Coraltalk AI Data Privacy and Protection Terms

Effective Date: April 23 2026
Last Updated: April 23 2026

Coraltalk AI Inc. ("Coraltalk", "we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our AI-powered oral assessment and roleplay platform ("Services"), accessible via coraltalk.com and app.coraltalk.com.

By using our Services, you agree to the collection and use of information in accordance with this policy. If you do not agree, please discontinue use of our Services.


1. Data Collection and Handling

1.1 Personal Data We Collect

Coraltalk AI may collect or process the following categories of personal data, either directly or through authorized third-party services:

• Identity data: Full name, email address, and contact details

• Voice and assessment data: Voice recordings and spoken responses captured during oral assessments and roleplay interactions

• Account credentials: Username, hashed password (where applicable), and authentication tokens managed via Clerk

• Payment and billing information: Processed securely via Stripe — Coraltalk never stores raw card data

• Technical data: Device type, IP address, browser type, operating system, and session identifiers

• Usage data: Interaction patterns, feature usage, assessment results, and platform activity

• Educational data: Course information, rubric configurations, and grade data synced via Canvas LMS integration

• Any additional information you voluntarily provide when contacting support or using the platform

1.2 Why We Collect Personal Data

We collect personal data to:

• Provide, operate, and improve the Coraltalk AI platform and Services

• Authenticate users and manage secure access to the platform

• Process payments and manage billing (via Stripe)

• Deliver AI-driven voice assessments, grading, and personalized learning experiences

• Sync course data and grades with Canvas LMS on behalf of instructors and institutions

• Conduct product research and development to improve service quality

• Detect, prevent, and respond to fraudulent or unauthorized activities

• Comply with applicable legal obligations


1.3 How Personal Data Is Used

Personal data is used exclusively to:

• Enable and deliver AI-powered oral assessments and roleplay interactions

• Process audio and voice input through our speech-to-text pipeline (Deepgram) and AI grading systems (OpenAI)

• Generate assessment scores and feedback for instructors and students

• Provide customer support and respond to user enquiries

• Improve platform functionality through aggregated, anonymized analytics (PostHog)

• Detect and prevent security threats and unauthorized access

We do not use your personal data or uploaded content to train AI models. Our AI inference is conducted via third-party API providers (OpenAI, Deepgram, ElevenLabs) under commercial agreements that prohibit the use of customer data for model training. OpenAI Zero Data Retention (ZDR) is enabled for all AI inference requests.

1.4 Data Retention

We retain personal data only as long as necessary to fulfil the purposes for which it was collected, unless a longer retention period is required by law. Our retention schedules are as follows:

Data Type                             Retention Period                      Notes
Active account data                   Duration of account + 2 years         Deleted upon account closure + grace period
Voice recordings and assessment data  Until deleted by user or institution  Permanently removed upon deletion request
Payment records                       7 years                               Required by tax and financial
Audit and security logs               12 months                             MongoDB Atlas Activity Feed and Vercel logs
Anonymized analytics                  Indefinite                            Non-personal aggregated data only

Once data is no longer needed, we securely delete or irreversibly anonymize it.

2. Non-Personal Data Collection & Usage

2.1 Non-Personal Data We Collect

We may collect anonymized or aggregated non-personal data, directly or via third-party analytics tools (PostHog), including:

• Usage patterns and interaction data

• Device type and operating system

• Browser type and version

• AI performance metrics and error rates

• Platform load and performance statistics

2.2 How We Use Non-Personal Data

• Improving AI model performance and service quality

• Enhancing platform security and reliability

• Generating anonymized insights for business development and product roadmap decisions

• Monitoring system health and observability (via Vercel Observability and PostHog)

3. Privacy by Default

Coraltalk AI enforces privacy by default across its architecture:

• Minimum data collection: Only data necessary to deliver the Services is collected

• Encryption at rest: All data stored in MongoDB Atlas is encrypted using AES-256 (WiredTiger Encrypted Storage Engine)

• Encryption in transit: All data transmitted uses TLS 1.2 or higher — enforced across all services

• Access controls: Role-based access control (RBAC) ensures only authorized personnel can access personal data

• No AI training on user data: Customer data is never used to train or fine-tune AI models

• Secure file storage: Files and voice recordings are stored in AWS S3 with SSE-S3 encryption and accessed only via short-lived presigned URLs

• Keyless AWS access: Coraltalk uses OIDC Federation to access AWS — no static credentials are stored

• MFA enforced: Multi-factor authentication is required for all administrative access to production systems

4. Compliance with Data Protection Laws

4.1 GDPR Compliance

If you are located in the European Economic Area (EEA), you have the following rights under the General Data Protection Regulation (GDPR):

• Right to access — request a copy of your personal data held by Coraltalk

• Right to rectification — request correction of inaccurate or incomplete data

• Right to erasure — request permanent deletion of your data (subject to legal retention requirements)

• Right to data portability — request transfer of your data in a machine-readable format

• Right to withdraw consent — withdraw consent at any time without affecting the lawfulness of prior processing

• Right to restrict or object — object to or restrict certain types of processing

To exercise any of these rights, contact: adhi@coraltalk.com. We will respond within 30 days.

