Virtuosis Artificial Intelligence SA together with its affiliates where applicable (“Virtuosis”, “we”, “us”, or “our”), is committed to protecting personal data and to explaining clearly how we collect, use, disclose, retain, and protect personal data in connection with our websites, applications, platforms, APIs, integrations, communications, and services.
This Privacy Policy applies to personal data processed through our websites and online pages, including www.virtuosis.ai, www.virtuosis.ch, online content, social media pages, events, email communications, and other interactions under our control (together, the “Sites”), and to the Virtuosis services, including the Virtuosis Web Application, Virtuosis Teams Plugin, Virtuosis API, dashboards, integrations, and related support services (together, the “Services”).
The Services are used primarily by business, healthcare, research, public-sector, and other organizational customers. However, individuals may also use Virtuosis Web Application or other Virtuosis Services directly for their own account. This Privacy Policy therefore explains both how we process personal data as an independent controller and how we process personal data on behalf of organizational customers as a processor.
This Privacy Policy should be read together with our Terms of Service, available at https://www.virtuosis.ai/terms-of-service, and, where applicable, the Virtuosis Data Processing Addendum (“DPA”), available at https://www.virtuosis.ai/dpa. If you use the Services on behalf of an organization, your organization’s own privacy notice may also apply.
1. Definitions
“Applicable Data Protection Laws” means all privacy, data protection, and data security laws applicable to the processing of personal data, including, where applicable, the EU General Data Protection Regulation (“GDPR”), the Swiss Federal Act on Data Protection (“FADP”), and any implementing or supplementary national laws.
“Customer”, “Content”, “Customer Personal Data”, “Permitted Users”, “Controller”, “Processor”, “Personal Data”, “Processing”, “Personal Data Breach”, “Special Categories of Personal Data”, and “Sub-processor” have the meanings given to them in the Terms of Service, the DPA, or Applicable Data Protection Laws, as applicable.
For readability, we use “personal data” in this Privacy Policy to refer to information relating to an identified or identifiable individual, including “personal information” where similar terms are used under applicable laws.
2. Our role: controller or processor
Virtuosis may act either as an independent controller or as a processor, depending on how the Services are used.
When Virtuosis acts as controller:
When an individual uses Virtuosis' web app or another Virtuosis Service directly for their own account, Virtuosis acts as an independent controller for the personal data processed to provide the Service to that individual.
Virtuosis also acts as an independent controller for personal data processed in connection with our Sites, marketing, sales, customer relationship management, billing, security, legal compliance, product administration, and general business operations.
When Virtuosis acts as processor:
When Virtuosis provides the Services to an organizational customer and processes personal data on that customer’s behalf, Virtuosis acts as processor and the customer acts as controller, unless the parties expressly agree otherwise in writing.
In that case, the customer is responsible for determining the legal basis for the processing, providing required notices, obtaining any required consent or authorization, configuring the Services appropriately, and responding to data subject requests, unless otherwise agreed.
Processing on behalf of organizational customers is governed by the applicable agreement with the customer, including the DPA where applicable.
Depending on the applicable deployment and agreement, a Virtuosis affiliate, including Virtuosis Health SAS, may participate in the processing as controller, processor, or service provider. The applicable agreement, Order Form, research documentation, or customer notice will identify the relevant entity and role where required.
3. Personal data we collect and process
Depending on your relationship with Virtuosis and the Service configuration, we may collect or process the categories of personal data described below.
Site, device, and usage data:
IP address, browser type and version, operating system, device type, language and locale settings, referring pages, pages visited, timestamps, session information, activity logs, cookie identifiers, and similar technical information.
Information about interactions with our Sites, emails, advertisements, forms, and online content.
Account, contact, contractual, and billing data:
Name, business or personal email address, phone number where applicable, organization, job title, department, role, username, user ID, authentication information, account settings, billing information, subscription information, and customer relationship information.
Information relating to account administrators, billing contacts, authorized signatories, support contacts, and other representatives of customers or prospects.
Service data and Content:
Audio recordings, audio streams, speech segments, uploaded files, and related technical representations, where submitted to or processed through the Services.
Voice-derived acoustic features, metadata, date and time of recording, timestamps, recording duration, file format, sampling rate, channel configuration, processing status, session identifiers, device or browser information, IP address, and language or locale settings.
