Assay
How it works
PricingBlog
Start free trial →

Contents

Plain-English summaryWho we areWho this policy coversWhat we collectHow we use itWho we share it withHow long we keep itYour rightsHow we secure itChildrenOutside the USCookies and local storageChanges to this PolicyContact

Last updated: January 6, 2026

Privacy Policy

This Privacy Policy describes what Assay collects, why, who we share it with, how long it lives, and how to make it stop. It applies to the website at getassay.io, the Assay dashboard, the Assay calling service, and any other service we operate that links to it.

Plain-English summary

This is the legal version. The short version, which is binding to the same extent the legal version is, is this:

  • We collect what we need to place and score calls — your contact lists, the audio of those calls, transcripts, and the scores we produce.
  • We store all of it on US servers, region-locked. It never crosses a border.
  • We never sell your data and we never train the underlying model on your customers' voices or your transcripts.
  • We keep call audio for 90 days by default. Transcripts and scores live in your account until you delete them.
  • You can export everything, delete everything, or pause processing at any time from your dashboard.
  • The marketing site stores nothing but your cookie-consent choice. No analytics, no tracking, no advertising.

The rest of this document is the precise version, in case it matters in court.

Who we are

This Privacy Policy describes how KGDT Enterprise Software Solutions LLC ("Assay", "we", "us") collects, uses, and discloses personal information when you use getassay.io, the Assay dashboard, the Assay calling service, and any other website or service we operate that links to this Policy (collectively, the "Service").

Our principal place of business is in Canton, Ohio, United States. We are the data controller for personal information collected through marketing and account administration on the Service. Where we process personal information on behalf of our customers — primarily call recordings and contact-list data — we act as a data processor (or "Service Provider," for the purposes of the California Consumer Privacy Act).

Who this policy covers

This Policy applies to three categories of person:

Customers

Individuals who sign up for an Assay account, including their employees, agency teams, and authorized administrators. We collect account information, billing information, and usage telemetry from customers.

End-call participants

Individuals who Assay calls on behalf of a customer, or who call into a number that routes through Assay. We process the audio of those calls, derived transcripts, and scoring outputs as a processor on behalf of the customer who owns the campaign or inbound line.

Site visitors

Anyone who browses getassay.io. The marketing site does not run analytics or advertising trackers. The only data stored in your browser is your cookie-consent preference (a single localStorage entry). Server infrastructure logs standard HTTP request data — IP address, browser string, and URL — for security and abuse prevention; these logs are not used for marketing profiling and are purged on a rolling 30-day basis.

What we collect

Account information

Name, email address, company name, billing address, and payment information processed via Stripe. We never see your full payment card number.

Contact list data

Any list of contacts a customer uploads to be called, including names, phone numbers, email addresses, and any additional metadata the customer provides for personalization.

Call audio and derived data

Audio recordings of calls placed or received through the Service, time-stamped transcripts, sentiment readings, intent extractions, and the resulting Assay Score for each call. Audio is recorded only where lawful under the relevant state and federal regimes; calls in two-party-consent states include a recorded disclosure at the top of the call.

Browser storage

The marketing site stores a single item in your browser's localStorage: your cookie-consent preference (assay-cookie-consent). No other cookies, localStorage entries, sessionStorage entries, IndexedDB records, or tracking pixels are set by the marketing site. If you use the Assay dashboard (app.getassay.io), standard session cookies are used to maintain your authenticated session; those are covered separately in the dashboard's own policy.

Server infrastructure logs (marketing site)

Standard HTTP request logs — IP address, request URL, timestamp, HTTP status code, and browser user-agent string — are generated by our web server for security monitoring and abuse prevention. These are not shared with third parties for marketing purposes and are purged on a rolling 30-day cycle.

Static asset delivery

The marketing site self-hosts all scripts including the React and Babel libraries from getassay.io/vendor/. No scripts are loaded from third-party CDN origins (unpkg, cdnjs, Google CDN, etc.), so no visitor IP address is disclosed to CDN operators as a consequence of loading the page.

What we do not collect

We do not collect biometric identifiers other than voice samples (which are processed transiently for scoring and not retained as biometric templates). We do not collect Social Security numbers, government-issued ID numbers, or financial-account numbers other than payment information. We do not collect health information except where a customer's vertical script captures it; in those cases the customer is responsible for HIPAA compliance and we provide the BAA on the Enterprise tier.

How we use it

We use personal information to provide and improve the Service. Specifically:

  • To place and answer calls on behalf of our customers, the core function of the Service.
  • To compute Assay Scores from call content and surface them in the dashboard and via API.
  • To deliver dispatch actions you have configured — calendar bookings, CRM updates, SMS follow-ups, Slack notifications.
  • To bill you accurately and provide receipts and invoices.
  • To respond to support requests and notify you about meaningful changes to the Service.
  • To detect, investigate, and prevent fraud, abuse, and violations of our Terms of Service.

We do not use customer call audio, transcripts, or contact lists to train the underlying language or speech models that power the Service. The scoring model is fine-tuned on a separate, consented dataset which does not include any customer-belonging audio or text.

