Data Retention & Protection Policy
Effective Date: January 10, 2026
This policy describes how VentraLink, Inc. ("VentraLink," "we," "us," or "our") collects, stores, protects, and retains data processed through our service. It supplements our Privacy Policy with specific details about data handling practices.
1. Data We Collect
VentraLink processes the following categories of data:
- Account Information: User names, email addresses, and authentication credentials
- Call Recordings: Audio files from integrated phone systems (Zoom Phone, RingCentral)
- Call Metadata: Call duration, timestamps, participant information, and call direction
- Transcripts & Analysis: AI-generated transcriptions and coaching insights derived from call recordings
- Business Documents: Files uploaded to the document repository
- Financial Data: Transaction information from integrated services (QuickBooks Online)
2. Data Protection Measures
Encryption
- In Transit: All data is transmitted using TLS 1.2 or higher
- At Rest: Sensitive data including OAuth tokens and credentials are encrypted using AES-256 encryption
- Cloud Storage: Call recordings and documents are stored in encrypted cloud storage
Access Controls
- Role-based access controls limit data visibility to authorized users
- Multi-factor authentication (MFA) is available for all accounts
- Administrative access to infrastructure requires additional authentication
PII Protection
- Automated PII detection scans call audio for sensitive information (credit card numbers, Social Security numbers)
- Calls containing detected PII are blocked and never saved to long-term storage
- Our system uses a fail-closed design: any uncertainty results in rejection
3. Retention Periods
| Data Type | Retention Period | Notes |
|---|---|---|
| Account Information | Duration of account | Deleted upon account closure |
| Call Recordings | 90 days | Audio files automatically deleted after retention period |
| Call Transcripts | 90 days | Full transcripts deleted with associated recordings |
| Call Summaries & Analysis | Duration of account | Coaching insights and performance metrics retained for reporting |
| Call Metadata | Duration of account | Timestamps, duration, and participant info for historical reporting |
| Uploaded Documents | Until deleted by user | Users control document lifecycle |
| OAuth Tokens | Duration of integration | Deleted when integration is disconnected |
| System Logs | 90 days | Used for security monitoring and troubleshooting |
4. Data Deletion
User-Initiated Deletion
- Users can delete individual call recordings and documents through the application interface
- Users can disconnect third-party integrations, which removes associated OAuth tokens
- Account deletion requests can be submitted to privacy@ventralink.com
Account Closure
When an account is closed:
- Active data (recordings, documents, analysis) is deleted within 30 days
- Backup copies are purged within 90 days
- Anonymized, aggregated data may be retained for service improvement
Third-Party Data
Data synchronized from third-party services (Zoom, QuickBooks) remains in those services according to their retention policies. Disconnecting an integration from VentraLink does not delete data from the source service.
Automatic Deauthorization
Upon receiving a deauthorization notification from a third-party app marketplace (such as Zoom App Marketplace), indicating the app has been uninstalled or disconnected by an administrator, VentraLink will automatically revoke all associated OAuth tokens and initiate the deletion of that account's synchronized data within 30 days, in accordance with our account closure procedures.
5. Data Portability
Users may request an export of their data by contacting support@ventralink.com. Exports are provided in standard formats (CSV, JSON) within 30 days of request.
6. Third-Party Processors
VentraLink uses the following categories of third-party processors:
- Cloud Infrastructure: Google Cloud Platform (hosting, storage, database)
- AI Processing: Enterprise-grade AI models (transcription and analysis)
- Payment Processing: Stripe (subscription billing)
All processors operate under their published data processing agreements and are selected based on their security certifications and privacy practices.
7. Incident Response
In the event of a data security incident:
- Affected users will be notified within 72 hours of discovery
- We will provide details about the nature of the incident and data affected
- Remediation steps will be communicated promptly
8. Policy Updates
This policy may be updated periodically. Material changes will be communicated via email to account holders. The effective date at the top of this page indicates the last revision.
9. Contact
For questions about this policy or to exercise your data rights, contact us at:
- Email: privacy@ventralink.com
- Support: support@ventralink.com