PRIVACY POLICY

A. Information You Provide Directly

• Account Data: When you register, we collect your name, email address, username, and password.
• User-Generated Content (UGC): This is the core of our Service. We collect the video and audio recordings of your debates, comments, text inputs, and any other content you choose to broadcast or upload.
• Profile Information: Pictures, bio, and social media links you add to your profile.
• Communications: Content of messages you send to us (support requests) or to other users.

B. Information Collected Automatically

• Usage Data: We collect data about your interactions with the Service (e.g., debates watched, duration of use, "votes" cast, clicks, and log files).
• Device Data: IP address, browser type, operating system, device model, and unique device identifiers.
• Metadata: Information related to your UGC, such as the time and location of the recording.

C. Information from Third Parties

• Social Login: If you log in via Google, Apple, or Facebook, we receive your public profile information (name, email, profile picture) compliant with their policies.
• AI Processing: We use third-party AI services to transcribe and summarize your debates. The text generated from your audio is collected and associated with your account.

What Biometric Data We Collect

• Face Geometry: Your video recordings contain biometric identifiers derived from facial features, which are used for video hosting and processing.
• Voiceprints: Your audio recordings contain voiceprint data derived from speech patterns, which are used for transcription and AI summarization.
• Political Opinions: The content of your debates may reveal your political opinions or views on controversial topics, which is considered sensitive data under GDPR and other privacy laws.

Purpose and Consent

We collect biometric data for the following specific purposes:

• Hosting and streaming live video debates
• Recording and storing debate sessions
• Transcribing audio to text using AI services
• Generating AI-based summaries of debate content
• Creating downloadable video clips for sharing

Just-in-Time Consent (Before Recording)

BIPA Compliance: In compliance with the Illinois Biometric Information Privacy Act and similar laws, we obtain your explicit written consent immediately before collecting biometric data. This is separate from your general acceptance of this Privacy Policy.

When You'll See the Consent Modal: Before you start a video debate, a consent modal will appear on your screen with the following information:

• What Biometric Data: Face geometry from video, voiceprints from audio
• Specific Purpose: Recording, storing, and AI processing of your debate
• How Long We Keep It: Maximum 3 years or until you request deletion
• Who Has Access: Service Providers (Agora, Cloudinary, OpenAI, Google) with strict contracts
• Your Right to Refuse: You can decline and not participate in the debate
• No Sale: We never sell your biometric data

How to Consent: You must check a box stating "I agree to the collection of my biometric data as described above" and click "Start Debate." Your consent is recorded with a timestamp for our records.

Important: If you do not consent, you will not be able to participate in video debates. However, you can still use other features of the Service that do not require biometric data collection (such as watching public debates or browsing content).

Retention Period (3-Year Limit)

In compliance with the Illinois Biometric Information Privacy Act (BIPA) and other applicable laws, we retain biometric identifiers only for as long as necessary to fulfill the purposes described above, or for a maximum of 3 years from your last interaction with the Service, whichever comes first.

Automatic Deletion: Biometric data (including video and audio recordings containing face geometry and voiceprints) will be permanently deleted:

• When you request deletion of your account
• When you request deletion of specific debate recordings
• Automatically after 3 years of account inactivity
• Automatically after 3 years from the date of recording, even if your account remains active

Your Rights Regarding Biometric Data

• Right to Refuse: You may refuse to provide biometric data, but this will prevent you from using the debate recording features of the Service.
• Right to Withdraw Consent: You can withdraw your consent at any time by deleting your recordings or closing your account.
• Right to Deletion: You can request immediate deletion of any debate recording containing your biometric data (subject to a 30-day soft delete grace period).
• No Sale of Biometric Data: We do not and will never sell, lease, trade, or otherwise profit from your biometric identifiers.

Security Measures

Biometric data is protected using industry-standard encryption both in transit (TLS 1.3) and at rest (AES-256). Access to raw biometric data is restricted to authorized personnel only and is logged for audit purposes.

How We Use AI

• Audio Transcription: We use AI services (such as OpenAI Whisper or Google Speech-to-Text) to convert your spoken debate audio into written text.
• Content Summarization: We use large language models (LLMs) to generate summaries of debate transcripts, highlighting key points and arguments.
• Content Analysis: AI may be used to analyze debate content for moderation purposes, detecting potential violations of our Terms of Service.

AI-Generated Content Labeling

All content generated by AI (transcripts, summaries, analyses) will be clearly labeled as "AI-Generated" or with an "AI" badge. You will always know when you are viewing content created by a machine rather than a human.