Who we share it with

We share personal information with a small set of subprocessors, each scoped to a single purpose and bound by a written contract:

  • Retell AI, Inc. — voice orchestration, speech-to-text, and call handling. Audio is processed through Retell AI’s US-hosted infrastructure; held in memory only and never written to disk.
  • ElevenLabs, Inc. — speech synthesis (text-to-speech) for outbound voice. US inference.
  • Google LLC (Gemini 2.0 Flash) — language-model inference for transcript understanding and decision logic. Operated under a no-retention enterprise endpoint; no data sent for inference is logged, retained, or used for training.
  • Supabase, Inc. — database for transcripts, scores, and account records. US region.
  • Hetzner Online GmbH — compute and storage for the Assay application. US deployment.
  • Stripe, Inc. — payment processing. Receives only billing information; never receives call content or contact-list data.

An up-to-date subprocessor list is maintained at getassay.io/legal/subprocessors. We notify customers by email 30 days before adding a new subprocessor.

We may also disclose personal information in response to a valid legal request — subpoena, court order, or other process that we are legally obligated to honor. When we receive such a request that is not subject to a non-disclosure obligation, we will notify the affected customer before producing data wherever lawful, so the customer has the opportunity to contest the request.

How long we keep it

Different categories of data have different retention windows:

  • Call audio — purged 90 days after the call. Enterprise customers may dial this down to 7 days.
  • Transcripts and Assay Scores — retained in the customer's account until the customer deletes them or closes the account.
  • Contact-list data — retained until the customer removes it or closes the account.
  • Account and billing records — retained for 7 years after account closure to satisfy tax and accounting obligations.
  • Audit logs — retained for 365 days from the action they describe.
  • Server infrastructure logs (marketing site) — purged on a rolling 30-day cycle.
  • Cookie-consent preference — stored in your browser's localStorage until you clear it. Not held on our servers.

When you close your account, we delete your contact lists, transcripts, and any remaining call audio within 30 days, except where we are legally required to retain a record (billing, fraud investigation, valid legal process).

Your rights

If you are a California resident, the California Consumer Privacy Act ("CCPA") gives you the following rights regarding personal information about you:

  • The right to know what personal information we have collected, used, and shared.
  • The right to delete personal information we hold about you, subject to certain exceptions.
  • The right to correct inaccurate personal information.
  • The right to opt out of the sale or sharing of your personal information. We do not sell or share personal information for cross-context behavioral advertising.
  • The right to limit our use and disclosure of sensitive personal information.
  • The right not to receive discriminatory treatment for exercising any of the above.

To exercise these rights, email [email protected] from the address associated with your account, or — for end-call participants — contact the Assay customer on whose behalf the call was placed; they are the controller of that data and we will support them in completing your request within the statutory window.

We extend the same set of rights, in substance, to residents of any US state with a comprehensive privacy law including Colorado, Connecticut, Texas, Virginia, Utah, Oregon, Montana, and Tennessee.

How we secure it

All data in transit is protected with TLS 1.3. All data at rest is encrypted with AES-256-GCM using per-tenant keys. Customer-managed encryption keys are available on the Enterprise tier.

Access to customer data by Assay personnel is gated behind role-based access control and logged. Engineering access to production data is break-glass only — every access requires written justification, is reviewed weekly, and can be exported to the affected customer on request.

We undergo third-party penetration testing semi-annually. Our most recent SOC 2 Type II report is available to customers and prospective customers under NDA. The full set of compliance controls is described at getassay.io/security.

Children

The Service is intended for use by businesses. We do not knowingly collect personal information from children under the age of 16. If you believe we have inadvertently collected personal information from a child, please contact [email protected] and we will delete it.

Outside the US

Assay processes data only in the United States. We do not have infrastructure, personnel, or subprocessors outside the United States. If you are located outside the United States and you provide personal information to us, you are consenting to its transfer to and processing in the United States.

If your jurisdiction requires a specific lawful basis or cross-border transfer mechanism that is incompatible with US-only processing, the Service may not be available to you. We will say so clearly during account setup rather than after the fact.

Cookies and local storage

The marketing site (getassay.io) uses browser localStorage for one purpose only: storing your cookie-consent preference under the key assay-cookie-consent. The value is either accepted or declined. It is never transmitted to our servers. It persists until you clear your browser storage or use the "Cookie preferences" link in the site footer to reset it.

We do not set HTTP cookies on the marketing site. We do not use tracking pixels, session-replay scripts, heatmap tools, fingerprinting libraries, or advertising tags of any kind on the marketing site.

If and when we add analytics to the marketing site, we will update this Policy before doing so, and we will load any analytics scripts only after your explicit acceptance of the consent banner.

The Assay dashboard (app.getassay.io) uses a session cookie to maintain your authenticated login state. That cookie is HttpOnly, Secure, and SameSite=Strict. It expires when your session ends or after 24 hours of inactivity, whichever is sooner.

Changes to this Policy

We will update this Policy when we change our practices. If a change is material — meaning, it broadens the categories of data we collect, the purposes for which we use it, or the parties with whom we share it — we will notify the named account owner by email at least 30 days before the change takes effect.

Smaller corrections — typo fixes, clarifying language that does not change meaning — may be made without notice; in those cases the "Last updated" date at the top of this page will change but the substance will not.

Contact

Privacy questions, deletion requests, or anything else covered by this Policy: [email protected].

Mailing address — for written correspondence and legal process: KGDT Enterprise Software Solutions LLC, 45 Market Ave. North STE 100, Canton, OH 44721, United States.

© 2026 Assay · KGDT Enterprise Software Solutions LLC
AboutBlogHow it worksPricingAgencySecurityPrivacyTermsLinkedInCookie preferences
The systemLead generationHiringReceptionistHome servicesDental & medicalReal estateLaw firmsMed spa