Questionnaire responses, wellbeing inputs, clinical or health-related inputs, symptoms, risk indicators, screening outputs, monitoring outputs, clinician or user notes, and other health or wellbeing information submitted to or generated through the Services.
Generated outputs, such as individual or group insights, scores, dashboards, reports, alerts, recommendations, classifications, suggestions, or other AI-generated outputs.
Support tickets, communications, diagnostics, error logs, security logs, and troubleshooting information.
Business, marketing, and event data:
Contact and business information about customers, prospects, partners, event participants, suppliers, and other business contacts.
Correspondence, meeting notes, call or video recordings where applicable, forms, survey responses, preferences, interests, and information relevant to our commercial relationship.
Data from third parties:
We may receive personal data from organizational customers, authorized users, integrations, third-party platforms, service providers, social media, events, public sources, and business partners, where permitted by applicable law.
4. Special categories of personal data, health data, and voice data
Depending on the use case and Service configuration, the Services may process Special Categories of Personal Data, in particular health data, health-related inferences, wellbeing data, clinical data, questionnaire responses, voice recordings, and voice-derived data.
Voice recordings and voice-derived data may constitute personal data. They may also raise biometric-data issues where they are processed through specific technical means for the purpose of uniquely identifying or authenticating a natural person. Unless expressly agreed in writing, the Services are not intended to identify or authenticate individuals by voice.
Where Virtuosis acts as controller, we process health data or other Special Categories of Personal Data only where an applicable legal basis and exception applies, such as explicit consent, provision of health-related services, scientific research where applicable, or another basis permitted by law. Where Virtuosis acts as processor, the organizational customer is responsible for identifying and documenting the appropriate legal basis and any applicable exception for Special Categories of Personal Data.
5. Purposes of processing
We process personal data for the purposes described below, depending on the relevant context and our role.
To provide, operate, secure, maintain, support, troubleshoot, administer, and improve the Sites and Services.
To process audio recordings or audio streams, related metadata, questionnaire inputs, clinical or wellbeing inputs, and other Content submitted to the Services, and to generate communication, wellbeing, screening, monitoring, health-related, or clinical decision-support outputs selected by the relevant customer or user.
To create and manage accounts, authenticate users, manage access rights, administer subscriptions, process payments, and provide customer support.
To communicate with customers, users, prospects, partners, and event participants, including service, security, billing, administrative, legal, and support communications.
To send promotional communications, product updates, event invitations, or other marketing communications where permitted by law and subject to applicable opt-out rights.
To analyze use of our Sites and Services, understand performance, improve user experience, maintain security, prevent fraud or abuse, and develop or enhance our services where permitted by the Terms, the DPA, this Privacy Policy, and applicable law.
To create aggregated or anonymized data that does not identify and is not reasonably capable of identifying any individual. Pseudonymized data remains personal data and is processed in accordance with Applicable Data Protection Laws.
To comply with legal, regulatory, contractual, accounting, tax, audit, security, and compliance obligations, and to establish, exercise, or defend legal claims.
The Services are designed to provide probabilistic outputs and insights. Unless expressly stated otherwise in an applicable Order Form or regulatory documentation, the Services are not intended to replace professional medical judgment, emergency care, diagnosis, or treatment. The Services are not intended to produce automated decisions with therapeutic, legal or similarly significant effect without appropriate human review and safeguards.
6. Legal bases for processing
Where Virtuosis acts as controller, we rely on one or more of the following legal bases, depending on the context:
Performance of a contract, where processing is necessary to provide the Services or respond to your requests.
Consent, including explicit consent where required for processing health data, optional features, marketing communications, cookies, analytics, or other processing requiring consent.
Legitimate interests, including securing and improving our Sites and Services, communicating with customers and prospects, preventing fraud and abuse, developing our business, and protecting our rights, provided that such interests are not overridden by the rights and freedoms of individuals.
Compliance with legal obligations, including tax, accounting, regulatory, security, and legal obligations.
Healthcare, public interest, scientific research, or other specific legal bases and exceptions, where applicable and permitted by law.
Where Virtuosis acts as processor, the organizational customer determines the legal basis for processing and is responsible for providing notices, obtaining any required consent or authorization, and ensuring that its use of the Services complies with Applicable Data Protection Laws.
7. Cookies, analytics, and similar technologies
We and our service providers may use cookies, pixels, local storage, SDKs, analytics tools, and similar technologies to operate our Sites and Services, remember preferences, support login and security, understand usage, measure performance, improve user experience, and, where permitted, support marketing and advertising activities.