Important Warning: AI Can Make Mistakes

Hallucination Risk: AI systems, including those we use, can sometimes generate inaccurate, incomplete, or misleading information (known as "hallucinations"). This means:

• Transcripts may contain errors or misheard words
• Summaries may misrepresent your arguments or positions
• AI analysis may draw incorrect conclusions

You should always review AI-generated content for accuracy before relying on it or sharing it publicly.

Your Right to Correction

If AI-generated content about you (such as a transcript or summary) is inaccurate, you have the right to:

• Request Correction: Contact us at info@debatable.tech to report inaccurate AI-generated content
• Request Deletion: Ask us to delete inaccurate AI-generated summaries or transcripts
• Request Re-processing: Request that we re-run AI processing on your debate content
• Manual Review: Request human review of AI-generated content if you believe it significantly misrepresents you

AI Service Providers

We use the following third-party AI service providers:

• OpenAI: GPT models for summarization and language processing
• Google Cloud AI: Speech-to-Text transcription services

These providers operate as "Service Providers" under data protection laws, meaning they cannot use your data to train their models or for any purpose other than providing services to us. We have contractual agreements in place to ensure your data is protected.

No AI Training on Your Data

We do not allow AI providers to train their models on your debate content. Our contracts with AI service providers explicitly prohibit them from using your personal data, biometric data, or debate content for model training, improvement, or any other purpose beyond providing the immediate service.

Service Providers (Sub-Processors)

We share data with carefully selected service providers who help us operate the Service. These companies are contractually bound as "Service Providers" under data protection laws (including CPRA and GDPR), meaning they:

• Can only use your data to provide services to us (not for their own purposes)
• Cannot sell, share, or retain your personal information
• Cannot use your data to train AI models or improve their own products
• Must delete your data when the service relationship ends
• Are subject to strict confidentiality obligations

Our Service Provider Partners

Below is a list of our sub-processors and what they process:

• Agora.io (Video Infrastructure): Processes video/audio streams for real-time debate hosting. Data is encrypted in transit and deleted after 24 hours unless Cloud Recording is enabled.
• Cloudinary (Video Storage): Stores and processes recorded debate videos, generates clips. Data is encrypted at rest (AES-256).
• OpenAI (AI Processing): Processes audio transcripts for summarization using GPT models. Contractually prohibited from using your data for model training. Data is not retained by OpenAI after processing.
• Google Cloud AI (Speech-to-Text): Converts audio to text. Contractually prohibited from using your data for model training. Data is not retained by Google after processing.
• Supabase / PostgreSQL (Database): Stores account data, debate metadata, and user preferences. Data is encrypted at rest and in transit.
• Vercel / AWS (Hosting): Hosts the application infrastructure. Does not have direct access to user content.

CPRA and GDPR Compliance

Under the California Privacy Rights Act (CPRA), sharing data with a vendor becomes a "sale" or "share" if the vendor can use the data for their own purposes (e.g., training AI models, building profiles). We explicitly prohibit this in our contracts:

• All AI providers (OpenAI, Google) are contractually bound as "Service Providers" and cannot use your data for training
• We use OpenAI's "API" service (not "ChatGPT"), which has a zero-retention policy for training
• We enable Google Cloud's data processing agreements that prohibit secondary use

Result: Your debate data is never used to train AI models or improve products you don't use.

Other Sharing Circumstances

• Public Content: Your debates, username, and profile information are public by default and can be viewed by other users and potentially indexed by search engines. You control the visibility of your debates through privacy settings.
• Legal Requirements: If required by law, court order, or in response to valid requests by public authorities (e.g., subpoena, government agency).
• Safety and Enforcement: To protect the rights, property, or safety of Debatable, our users, or the public (e.g., preventing fraud, abuse, or harm).
• Business Transfers: In connection with any merger, sale of company assets, financing, or acquisition of all or a portion of our business. In such cases, we will notify you and ensure the acquiring party honors this Privacy Policy.
• With Your Consent: With your explicit consent for specific purposes not covered in this policy.

Right to Know About Third Parties

You have the right to request a list of all Service Providers who have received your personal information in the past 12 months. To make this request, contact us at info@debatable.tech.

Retention Periods by Data Type

• Account Data: Retained until you request account deletion or for 3 years after your last login (whichever comes first)
• Biometric Data (Video/Audio): Maximum 3 years from recording date or last account activity, as detailed in Section 3
• Debate Transcripts and Summaries: Retained for 3 years from creation date
• Usage Logs and Analytics: Aggregated and anonymized after 12 months, retained indefinitely in anonymized form
• Support Communications: Retained for 2 years from last interaction

Deletion Process (Soft Delete vs Hard Delete)

When you delete content or request account deletion, we use a two-stage deletion process to protect against accidental data loss:

• Stage 1 - Soft Delete (30-Day Grace Period): Your data is marked for deletion and removed from active systems within 24 hours. During this 30-day period, you can contact us to restore your data if you change your mind.
• Stage 2 - Hard Delete (Permanent): After 30 days, your data is permanently deleted from all production systems and cannot be recovered.