4.2 COPPA Compliance (United States)

Coraltalk AI is not designed for or directed at children under the age of 13. We do not knowingly collect personal data from children under 13 without verifiable parental consent. If we become aware that a child under 13 has provided personal data without parental consent, we will promptly delete that data. If you believe a child under 13 has submitted personal data to us, please contact adhi@coraltalk.com.

4.3 EU Digital Services Act (DSA) Compliance

In accordance with the EU Digital Services Act (DSA), Coraltalk AI ensures:

• Transparency in AI-generated responses and content

• Clear content moderation policies for platform interactions

• User rights to report and appeal content decisions

4.4 CCPA Compliance (California, USA)

California residents have the following rights under the California Consumer Privacy Act (CCPA):

• Right to know what personal data is collected, used, shared, or sold

• Right to delete personal data (subject to legal exceptions)

• Right to opt out of the sale of personal data — Coraltalk does not sell personal data

• Right to non-discrimination for exercising CCPA rights

To exercise CCPA rights, contact: adhi@coraltalk.com.

4.5 PIPEDA Compliance (Canada)

For users in Canada, Coraltalk AI complies with the Personal Information Protection and Electronic Documents Act (PIPEDA). This includes obtaining meaningful consent for data collection, limiting use to stated purposes, and providing access to personal data upon request.

5. Third-Party Data Processing & Sub-Processors

Coraltalk AI uses the following authorized sub-processors to deliver the Services. All sub-processors are contractually bound to comply with applicable data protection regulations:

Sub-Processor     Data Processed                        Purpose                           Location
Vercel            Request data, logs                    Hosting & edge compute            USA / Global
MongoDB Atlas     All user and assessment data          Primary database                  USA (us-east-1/2)
AWS (S3, Lambda)  Files, audio, documents               File storage, OCR, transcription  USA (us-east-1)
OpenAI            Assessment transcripts (ZDR enabled)  AI grading & evaluation           USA
Deepgram          Voice audio streams                   Speech-to-text transcription      USA
ElevenLabs        Text prompts for audio generation     Voice synthesis (TTS)             USA
Clerk             User identity, session tokens         Authentication & identity         USA
Stripe            Billing data (no raw card data)       Payment processing                USA
Inngest           Job event metadata                    Async job queue                   USA
PostHog           Anonymized usage events               Product analytics                 USA / EU
Canvas LMS        Course data, student roster, grades   Course & grade sync               Institution-hosted

6. Security Measures

Coraltalk AI implements the following technical and organizational security measures to protect your data:

• Encryption in transit: TLS 1.2+ enforced on all connections — HTTPS mandatory, HTTP redirected

• Encryption at rest: AES-256 for all data in MongoDB Atlas, SSE-S3 for all files in AWS S3

• Access controls: Role-based access control (RBAC) across all systems

• Multi-factor authentication: Required for all admin access to production infrastructure

• Network security: Vercel WAF with DDoS mitigation, bot protection, and custom firewall rules

• Keyless cloud access: OIDC Federation for AWS — no static credentials stored

• Monitoring and alerting: 24/7 observability via Vercel Observability with automated anomaly alerts

• Regular security reviews: Quarterly firewall rule reviews, SOC 2 compliance programme

• Backups: Automated hourly backups with 7-day retention, fully encrypted

While we implement industry-standard security measures, no system is completely immune to security risks. We encourage users to use strong passwords and enable MFA on their accounts.

7. Your Choices & Rights

You have the following rights regarding your personal data:

• Access: Request a copy of all personal data Coraltalk holds about you

• Correction: Request correction of inaccurate or incomplete personal data

• Deletion: Request permanent deletion of your personal data (subject to legal retention requirements). When you delete content from the platform, it is permanently and irreversibly removed.

• Portability: Request your data in a portable, machine-readable format

• Restriction: Request that we restrict processing of your data in certain circumstances

• Objection: Object to processing of your data for specific purposes

• Withdrawal of consent: Withdraw consent at any time for consent-based processing

To exercise any of these rights, contact us at adhi@coraltalk.com. We will acknowledge your request within 5 business days and respond in full within 30 days.

8. Updates to This Policy

We may update this Privacy Policy periodically to reflect changes in legal requirements, business practices, or our technology stack. When we make significant changes, we will:

• Update the Effective Date at the top of this document

• Notify registered users via email at least 14 days before changes take effect

• Post a notice on the platform at app.coraltalk.com

Your continued use of the Services after the effective date of any update constitutes your acceptance of the revised policy.

9. Contact Us

For any questions, concerns, or requests related to this Privacy Policy or your personal data, please contact:

Contact          Details
Data Controller  Coraltalk AI Inc.
Privacy Contact  Adhi Mittal, Co-Founder & CTO
Email            adhi@coraltalk.com
Website          coraltalk.com