Last updated: January 6, 2026
This Privacy Policy describes what Assay collects, why, who we share it with, how long it lives, and how to make it stop. It applies to the website at getassay.io, the Assay dashboard, the Assay calling service, and any other service we operate that links to it.
This is the legal version. The short version, which is binding to the same extent the legal version is, is this:
The rest of this document is the precise version, in case it matters in court.
This Privacy Policy describes how KGDT Enterprise Software Solutions LLC ("Assay", "we", "us") collects, uses, and discloses personal information when you use getassay.io, the Assay dashboard, the Assay calling service, and any other website or service we operate that links to this Policy (collectively, the "Service").
Our principal place of business is in Canton, Ohio, United States. We are the data controller for personal information collected through marketing and account administration on the Service. Where we process personal information on behalf of our customers — primarily call recordings and contact-list data — we act as a data processor (or "Service Provider," for the purposes of the California Consumer Privacy Act).
This Policy applies to three categories of person:
Individuals who sign up for an Assay account, including their employees, agency teams, and authorized administrators. We collect account information, billing information, and usage telemetry from customers.
Individuals who Assay calls on behalf of a customer, or who call into a number that routes through Assay. We process the audio of those calls, derived transcripts, and scoring outputs as a processor on behalf of the customer who owns the campaign or inbound line.
Anyone who browses getassay.io. The marketing site does not run analytics or advertising trackers. The only data stored in your browser is your cookie-consent preference (a single localStorage entry). Server infrastructure logs standard HTTP request data — IP address, browser string, and URL — for security and abuse prevention; these logs are not used for marketing profiling and are purged on a rolling 30-day basis.
Name, email address, company name, billing address, and payment information processed via Stripe. We never see your full payment card number.
Any list of contacts a customer uploads to be called, including names, phone numbers, email addresses, and any additional metadata the customer provides for personalization.
Audio recordings of calls placed or received through the Service, time-stamped transcripts, sentiment readings, intent extractions, and the resulting Assay Score for each call. Audio is recorded only where lawful under the relevant state and federal regimes; calls in two-party-consent states include a recorded disclosure at the top of the call.
The marketing site stores a single item in your browser's localStorage: your cookie-consent preference (assay-cookie-consent). No other cookies, localStorage entries, sessionStorage entries, IndexedDB records, or tracking pixels are set by the marketing site. If you use the Assay dashboard (app.getassay.io), standard session cookies are used to maintain your authenticated session; those are covered separately in the dashboard's own policy.
Standard HTTP request logs — IP address, request URL, timestamp, HTTP status code, and browser user-agent string — are generated by our web server for security monitoring and abuse prevention. These are not shared with third parties for marketing purposes and are purged on a rolling 30-day cycle.
The marketing site self-hosts all scripts including the React and Babel libraries from getassay.io/vendor/. No scripts are loaded from third-party CDN origins (unpkg, cdnjs, Google CDN, etc.), so no visitor IP address is disclosed to CDN operators as a consequence of loading the page.
We do not collect biometric identifiers other than voice samples (which are processed transiently for scoring and not retained as biometric templates). We do not collect Social Security numbers, government-issued ID numbers, or financial-account numbers other than payment information. We do not collect health information except where a customer's vertical script captures it; in those cases the customer is responsible for HIPAA compliance and we provide the BAA on the Enterprise tier.
We use personal information to provide and improve the Service. Specifically:
We do not use customer call audio, transcripts, or contact lists to train the underlying language or speech models that power the Service. The scoring model is fine-tuned on a separate, consented dataset which does not include any customer-belonging audio or text.
We share personal information with a small set of subprocessors, each scoped to a single purpose and bound by a written contract:
An up-to-date subprocessor list is maintained at getassay.io/legal/subprocessors. We notify customers by email 30 days before adding a new subprocessor.
We may also disclose personal information in response to a valid legal request — subpoena, court order, or other process that we are legally obligated to honor. When we receive such a request that is not subject to a non-disclosure obligation, we will notify the affected customer before producing data wherever lawful, so the customer has the opportunity to contest the request.
Different categories of data have different retention windows:
When you close your account, we delete your contact lists, transcripts, and any remaining call audio within 30 days, except where we are legally required to retain a record (billing, fraud investigation, valid legal process).
If you are a California resident, the California Consumer Privacy Act ("CCPA") gives you the following rights regarding personal information about you:
To exercise these rights, email [email protected] from the address associated with your account, or — for end-call participants — contact the Assay customer on whose behalf the call was placed; they are the controller of that data and we will support them in completing your request within the statutory window.
We extend the same set of rights, in substance, to residents of any US state with a comprehensive privacy law including Colorado, Connecticut, Texas, Virginia, Utah, Oregon, Montana, and Tennessee.
All data in transit is protected with TLS 1.3. All data at rest is encrypted with AES-256-GCM using per-tenant keys. Customer-managed encryption keys are available on the Enterprise tier.
Access to customer data by Assay personnel is gated behind role-based access control and logged. Engineering access to production data is break-glass only — every access requires written justification, is reviewed weekly, and can be exported to the affected customer on request.
We undergo third-party penetration testing semi-annually. Our most recent SOC 2 Type II report is available to customers and prospective customers under NDA. The full set of compliance controls is described at getassay.io/security.
The Service is intended for use by businesses. We do not knowingly collect personal information from children under the age of 16. If you believe we have inadvertently collected personal information from a child, please contact [email protected] and we will delete it.
Assay processes data only in the United States. We do not have infrastructure, personnel, or subprocessors outside the United States. If you are located outside the United States and you provide personal information to us, you are consenting to its transfer to and processing in the United States.
If your jurisdiction requires a specific lawful basis or cross-border transfer mechanism that is incompatible with US-only processing, the Service may not be available to you. We will say so clearly during account setup rather than after the fact.
The marketing site (getassay.io) uses browser localStorage for one purpose only: storing your cookie-consent preference under the key assay-cookie-consent. The value is either accepted or declined. It is never transmitted to our servers. It persists until you clear your browser storage or use the "Cookie preferences" link in the site footer to reset it.
We do not set HTTP cookies on the marketing site. We do not use tracking pixels, session-replay scripts, heatmap tools, fingerprinting libraries, or advertising tags of any kind on the marketing site.
If and when we add analytics to the marketing site, we will update this Policy before doing so, and we will load any analytics scripts only after your explicit acceptance of the consent banner.
The Assay dashboard (app.getassay.io) uses a session cookie to maintain your authenticated login state. That cookie is HttpOnly, Secure, and SameSite=Strict. It expires when your session ends or after 24 hours of inactivity, whichever is sooner.
We will update this Policy when we change our practices. If a change is material — meaning, it broadens the categories of data we collect, the purposes for which we use it, or the parties with whom we share it — we will notify the named account owner by email at least 30 days before the change takes effect.
Smaller corrections — typo fixes, clarifying language that does not change meaning — may be made without notice; in those cases the "Last updated" date at the top of this page will change but the substance will not.
Privacy questions, deletion requests, or anything else covered by this Policy: [email protected].
Mailing address — for written correspondence and legal process: KGDT Enterprise Software Solutions LLC, 45 Market Ave. North STE 100, Canton, OH 44721, United States.