Backup Retention

Important Disclosure: Even after hard deletion from production systems, your data may remain in encrypted backup systems for up to 90 additional days. This is a standard industry practice for disaster recovery purposes.

• Backup Cycle: We create encrypted backups every 24 hours
• Backup Retention: Backups are retained for 30-90 days depending on the backup type (daily vs. weekly)
• Backup Security: All backups are encrypted at rest using AES-256 and access is restricted to authorized personnel only
• Maximum Total Retention: From the date you request deletion, your data will be completely erased from all systems (including backups) within 120 days maximum (30-day soft delete + 90-day backup retention)

How to Request Deletion

You can delete your data through the following methods:

• Account Settings: Delete individual debates or your entire account through your account settings page
• Email Request: Send a deletion request to info@debatable.tech with your account email and specify what you want deleted (specific debates, all debates, or full account)
• Response Time: We will process deletion requests within 48 hours and confirm via email when the soft delete is initiated

Legal Retention Exceptions

In certain limited circumstances, we may be required to retain your data for longer periods:

• Legal Compliance: If required by law, court order, or government investigation
• Dispute Resolution: If your account is involved in an active legal dispute, complaint, or Terms of Service violation
• Safety and Fraud Prevention: If your data is needed to investigate fraud, abuse, or other harmful activities

In these cases, we will notify you (unless legally prohibited) and retain only the minimum data necessary for the specific purpose.

Voluntary Provision of Information

By law, you are not obligated to provide us with any personal information. Providing information is done at your own free will and consent. However, without providing certain information, we may not be able to provide the Service:

• Essential Information: Email address, name, and camera/microphone access are required to use the debate features
• Optional Information: Profile pictures, bio, and social media links are optional and not required to use the Service

Database Owner and Registration

The database owner is Debatable, located in the USA. The database is registered in accordance with Israeli law where required. If you have questions about database registration, contact us at info@debatable.tech.

Amendment 13 Compliance (Effective August 2025)

Israeli Amendment 13 modernizes privacy law to align with GDPR principles. Key changes affecting Debatable users:

• Biometric Data Classification: Your video and audio recordings are classified as "biometric data" under Israeli law and receive enhanced protections
• Sensitive Information: Political opinions expressed in debates are considered "sensitive information" requiring explicit consent
• Profiling and Automated Decisions: If we use automated systems to make decisions affecting you, you have the right to human review
• Breach Notification: We will notify you within 72 hours if your personal data is involved in a data breach

Data Protection Officer (DPO)

Under Amendment 13, organizations that conduct "systematic monitoring" of individuals or process sensitive data at scale must appoint a Data Protection Officer (DPO). As Debatable processes video debates containing political opinions and biometric data:

• We have appointed an internal DPO responsible for privacy compliance
• The DPO oversees data processing activities and ensures compliance with Israeli law
• You can contact our DPO at info@debatable.tech with privacy concerns

Your Rights Under Israeli Law

Under Israeli privacy law, you have the following rights:

• Right of Access: Request a copy of the personal information we hold about you
• Right to Correction: Request correction of inaccurate or incomplete information
• Right to Deletion: Request deletion of your personal data (subject to legal retention requirements)
• Right to Object: Object to processing of your data for certain purposes (e.g., marketing)
• Right to Data Portability: Receive your data in a structured, machine-readable format
• Right to Withdraw Consent: Withdraw consent for data processing at any time
• Right to Complain: File a complaint with the Israeli Privacy Protection Authority if you believe your rights have been violated

To exercise these rights, contact us at info@debatable.tech. We will respond to requests within 30 days.

Data Security Standards

In compliance with the Privacy Protection Regulations (Data Security), 5777-2017, we implement:

• Encryption of data in transit (TLS 1.3) and at rest (AES-256)
• Access controls limiting data access to authorized personnel only
• Regular security audits and penetration testing
• Incident response procedures for data breaches
• Employee training on privacy and security best practices

Contact for Israeli Privacy Matters

For questions specific to Israeli privacy law or to exercise your rights under Israeli law, contact:

• Email: info@debatable.tech (Attention: DPO / Privacy)
• Israeli Privacy Protection Authority: If you wish to file a complaint, visit www.gov.il/privacy