Some cookies are necessary for the operation of the Sites or Services. Other cookies, such as analytics or marketing cookies, may require consent depending on your location and applicable law. Where required, we will request consent through a cookie banner or similar mechanism.
You can manage cookies through your browser settings. Disabling certain cookies may affect the availability or functionality of the Sites or Services.
We may use analytics tools to understand how visitors use our Sites and Services.
We currently use or may use the following tools and service providers in connection with our Sites and Services, depending on the context: Microsoft Azure for cloud infrastructure, hosting, storage, security, and processing; Infomaniak for transactional emails, service notifications, and support communications; and other providers described in the DPA or applicable Sub-processor list. Not all tools process all categories of data, and analytics or marketing tools are not intended to process raw audio or health data unless expressly described in the applicable agreement or notice.
8. Data sharing and recipients
We may disclose personal data to the categories of recipients described below, only as reasonably necessary for the purposes described in this Privacy Policy, the Terms, the DPA, or the applicable agreement.
Organizational customers. Where we process personal data on behalf of an organizational customer, that customer may access data processed on its behalf according to the applicable agreement, permissions, and Service configuration.
Service providers and Sub-processors. We may engage selected third parties to provide hosting, cloud infrastructure, communications, content delivery, security, authentication, payment processing, analytics, email delivery, monitoring, support, customer relationship management, legal, financial, compliance, and other services. They may process personal data only for the purposes agreed with us and subject to contractual safeguards.
Microsoft Azure. The Services may be hosted using Microsoft Azure cloud services unless otherwise specified in an Order Form. Microsoft may act as a processor or Sub-processor of Virtuosis, as applicable. Microsoft’s processing is governed by Microsoft’s data protection commitments, including the Microsoft Products and Services Data Protection Addendum available at https://aka.ms/dpa.
Affiliates. We may share personal data with Virtuosis affiliates where necessary for the purposes described in this Privacy Policy and subject to appropriate safeguards.
Professional advisers. We may share personal data with legal, financial, tax, audit, insurance, security, or compliance advisers where necessary for legitimate business, compliance, or legal purposes.
Authorities and legal requests. We may disclose personal data where required by law, court order, subpoena, regulatory request, or other valid legal process, or where we reasonably believe disclosure is necessary to protect rights, safety, security, or legal interests.
Corporate transactions. If Virtuosis is involved in a merger, acquisition, financing, restructuring, sale of assets, or similar transaction, personal data may be disclosed or transferred as part of that transaction, subject to applicable law and appropriate safeguards.
With consent or instruction. We may disclose personal data where you or the relevant organizational customer instructs us to do so or provides consent.
Authorized research partners or collaborators. Where permitted by the applicable agreement, research documentation, ethics documentation, consent form, DPA, data transfer agreement, or other lawful basis, we may share limited personal data with authorized research partners or collaborators for clinical research, validation, regulatory, or scientific purposes, subject to appropriate contractual and confidentiality safeguards.
Not all service providers process all categories of data. In particular, Customer Personal Data processed through the Services is shared with Sub-processors only as described in the DPA, the applicable agreement, or the applicable Sub-processor list.
9. International data transfers
We and our service providers may maintain, store, and process personal data in Switzerland, the European Economic Area, and other locations reasonably necessary to provide the Sites and Services or comply with legal obligations. For organizational customer deployments, Customer Personal Data is hosted in the region specified in the applicable Order Form, DPA, Service configuration, or customer-specific record of processing. Certain deployments are limited to Microsoft Azure regions in the European Union and do not involve making Customer Personal Data available to non-EU service providers, unless otherwise agreed or required by law.
Where personal data is transferred to a country or recipient that does not provide an adequate level of protection under Applicable Data Protection Laws, we rely on appropriate transfer safeguards, such as applicable standard contractual clauses, Swiss adaptations, adequacy decisions, encryption in transit, contractual commitments, or other lawful transfer mechanisms. For transfers involving Microsoft Azure or other Sub-processors, we may rely on transfer safeguards implemented by the relevant provider, provided that they comply with Applicable Data Protection Laws.
10. Data retention
We retain personal data for as long as reasonably necessary for the purposes described in this Privacy Policy, the Terms, the DPA, the applicable Order Form, the Service configuration, customer instructions, legal obligations, audit, security, backup, dispute-resolution, and compliance purposes.
