Last updated: May 4, 2026. This policy applies to the Sossy.ai mobile application, related APIs, and web properties operated by RepCard (collectively, the “Services”).
Sossy.ai offers AI-assisted sales roleplay and coaching. RepCard, LLC (together with its subsidiaries and affiliates involved in operating Sossy.ai, “RepCard,” “we,” “us,” or “our”) is the primary controller of personal information described in this policy, unless we act solely as a processor on documented instructions of a customer (for example, an enterprise that licenses the product for its users).
This policy describes how we collect, use, disclose, and protect personal information when you use the Services. It does not govern third-party sites or services that we link to; those have their own policies.
When you enable AI or voice features, session content may be processed by named subprocessors described in Section 4 (including Vapi, OpenRouter, and ElevenLabs where applicable). We do not purchase marketing lists about you for the consumer app.
We use personal information for purposes including:
Where required by applicable law (for example the GDPR or UK GDPR), we rely on appropriate bases such as performance of a contract, legitimate interests that are not overridden by your rights, compliance with legal obligations, and—where applicable—your consent (including the in-app consent flow before certain AI processing).
To deliver AI-assisted sales roleplay, coaching, scoring, and related features, we may send personal information and session content to third-party AI processors. Depending on the feature you use, this can include microphone audio, transcripts, simulation and roleplay configuration, persona and scenario text, scores and feedback, account identifiers needed to run the session, and technical metadata (for example device/app version and timestamps) needed to operate and secure the Services.
We do not sell your personal information to third-party AI providers (or otherwise for monetary consideration as described in Section 5). We do not use these AI processing flows for cross-context behavioral advertising.
We configure these services to process information as processors or service providers acting on our behalf, subject to agreements that require appropriate confidentiality and security measures and limit use to providing the Services. Where applicable law requires consent, we obtain it through the in-app disclosure and consent flow before sending personal data to these AI processors for those features.
We require subprocessors that receive personal data to provide protections appropriate to the risk and consistent with our privacy commitments; however, each provider also publishes its own terms and privacy notices, which may apply to their processing.
You may withdraw AI/voice processing consent in Settings where offered; some AI features will not function without it.
Where we share personal information with service providers (including the AI-related subprocessors in Section 4), we use written agreements that require appropriate confidentiality and security safeguards and limit processing to the purposes we describe. We require these providers to protect personal data in a manner consistent with this policy and applicable law, and to provide the same or equal protection of user data as described in this policy.
We may share personal information with:
We do not sell your personal information as that term is commonly understood, and we do not sell personal information for monetary consideration under the California Consumer Privacy Act (CCPA) as amended. This includes not selling personal information to third-party AI vendors for their independent use.
No method of transmission or storage is completely secure. We implement technical and organizational measures appropriate to the risk, such as access controls, encryption in transit where supported, and vendor security requirements. You are responsible for keeping your device and credentials secure.
We retain personal information for as long as needed to provide the Services, comply with legal obligations (for example tax or accounting rules), resolve disputes, and enforce agreements. Guest accounts and session data may be retained for a shorter period than full registered accounts. Retention periods can vary by data category and legal requirements; we may delete or de-identify information earlier when no longer needed.
Depending on your jurisdiction, you may have rights to access, correct, delete, or export personal information; to object to or restrict certain processing; to withdraw consent where processing is consent-based; and to lodge a complaint with a supervisory authority (in the EEA/UK).
If you are a resident of California or another U.S. state with a comprehensive privacy law, additional rights may apply—for example, rights to know categories of personal information collected, to request deletion subject to exceptions, to correct inaccuracies, to opt out of certain “sharing” for cross-context behavioral advertising (we do not use the app to run cross-context behavioral ads as described in many state laws), and not to receive discriminatory treatment for exercising privacy rights.
Categories collected (illustrative): identifiers (email, phone, guest identifiers); commercial information (use of the Services); internet or electronic network activity (logs, diagnostics); audio or similar information when you use voice features; inferences from use of the Services (for example scores or coaching insights).
Sensitive information: some laws treat certain categories (for example voice audio) as sensitive. We process such information only to provide the voice and AI features you choose to use, consistent with this policy and applicable “limit” or similar requirements.
To submit a request, email support@repcard.com or call (602) 777-4030. If you are a California resident and we deny your request, you may appeal by replying to our decision message where applicable law requires an appeals process.
If the GDPR, UK GDPR, or similar laws apply, you may have the rights summarized in Section 8, including in certain circumstances the right to data portability and the right to object to processing based on legitimate interests (including profiling that produces legal or similarly significant effects, where applicable). You may also lodge a complaint with your local data protection authority.
Where we transfer personal information from those regions to countries that have not received an adequacy decision, we use appropriate safeguards such as standard contractual clauses approved by the relevant regulator, where required.
We and our vendors may process information in the United States and other countries where we operate. Those countries may have different data protection laws than your own.
The Services are not directed to children under 13 (or the age required by your jurisdiction to use the product without parental consent), and we do not knowingly collect personal information from children in that group. If you believe we have collected such information, contact us at support@repcard.com and we will take appropriate steps to delete it.
The Services may contain links to third-party websites or services. We are not responsible for their privacy practices; please read their policies before providing information.
We may update this policy from time to time. We will post the updated version on this page and update the “Last updated” date. If changes are material, we will provide additional notice as required by law (for example an in-app notice or email where we have your address).
For privacy questions, complaints, or to exercise rights, contact RepCard:
RepCard, LLC
3820 East Main St.
Suite 2
Mesa, Arizona 85205
United States
E-mail: support@repcard.com
Phone: (602) 777-4030
This policy is provided for transparency and compliance with platform requirements. It is not legal advice; have qualified counsel review it for your jurisdictions and data practices before you rely on it.