connected integration data: when you connect a third-party tool such as Notion, Salesforce, or Gong, the access tokens we hold and the data those tools return when Quotain uses the integration on your behalf. Integration-derived content may be processed to provide requested features and may be retained where it is imported, saved, included in generated outputs, included in chat history, or otherwise used as part of the Service.
• Support communications: any messages you send us at [email protected] or through other support channels.

1.2 Information collected automatically.

When you interact with the Service, we and our service providers automatically log:

• Telemetry: Langfuse traces of LLM calls (prompts, tool inputs and outputs, model identifiers, latencies); Sentry error reports (stack traces, breadcrumbs); and PostHog product-analytics events (page views, feature usage, anonymous and authenticated user identifiers).
• Application logs: HTTP request logs, including IP address, user agent, request path, timing, and outcome.
• Device and browser data: browser type and version, operating system, device type, screen resolution, and language settings.
• Cookies and similar technologies: see our Cookie Notice for details.

1.3 Information about others.

Some features let you bring information about other people into the Service. When you connect a third-party tool (such as Notion, Salesforce, or Gong) or upload files to the knowledge library, the data we process on your behalf may include personal information about third parties — for example, your prospects, customers, or colleagues. You and your organization are responsible for having the rights and permissions needed to provide that information to us. We process it on your organization's behalf, as a service provider, solely to provide the Service, and we do not use it for our own independent purposes.

1.4 Children.

The Service is intended for use by sales professionals and is not directed to anyone under 18 years of age. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us at [email protected].

4.1 Biometric data: retention and destruction.

This subsection is our written retention schedule and destruction policy for biometric data, published as required by applicable biometric privacy laws, including the Illinois Biometric Information Privacy Act (BIPA). When you choose to enable your camera during a voice roleplay, the facial-expression feature transiently computes facial-geometry measurements within your browser to derive the numeric expression and engagement signals described in Section 1.1.

We do not transmit or store the raw webcam video or the underlying facial-geometry measurements. That biometric data is processed in real time on your device and is permanently destroyed as soon as the analysis that produces each derived signal is complete. We retain only the derived numeric signals, tied to their roleplay session, until you delete that session or close your account. In no event will we retain biometric data, or signals derived from it, longer than the purpose for which it was collected requires, and in any case no later than three (3) years after your last interaction with the Service.

We do not sell, lease, trade, or otherwise profit from biometric data, and we do not disclose it to any third party except as needed to provide the facial-expression feature you have requested — namely, sharing the derived numeric signals with the foundation-model provider that generates your delivery feedback — and only with your consent.

8.1 Your rights.

Depending on your state of residence, you may have the right to:

• Request information about the categories of personal information we collect, the sources of that information, the purposes for which we use it, and the categories of third parties with whom we share it.
• Request access to a copy of the personal information we have collected about you.
• Request correction of inaccurate personal information we hold about you.
• Request deletion of personal information we have collected from you.
• Appeal our denial of a request submitted under these rights.

8.2 No sale, sharing, or targeted advertising.

We do not sell personal information within the meaning of the State Privacy Laws. We do not share personal information for cross-context behavioral advertising. We do not process personal information for targeted advertising purposes. We do not use personal information to engage in profiling that results in legal or similarly significant effects.

8.3 Sensitive personal information.

We do not collect Social Security, driver's license, or financial-account numbers, account credentials, precise geolocation, or information revealing racial or ethnic origin, religious beliefs, health, sex life, sexual orientation, or union membership.

If you choose to enable your camera during a voice roleplay, Quotain analyzes your webcam video within your browser to derive expression and engagement signals, as described in Section 1.1. This processing happens on your device; we do not retain the raw video or the underlying facial-geometry measurements, and we use the derived signals only to give you coaching feedback on your own delivery. We never use them to identify or authenticate you, and never to make decisions that produce legal or similarly significant effects. To the extent any State Privacy Law treats these signals as sensitive or biometric personal information, we process them solely at your direction to provide the feature you have requested, and we limit our use of this information to performing the Service as permitted under those laws.

Your right to limit. You may decline this processing at any time by leaving your camera off, and you may ask us to stop processing or to delete the derived signals we have stored by emailing [email protected]. We do not use sensitive or biometric personal information to infer characteristics about you for our own purposes, or for any purpose other than providing the coaching feedback you have requested.

8.4 Nondiscrimination.

You are entitled to exercise the rights described above free from unlawful discrimination.

8.5 Exercising your rights.

To exercise any of the rights above, email [email protected]. We may need to verify your identity (or that of your authorized agent) before fulfilling your request, and we may require additional information for verification. If your request is denied, you may appeal by replying to our response with the word "Appeal" in the subject line.

8.6 Additional notices.

California Shine the Light. California residents may request information about disclosures of personal information to third parties for their direct marketing purposes. We do not make such disclosures.

Nevada. Nevada residents may request that we not sell their personal information. We do not sell personal information, but you may direct any inquiry to [email protected].

8.7 Categories of personal information we collect, disclose, and sell or share.

The following describes our practices during the preceding 12 months (or since we began offering the Service, if shorter). We collect the categories of personal information below from the sources described in Section 1, for the business and commercial purposes described in Section 2, and we disclose each category only to the categories of recipients described in Section 3. Categories are listed by reference to the statutory categories in the California Consumer Privacy Act (Cal. Civ. Code § 1798.140).

We do not collect protected classification characteristics (category C), education information (category J), or government-issued identification, financial-account, or payment-card numbers. We have not sold or "shared" — as those terms are defined under the State Privacy Laws, including sharing for cross-context behavioral advertising — any category of personal information, and we do not do so.