Unless otherwise agreed in writing or configured by the customer, raw audio recordings are deleted after processing. Where retention is enabled or required to provide the Service, raw audio recordings, outputs, and related data are retained for the period specified in the applicable Order Form, Service configuration, DPA, or customer instruction.
We may retain account, billing, support, security, and business contact data for longer periods where necessary for legitimate business purposes, legal compliance, accounting, tax, audit, security, or the establishment, exercise, or defense of legal claims.
Aggregated or anonymized data that does not identify and is not reasonably capable of identifying an individual may be retained and used in accordance with this Privacy Policy, the Terms, the DPA, and applicable law. Pseudonymized data remains personal data and is subject to applicable retention and protection requirements.
11. Data security
We implement appropriate technical and organizational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, unauthorized access, and misuse. These measures may include encryption in transit and at rest, role-based access controls, authentication controls, logging, monitoring, security review, backup and resilience measures, incident response procedures, and confidentiality obligations for personnel and service providers.
For incidents involving Customer Personal Data, we follow internal incident procedures covering detection, qualification, containment, remediation, documentation, and lessons learned. Where Virtuosis acts as processor, we notify the relevant customer without undue delay after initial qualification of a Personal Data Breach, in accordance with the DPA.
The technical and organizational measures applicable to Customer Personal Data processed on behalf of organizational customers are further described in the DPA. No system can be guaranteed to be completely secure, and we cannot guarantee that the Sites or Services will be immune from all security incidents, interruptions, unlawful access, or misuse.
12. Data subject rights
Depending on your location and applicable law, you may have rights to request access to, rectification of, deletion of, restriction of, objection to, or portability of your personal data. Where processing is based on consent, you may have the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal. You may also have the right to lodge a complaint with a competent supervisory authority.
To exercise your rights where Virtuosis acts as controller, contact us at privacy@virtuosis.ch. We may need to verify your identity and may request additional information to understand and respond to your request. We may redact information relating to other individuals or confidential information where appropriate or required by law.
Where Virtuosis processes personal data on behalf of an organizational customer, the customer is generally responsible for responding to data subject requests. If you use the Services through an organization, or if your data was submitted by an organization, please contact that organization first. If you contact us directly, we may refer your request to the relevant customer or respond as required by applicable law and the DPA.
13. Communications
We may send service, administrative, billing, legal, security, support, and account-related communications that are necessary or important for use of the Sites or Services. You may not be able to opt out of certain service communications, such as password reset, security, billing, or legal notices.
We may also send promotional communications about features, events, opportunities, or services where permitted by law. You may opt out of promotional communications by following the unsubscribe or opt-out instructions in the communication, adjusting available account settings, or contacting privacy@virtuosis.ch.
14. Third-party websites, platforms, and integrations
Our Sites and Services may include links to third-party websites, applications, platforms, marketplaces, communication tools, or integrations. Your use of third-party services is governed by the privacy policies and terms of those third parties, not by this Privacy Policy. We encourage you to review the applicable third-party privacy policies before using those services.
15. Children
Our Sites and Services are not designed to attract children under the age of 16 without appropriate authorization, and we do not knowingly collect personal data from children under 16 without such authorization. If we learn that we have collected personal data from a child under 16 without required authorization, we will take reasonable steps to delete or restrict such data in accordance with applicable law.
Organizational customers are responsible for ensuring that any use of the Services involving minors is lawful and supported by all required parental, guardian, institutional, ethics, healthcare, or other authorizations.
16. Changes to this Privacy Policy
We may update this Privacy Policy from time to time by posting an updated version on our Sites or Services. The updated version will be effective as of the date stated at the bottom of the policy. Where required by law or where changes are material, we may provide additional notice through the Sites, Services, email, or other available communication channels.
17. Data protection contact
If you have questions, concerns, or requests regarding this Privacy Policy or our processing of personal data, you may contact us at:
Virtuosis Artificial Intelligence SA
EPFL Innovation Park, Bâtiment C
CH-1015 Lausanne, Switzerland
Where applicable, you may also contact:
Virtuosis Health SAS
14 rue Fédérico Garcia Lorca
76320 Saint-Pierre-les-Elbeuf, France
Email: privacy@virtuosis.ch
Last updated: 14 May 2026