Rumbe AI
Privacy Policy

Privacy built for regulated environments.

How Vovance Inc. handles information across Rumbe AI — designed for organizations that may process PII or PHI, with multi-tenant isolation, encryption, and AI integrity controls.

Privacy at a glance

Tenant-isolated, source-anchored, audit-logged.

  • 01 Organization-level isolation across the database and application
  • 02 AES-256-GCM secret encryption with separated key management
  • 03 PHI access logs and SHA-256 AI transaction integrity records
  • 04 We do not sell PII or PHI, and do not train public models on customer content

This document is a template and should be reviewed by qualified legal counsel before publication, especially if Rumbe AI is used in healthcare, insurance, financial services, or other regulated industries.

1. Who we are

Rumbe AI is a product of Vovance Inc. and is owned, provided, operated, and commercially administered by Vovance Inc.

  • Business Address: 1338 Eastbrooke Trace, Marietta, GA 30066, USA
  • Website: https://rumbe.ai
  • Parent / Operator: Vovance Inc.
  • Product Platform: Rumbe AI
  • Products: The Scout, The Mothership, and related Rumbe AI modules

For customer deployments, Rumbe AI may operate as a technology service provider, processor, subprocessor, or business associate, depending on the contractual relationship and the nature of the data processed.

2. Scope of this policy

  • Rumbe AI websites and product pages
  • The Scout customer-facing chatbot and customer portal
  • The Mothership enterprise AI support platform
  • Embedded chat widgets deployed on customer websites
  • Agent dashboard, admin dashboard, and support operations tools
  • APIs, integrations, secure actions, ticketing, voice, and automation
  • Knowledge base ingestion, retrieval, and AI-assisted workflows

This Policy does not replace the privacy policy of a Rumbe AI customer. If you interact with a Rumbe AI-powered assistant on a customer’s website, that customer remains responsible for its own privacy notices and lawful basis for processing user data.

3. Information we collect

3.1 Account and organization information

  • Organization name
  • Administrator name
  • Agent or user name
  • Business email address
  • Company details
  • Role, permissions, and access level
  • Billing, invoice, payment status, plan, commercial account, and deployment configuration

3.2 Customer support interaction data

  • Chat messages and support requests
  • Ticket details and conversation history
  • Sentiment, urgency, routing, and escalation signals
  • Knowledge base references used to generate answers
  • Human handoff details
  • Secure action events (billing, payment, appointment, account workflows)

3.3 PII and PHI

Depending on the customer’s use case, Rumbe AI may process PII or PHI including name, email, phone, account identifiers, support context, and healthcare-related information for regulated deployments. Where PHI is processed, additional contractual protections may apply, including a BAA where required.

3.4 Technical and usage data

  • IP address
  • Browser and device information
  • Session metadata
  • Widget domain and deployment source
  • Login/logout events
  • API request metadata
  • Error logs and diagnostic events
  • Security events
  • Performance and reliability metrics

3.5 Knowledge base and customer content

Customers may upload or authorize access to help center articles, FAQs, policies, product documentation, internal playbooks, ticket history (where enabled), and other approved sources for retrieval-augmented generation. Rumbe AI is designed to answer from approved sources and maintain source-anchored responses.

4. How we use information

  • Provide, operate, and maintain Rumbe AI
  • Power AI-assisted support, deflection, triage, routing, and escalation
  • Deliver The Scout chatbot and customer portal
  • Deliver The Mothership enterprise support command platform
  • Authenticate users and manage secure sessions
  • Enforce organization-level data isolation
  • Enable agent handoff and support workflows
  • Generate source-anchored AI responses
  • Process secure actions authorized by customers or end users
  • Monitor reliability, performance, abuse, fraud, and security risks
  • Maintain audit trails and forensic records
  • Support compliance, privacy, and contractual obligations
  • Improve platform quality, accuracy, and safety

We do not use customer content, PII, or PHI to train public AI models unless explicitly agreed in writing and legally permitted.

5. Data classification and privacy controls

5.1 Classification tiers

  • High: PII, PHI, account identities, agent identities, sensitive support content
  • Medium: Operational support records, configuration data, KB metadata, routing, workflow records
  • Low: General platform metadata, public configuration labels, non-sensitive analytics

5.2 PII protection

User identities, agent identities, and organization-level personal details are treated as high-sensitivity data and isolated with elevated controls.

5.3 Email blinded indexing

Where email lookup is required, Rumbe AI may use HMAC-based blinded indices so the system can match users by email without storing or exposing plain-text email in searchable indexes.

5.4 Right to erasure

Rumbe AI supports erasure workflows through soft-delete patterns such as deletedAt across PII-heavy tables, enabling scrubbing and applicable deletion requests.

6. PHI and regulated data safeguards

6.1 PHI access auditing

  • Accessor ID
  • Record ID
  • Fields accessed
  • Access type
  • Reason for access
  • Timestamp

6.2 AI integrity audit

Rumbe AI may maintain AI transaction logs containing SHA-256 hashes of AI request payloads, creating an integrity record without duplicating sensitive content unnecessarily.

6.3 Business Associate Agreements

Where required by law or contract, Vovance Inc. may enter into a BAA with covered entities or business associates using Rumbe AI for PHI-related workflows.

7. Multi-tenant data isolation and encryption

7.1 Organization-level isolation

Customer data is isolated using organization-level identifiers, and one organization is not permitted to access another organization’s data.

7.2 Secret management

API keys and integration secrets are not stored in plain text. Secrets may be encrypted using AES-256-GCM with unique initialization vectors and authentication tags.

7.3 Encryption key separation

Application-level secrets encryption is managed using a dedicated secrets encryption key that is separate from primary database credentials.

