Phensy — Privacy Policy
Version: v1 (draft, pending counsel review) Effective date: (to be set on publication) Last updated: 2026-05-15
This is a draft prepared by the Phensy team without independent legal review. It is provided in good faith and reflects our actual processing operations, but it is not legal advice and may need to be adjusted following review by qualified counsel.
1. Who we are
Phensy ("Phensy", "we", "us") is a live video discussion service operated by:
Mehmet Erkanar — sole trader Stenmursgatan 23 SE-523 47 Ulricehamn Sweden
For any privacy-related question — including exercising the rights described in Section 9 below — contact us at [email protected].
For general questions: [email protected].
We are the data controller for the personal data described in this Policy.
2. Scope
This Policy describes how we collect, use, and share personal data when you:
- Visit phensy.com, phensy.ai, or phensy.app (the latter two redirect to phensy.com)
- Create a Phensy account
- Join or host a Phensy room
- Purchase a Pro subscription or a ticket to a paid room
- Communicate with us by email or other channels
It does not cover third-party websites or services we link to. Those have their own privacy policies.
3. What personal data we collect
We try to collect only what we genuinely need to run the service. Categories:
3.1 Account data
When you sign up — via Google, Microsoft, or magic-link email — we receive and store:
- Your email address
- Your display name and profile picture (if you signed in with Google or Microsoft and chose to share them)
- A unique account identifier we generate
- Which identity providers you've used (Google, Microsoft, magic-link), so we can show "you signed up with…" hints
- Your subscription tier (Free / Pro) and account creation date
3.2 Content you create
When you use Phensy to host or join a discussion ("table"), we collect:
- The rooms you create (name, description, schedule, ticket price if paid, AI feature settings)
- Tickets you buy or sell (which room, which buyer, when, how much — payment card details are not stored by us; see Section 3.4)
- Chat messages, questions, polls, and other text content you contribute inside rooms
- Audio from the live video discussion, while it is taking place — see Section 4 for how this is processed
- Transcripts and AI-generated summaries / recaps derived from the audio above
- Calendar invitations and RSVPs for scheduled rooms
3.3 Technical / usage data
Automatically collected when you interact with the service:
- IP address, browser type, operating system, device language
- Pages and features used, rooms joined, session duration
- Timestamps of actions (logins, room joins, ticket purchases)
- Error logs if something breaks during your session
3.4 Payment data
If you purchase a Pro subscription or a ticket, Stripe processes your payment directly. We do not store your card number, CVV, or full bank details. We receive from Stripe only:
- A Stripe customer ID linked to your account
- The last 4 digits and brand of the card used (for showing in your billing page)
- Receipts, refund records, and subscription status
- Your billing address (which Stripe uses for tax calculation and we store for invoice records)
Stripe's own privacy policy: https://stripe.com/privacy
4. Special note: recording, transcription, and AI features
Phensy uses AI features to assist live discussions: real-time recap, a Q&A copilot, fact-checking suggestions, poll generation, and follow-up question prompts. These work by capturing and processing what is said in the room.
When a Phensy room is live and AI features are enabled:
- The audio of participants is streamed to a transcription provider (currently OpenAI Whisper and/or Deepgram) to convert speech to text in near real-time.
- The resulting transcript is sent to an AI model (currently Anthropic Claude) to generate summaries, surface questions, and suggest fact-checks.
- The transcript and AI-generated outputs are stored as part of the room's record, so participants can see the recap afterwards.
- We do not use participant audio or transcripts to train AI models. The sub-processors we use have contractual obligations not to train on inputs sent through their APIs.
Hosts are responsible for informing all participants that the room is being recorded and AI-processed before the discussion begins. We surface this in the join flow, but the host carries the contextual responsibility.
You can find out which sub-processors handle this audio at the time of your session in Section 6.
5. Why we process this data (legal bases under GDPR Article 6)
| Processing | Purpose | Legal basis |
|---|---|---|
| Operating the service (creating accounts, joining rooms, hosting tables) | Performance of the contract between you and us (Article 6(1)(b)) | Contractual necessity |
| Processing payments and managing subscriptions | Performance of the contract; compliance with tax/accounting law | Contractual necessity + legal obligation |
| Recording, transcribing, and AI-processing room audio | Delivering the recap, Q&A and other AI features you signed up for | Contractual necessity |
| Sending transactional emails (sign-in links, ticket confirmations, billing receipts) | Performance of the contract | Contractual necessity |
| Detecting and preventing fraud, abuse, or security incidents | Protecting the service and other users | Legitimate interests (Article 6(1)(f)) |
| Aggregated analytics about how features are used | Improving the service; product decisions | Legitimate interests |
| Keeping records of taxable transactions | Tax law | Legal obligation (Article 6(1)(c)) |
| Optional marketing communications | Telling you about new features (only when you've signed up for it) | Consent (Article 6(1)(a)) |
You can withdraw any consent at any time. Withdrawal does not affect the lawfulness of processing before the withdrawal.
