Privacy Policy

Last updated: May 15, 2026  ·  Effective: May 15, 2026

1. Overview

VoxelEon, a product of Global Elite Concern (GEC), is committed to protecting the privacy and security of personal data. This Privacy Policy describes how we collect, use, process, store, and disclose information when you use the VoxelEon platform, website, APIs, SDKs, or any related services (collectively, the "Services").

VoxelEon is designed and operated in alignment with the requirements of the General Data Protection Regulation (GDPR), HIPAA, SOC 2, and ISO 27001. If you have questions about this policy, contact us at support@voxeleon.com.

2. Data We Collect

2.1 Account & Identity Data

  • Name, email address, and password hash (PBKDF2-SHA256; passwords are never stored in plaintext)
  • Organizational affiliation and assigned role (annotator, reviewer, manager, admin, owner)
  • Subscription plan tier (free, professional, enterprise)
  • Account creation timestamp, last login, and session metadata

2.2 Platform Usage Data

  • Dataset uploads — image files and associated metadata submitted for annotation
  • Annotation actions — label edits, approvals, rejections, and escalations with timestamps
  • Confidence scores and model outputs associated with each annotation event
  • Audit trail entries — every label version, annotator ID, and correction event (immutable)
  • API request logs — endpoints accessed, HTTP methods, response codes, latency (no request bodies)

2.3 Technical & Infrastructure Data

  • IP address, browser user-agent, and operating system (for security and fraud prevention)
  • Prometheus metrics — aggregated, anonymized platform performance telemetry
  • Error logs and stack traces (sanitized — personal data stripped before logging)

2.4 Data We Do Not Collect

  • We do not collect payment card data — billing is handled by PCI-DSS-compliant third-party processors
  • We do not use advertising trackers, third-party marketing pixels, or behavioral profiling cookies
  • We do not sell, rent, or trade personal data to any third party

3. How We Use Your Data

  • Service delivery: authenticate users, enforce RBAC, route annotation tasks, and generate platform outputs
  • Quality assurance: compute consensus scores, track annotator accuracy, detect systematic bias or drift
  • Active learning: use anonymized correction signals to improve AI model confidence calibration
  • Security: detect unauthorized access, rate-limit abuse, and maintain JWT session integrity
  • Compliance: maintain immutable audit trails for HIPAA, GDPR, and SOC 2 obligations
  • Platform improvement: aggregate, anonymized usage analytics to guide product development
  • Communications: service-critical notifications (password resets, security alerts, billing notices)

4. Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA), we process personal data under the following legal bases:

  • Contract performance (Art. 6(1)(b)): processing necessary to provide the Services you have subscribed to
  • Legitimate interests (Art. 6(1)(f)): security monitoring, fraud prevention, and platform stability
  • Legal obligation (Art. 6(1)(c)): compliance with applicable laws including audit retention requirements
  • Consent (Art. 6(1)(a)): where explicitly obtained for optional communications

5. Data Storage & Security

Technical Safeguards

  • Passwords hashed with PBKDF2-SHA256 (260,000 iterations) — OWASP 2024 standard
  • JWT sessions signed with HS256; tokens expire and are invalidated on logout
  • All data encrypted in transit (TLS 1.2+) and at rest (AES-256)
  • Role-based access control enforced at the application layer and via OPA policy engine
  • Secrets managed via environment variables — never committed to version control
  • Audit log entries are cryptographically immutable — no delete or modify operations permitted

Infrastructure

  • Primary storage: Google Cloud Storage (GCS) and Firestore — data centers in agreed-upon regions
  • Vector embeddings: Qdrant — stored on isolated container networks, not accessible externally
  • PostgreSQL 15/16 databases — restricted network access, no public endpoint exposure
  • Monitoring data: Prometheus + Grafana — internal network only, no personal data in metrics

6. Data Retention

  • Active accounts: data retained for the duration of the subscription plus 90 days after termination
  • Audit trails: retained for a minimum of 7 years for compliance with HIPAA and enterprise obligations
  • API logs: retained for 90 days in rolling log storage, then purged
  • Deleted accounts: personal identifiers purged within 30 days of verified deletion request; anonymized aggregates may be retained indefinitely

7. Your Rights (GDPR)

If you are located in the EEA, UK, or Switzerland, you have the following rights with respect to your personal data:

  • Right of access (Art. 15): request a copy of the personal data we hold about you
  • Right to rectification (Art. 16): request correction of inaccurate or incomplete data
  • Right to erasure (Art. 17): request deletion of your personal data where no overriding legal obligation applies
  • Right to data portability (Art. 20): receive your data in a structured, machine-readable format
  • Right to object (Art. 21): object to processing based on legitimate interests
  • Right to restrict processing (Art. 18): request temporary restriction of processing
  • Right to lodge a complaint: with your local supervisory authority

To exercise any of these rights, contact us at support@voxeleon.com. We will respond within 30 days.

8. Data Sharing & Third Parties

  • We do not sell personal data to any third party under any circumstances
  • We may share data with sub-processors (e.g., cloud infrastructure providers, billing processors) under data processing agreements (DPAs) that enforce equivalent protections
  • We may disclose data if required by law, court order, or to protect the rights and safety of our users and services
  • In the event of a merger or acquisition, data may be transferred as part of business assets — users will be notified in advance

9. Cookies & Tracking

The VoxelEon platform uses only essential session cookies required for authentication and security. We do not use:

  • Third-party advertising or marketing cookies
  • Cross-site tracking technologies
  • Browser fingerprinting beyond basic security verification

Session tokens are stored in HTTP-only, SameSite=Strict cookies where applicable to prevent CSRF attacks.

10. International Data Transfers

If we transfer personal data outside the EEA, we do so under Standard Contractual Clauses (SCCs) approved by the European Commission, or equivalent safeguard mechanisms. Enterprise customers may negotiate data residency requirements as part of their contracts.

11. Children's Privacy

The VoxelEon platform is not directed at individuals under the age of 16. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, contact us immediately at support@voxeleon.com.

12. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices, legal requirements, or platform capabilities. We will notify registered users of material changes via email at least 14 days before the effective date. The current version will always be published at voxeleon.com/privacy.

13. Contact & Data Controller

Data Controller: Global Elite Concern (GEC), operating VoxelEon

Privacy inquiries: support@voxeleon.com

Website: voxeleon.com

For GDPR-related requests, include "GDPR Request" in your email subject line. We will verify your identity before processing any data access, rectification, or erasure request.