7.4 BYOL architecture

Rumbe AI may support BYOL/BYOK for providers such as OpenAI, Groq, Gemini, Twilio, Stripe, SMTP providers, and other integrations, allowing customers to control provider relationships and applicable data terms.

8. AI providers and subprocessors

Rumbe AI may connect to AI, communication, payment, analytics, email, database, hosting, and other infrastructure providers as needed. Depending on configuration, providers may include OpenAI, Groq, Gemini, Twilio, Stripe, SMTP/email providers, vector retrieval systems, and hosting / monitoring providers. See the Subprocessors page for the current disclosure framework.

9. Retrieval-augmented generation and vector security

  • Knowledge base records are associated with the customer’s organization
  • Vector collections are tenant-isolated
  • Retrieval is restricted to the organization’s own approved content
  • The AI should not retrieve another organization’s knowledge base content
  • Responses are designed to be grounded in approved sources and governed by customer-configured guardrails

10. Application-level security

10.1 Authentication and sessions

Rumbe AI may use JWT-based authentication, secure session management, and session secret rotation capabilities.

10.2 Role-based access

Access may be limited by role, organization, permissions, and product area, including customer administrator, agent, operator, and system-level access.

10.3 Audit trails

  • Login and logout activity
  • Status changes
  • Configuration changes
  • Chat transfers
  • Ticket routing and escalation events
  • Secure action events
  • Administrative actions

10.4 Input validation

Rumbe AI uses strict schema validation across API boundaries to reduce injection risks and unsafe data processing.

10.5 Widget security

Embeddable chat widgets may use a dual-key system (public key + server-side secret key hash) and domain whitelisting to prevent unauthorized embedding.

11. Infrastructure and network security

  • Separate configuration for support, agent, and admin environments
  • TLS/SSL support for email delivery and SMTP connections
  • SMTP certificate validation controls
  • Secure environment variables and secret management
  • Access-controlled deployment environments
  • Monitoring, logging, and operational alerting

12. Cookies and similar technologies

Rumbe AI websites and deployed interfaces may use cookies, local storage, session identifiers, and similar technologies to keep users signed in, secure sessions, remember preferences, measure performance, detect abuse, and support analytics. Customers embedding Rumbe AI widgets are responsible for disclosing cookie or tracking behavior in their own privacy notices where required.

13. Data retention

We retain information only as long as reasonably necessary to provide the service, maintain security and audit trails, support customers, comply with legal obligations, and resolve disputes. Periods vary by contract, plan, configuration, and whether the data includes PII or PHI. Customers may request deletion or export of applicable data subject to legal, security, and contractual limitations.

14. Data sharing and disclosure

  • With service providers and subprocessors that help operate Rumbe AI
  • With AI providers configured by the customer or by Rumbe AI
  • With payment, communication, email, hosting, logging, security, and infrastructure providers
  • With the customer organization that controls the relevant deployment
  • To comply with law, regulation, subpoena, court order, or government request
  • To protect rights, safety, security, platform integrity, or prevent fraud and abuse
  • In connection with a merger, acquisition, financing, restructuring, or sale of assets

We do not sell PII or PHI.

15. Customer responsibilities

  • Providing accurate privacy notices to their own users
  • Obtaining required consents and permissions
  • Configuring knowledge sources, prompts, workflows, and integrations responsibly
  • Ensuring they do not upload prohibited or unnecessary sensitive data
  • Managing user access and agent permissions
  • Reviewing AI responses and escalation workflows for regulated or high-risk use cases
  • Complying with laws applicable to their industry and users
  • Managing their own BYOL provider accounts and data processing terms

16. End user responsibilities

End users should avoid submitting unnecessary sensitive personal information unless the customer deployment clearly requests it and provides appropriate notice. AI-generated responses may be helpful but should not be treated as professional, medical, legal, financial, tax, insurance, or emergency advice unless verified through authorized human channels.

17. International data transfers

Information may be processed in the United States or other countries where Rumbe AI, Vovance Inc., customers, providers, subprocessors, or infrastructure partners operate. Where required, we use appropriate contractual and technical safeguards for cross-border processing.

18. Your privacy rights

  • Access personal information
  • Correct inaccurate information
  • Delete personal information
  • Restrict or object to processing
  • Request data portability
  • Withdraw consent where processing is based on consent
  • Opt out of certain sharing or marketing activities

If you are an end user of a Rumbe AI-powered assistant operated by one of our customers, please contact that customer first. We may need to coordinate with the customer because they may be the controller of your data.

19. Children’s privacy

Rumbe AI is not intended for use by children under the age required by applicable law. Customers must not knowingly configure Rumbe AI to collect information from children unless legally permitted and properly authorized.

20. Security limitations

We use technical, organizational, and administrative safeguards to protect information. However, no system can be guaranteed to be completely secure. Customers and users are responsible for maintaining secure credentials, managing access, and using the platform responsibly.

21. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last Updated” date and may provide additional notice where required.

22. Contact us

Vovance Inc. / Rumbe AI · 1338 Eastbrooke Trace, Marietta, GA 30066, USA · Website: https://rumbe.ai

Frequently asked questions

Does Rumbe AI sell personal information?

We do not sell PII or PHI.

Is customer content used to train public AI models?

We do not use customer content, PII, or PHI to train public AI models unless explicitly agreed in writing and legally permitted.

How is multi-tenant data kept separate?

Customer and organization data is isolated using organization-level identifiers, and one organization is not permitted to access another organization’s data.

How are provider API keys protected?

Secrets may be encrypted using AES-256-GCM with unique initialization vectors and authentication tags, using a dedicated secrets encryption key separate from primary database credentials.

What rights do end users have?

Depending on location, users may have rights to access, correct, delete, restrict, port their data, or withdraw consent — typically coordinated with the customer that controls the deployment.