6. Who we share your data with (sub-processors)
We rely on third-party services to operate Phensy. The list below is current as of the Last updated date at the top of this Policy. We will update it (with notice) if we add or change sub-processors.
| Sub-processor | Purpose | Where they process | Transfer safeguard |
|---|---|---|---|
| Stripe Payments Europe Ltd. | Payments, subscriptions, billing portal | Ireland (EU) with global support | Within EU; SCCs for any transfer outside |
| Anthropic, PBC | AI model (Claude) for recap, Q&A, fact-check, poll generation | United States | EU Standard Contractual Clauses |
| OpenAI L.L.C. | Speech-to-text via Whisper API | United States | EU Standard Contractual Clauses |
| Deepgram, Inc. | Speech-to-text (alternative provider) | United States | EU Standard Contractual Clauses |
| Google LLC | Sign-in with Google (OAuth identity) | United States | EU-US Data Privacy Framework |
| Microsoft Ireland Operations Ltd. | Sign-in with Microsoft (OAuth identity) | Ireland (EU), some support from United States | Within EU; EU-US Data Privacy Framework for any transfer |
| Resend Co. | Transactional email delivery | United States | EU Standard Contractual Clauses |
| Cloudflare, Inc. | DNS, CDN, DDoS protection, TLS | Global; EU edge cached | EU Standard Contractual Clauses |
| Hetzner Online GmbH | Server hosting; database | Germany (EU) | Within EU — no transfer outside |
We may, from time to time, add new sub-processors. We will update this Policy and — for material changes affecting how we use your data — notify you in advance.
7. International transfers
Some of our sub-processors are based outside the European Economic Area, primarily in the United States. For each such transfer we rely on legal safeguards approved by the European Commission:
- The EU-US Data Privacy Framework (where the recipient is certified)
- Standard Contractual Clauses (SCCs) approved by the European Commission, where the framework does not apply
You can request a copy of these safeguards by emailing [email protected].
8. How long we keep your data
| Data | Retention |
|---|---|
| Account data | Kept while your account is active; deleted within 30 days of account deletion request, except items we are legally required to retain |
| Room recordings and transcripts | Kept while the room exists in your account; you can delete a room (and its associated transcript) at any time from the room settings |
| Payment records (invoices, receipts, tax records) | 7 years from the end of the financial year, per Swedish bookkeeping law (Bokföringslagen) |
| Server logs | 90 days typical; longer if needed for fraud / security investigation |
| Marketing consent records | Kept while consent is active; 3 years after withdrawal as proof of withdrawal |
If you delete your account, we soft-delete the user record (anonymized in active databases) and hard-delete identifying personal data after 30 days. Items the law requires us to keep (tax/accounting) are retained in restricted-access archives for the periods above.
9. Your rights
Under GDPR, you have the following rights regarding your personal data:
- Right of access (Article 15) — request a copy of the personal data we hold about you.
- Right to rectification (Article 16) — correct inaccurate or incomplete data.
- Right to erasure (Article 17) — request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations.
- Right to restrict processing (Article 18) — pause certain processing while a dispute or correction is pending.
- Right to data portability (Article 20) — receive your data in a machine-readable format or have it transferred to another provider where technically feasible.
- Right to object (Article 21) — object to processing based on legitimate interests, including direct marketing.
- Right to withdraw consent — where processing is based on consent, you can withdraw it at any time.
- Right to lodge a complaint with the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY) — https://www.imy.se — or with the data protection authority of your EU country of residence.
To exercise any of these rights, email [email protected]. We will respond within one month (and may extend by up to two further months for complex requests, as permitted by Article 12(3)). We may ask you to verify your identity to prevent unauthorised access to your data.
10. Cookies and similar technologies
Phensy uses a minimum of cookies and similar local storage:
- Authentication tokens in your browser's
localStorage, so you stay signed in between visits. These are essential to the service and cannot be disabled without preventing you from signing in. - A dismiss-state flag for the first-visit onboarding strip on the homepage. No personal data; purely UI state.
We do not currently use third-party analytics cookies, tracking pixels, or advertising cookies. If that changes, this section will be updated and (where required) we will display a consent banner before any non-essential cookie is set.
11. Children
Phensy is intended for users aged 16 years or older. We do not knowingly collect personal data from anyone under 16. If you believe a child under 16 has provided us with personal data, please contact [email protected] and we will delete it.
12. Security
We take reasonable technical and organizational measures to protect your data:
- TLS encryption for all traffic between your browser and our servers
- Encryption at rest on the database
- Single-server architecture with restricted SSH access
- Two-factor authentication required on operator accounts
- Sub-processor agreements that contractually require equivalent or stronger protections
- Routine security review of our infrastructure and dependencies
No method of transmission or storage is 100% secure. If we become aware of a personal data breach that risks your rights and freedoms, we will notify the Swedish supervisory authority within 72 hours as required by GDPR Article 33, and notify affected users without undue delay where Article 34 applies.
13. Changes to this Policy
We may update this Policy from time to time. The "Last updated" date at the top will reflect the most recent revision. For material changes — such as a new category of personal data, a new sub-processor that handles material data, or a change of controller — we will notify you in advance by email and, where appropriate, ask for fresh consent.
14. Contact
| Topic | Contact |
|---|---|
| Privacy questions and rights requests | [email protected] |
| General questions | [email protected] |
| Postal address | Mehmet Erkanar, Stenmursgatan 23, SE-523 47 Ulricehamn, Sweden |
| Supervisory authority | Integritetsskyddsmyndigheten (IMY) — https://www.imy.se |